jellyfin · joshuaboniface · Dec 28, 2019 · Dec 15, 2019 · Dec 15, 2019
diff --git a/LDAP-Auth/Config/PluginConfiguration.cs b/LDAP-Auth/Config/PluginConfiguration.cs
@@ -13,6 +13,9 @@ public class PluginConfiguration :  MediaBrowser.Model.Plugins.BasePluginConfigu
         public string LdapBindPassword { get; set; }
         public bool CreateUsersFromLdap { get; set; }
         public bool UseSsl { get; set; }
+        public bool UseStartTls { get; set; }
+        public bool SkipSslVerify { get; set; }
+
         public PluginConfiguration()
         {
             LdapServer = "ldap-server.contoso.com";
@@ -26,6 +29,8 @@ public PluginConfiguration()
             LdapBindPassword = "password";
             CreateUsersFromLdap = true;
             UseSsl = true;
+            UseStartTls = false;
+            SkipSslVerify = false;
         }
     }
 }
diff --git a/LDAP-Auth/Config/configPage.html b/LDAP-Auth/Config/configPage.html
@@ -27,6 +27,20 @@ <h2 class="sectionTitle">LDAP Settings:</h2>
                                 </label>
                                 <div class="fieldDescription checkboxFieldDescription">Use SSL for the LDAP connection.</div>
                             </div>
+                            <div class="checkboxContainer checkboxContainer-withDescription">
+                                <label>
+                                    <input type="checkbox" is="emby-checkbox" id="chkUseStartTls" />
+                                    <span>STARTTLS:</span>
+                                </label>
+                                <div class="fieldDescription checkboxFieldDescription">Use STARTTLS for the LDAP connection.</div>
+                            </div>
+                            <div class="checkboxContainer checkboxContainer-withDescription">
+                                <label>
+                                    <input type="checkbox" is="emby-checkbox" id="chkSkipSslVerify" />
+                                    <span>Skip SSL/TLS Verification:</span>
+                                </label>
+                                <div class="fieldDescription checkboxFieldDescription">Skip verification of connection certificate when using SSL/STARTTLS.</div>
+                            </div>
                             <div class="inputContainer fldExternalAddressFilter">
                                 <input is="emby-input" type="text" id="txtLdapBaseDn" label="LDAP Base DN for searches:" />
                                 <div class="fieldDescription">The base DN for your LDAP query.</div>
@@ -97,6 +111,8 @@ <h2 class="sectionTitle">LDAP Settings:</h2>
 
                     $('#txtLdapServer', page).val(config.LdapServer || "ldap-server.contoso.com");
                     $("#chkUseSsl", page).checked(config.UseSsl);
+                    $("#chkUseStartTls", page).checked(config.UseStartTls);
+                    $("#chkSkipSslVerify", page).checked(config.SkipSslVerify);
                     $('#txtLdapBaseDn', page).val(config.LdapBaseDn || "o=domains,dc=contoso,dc=com");
                     $('#txtLdapPort', page).val(config.LdapPort || "389");
                     $('#txtLdapSearchAttributes', page).val(config.LdapSearchAttributes || "uid, cn, mail, displayName");
@@ -119,6 +135,8 @@ <h2 class="sectionTitle">LDAP Settings:</h2>
                 ApiClient.getPluginConfiguration(SyncConfigurationPage.pluginUniqueId).then(function (config) {
                     config.LDAPServer = $('#txtLdapServer', form).val();
                     config.UseSsl = $("#chkUseSsl", form).checked();
+                    config.UseStartTls = $("#chkUseStartTls", form).checked();
+                    config.SkipSslVerify = $("#chkSkipSslVerify", form).checked();
                     config.LdapBaseDn = $('#txtLdapBaseDn', form).val();
                     config.LdapSearchAttributes = $('#txtLdapSearchAttributes', form).val();
                     config.LdapUsernameAttribute = $('#txtLdapUsernameAttribute', form).val();

diff --git a/LDAP-Auth/LDAPAuthenticationProviderPlugin.cs b/LDAP-Auth/LDAPAuthenticationProviderPlugin.cs
@@ -37,15 +37,29 @@ public async Task<ProviderAuthenticationResult> Authenticate(string username, st
             using (var ldapClient = new LdapConnection() { SecureSocketLayer = _config.UseSsl })
             {
                 try
-                {
-                    ldapClient.Connect(_config.LdapServer,_config.LdapPort);
+                {
+                    if (_config.SkipSslVerify)
+                    {
+                        ldapClient.UserDefinedServerCertValidationDelegate += LdapClient_UserDefinedServerCertValidationDelegate;
+                    }
+
+                    ldapClient.Connect(_config.LdapServer,_config.LdapPort);
+                    if (_config.UseStartTls)
+                    {
+                        ldapClient.StartTls();
+                    }
                     ldapClient.Bind(_config.LdapBindUser,_config.LdapBindPassword);
                 }
                 catch(Exception e)
                 {
                     _logger.LogError(e,"Failed to Connect or Bind to server");
                     throw e;
-                }
+                }
+                finally
+                {
+                    ldapClient.UserDefinedServerCertValidationDelegate -= LdapClient_UserDefinedServerCertValidationDelegate;
+                }
+
                 if(ldapClient.Bound)
                 {
                     LdapSearchResults ldapUsers = ldapClient.Search(_config.LdapBaseDn, 2, searchFilter, ldapAttrs, false);
@@ -100,15 +114,29 @@ public async Task<ProviderAuthenticationResult> Authenticate(string username, st
             {
                 _logger.LogDebug("Trying bind as user {1}", ldapUser.DN);
                 try
-                {
-                    ldapClient.Connect(_config.LdapServer, _config.LdapPort);
+                {
+                    if(_config.SkipSslVerify)
+                    {
+                        ldapClient.UserDefinedServerCertValidationDelegate += LdapClient_UserDefinedServerCertValidationDelegate;
+                    }
+
+                    ldapClient.Connect(_config.LdapServer, _config.LdapPort);
+                    if(_config.UseStartTls)
+                    {
+                        ldapClient.StartTls();
+                    }
                     ldapClient.Bind(ldapUser.DN, password);
                 }
                 catch(Exception e)
                 {
                     _logger.LogError(e,"Failed to Connect or Bind to server as user {1}", ldapUser.DN);
                     throw e;
-                }
+                }
+                finally
+                {
+                    ldapClient.UserDefinedServerCertValidationDelegate -= LdapClient_UserDefinedServerCertValidationDelegate;
+                }
+
                 if(ldapClient.Bound)
                 {
                     if(user == null)
@@ -149,8 +177,15 @@ public async Task<ProviderAuthenticationResult> Authenticate(string username, st
                     throw new Exception("Error completing LDAP login. Invalid username or password.");
                 }
             }
-        }
-
+        }
+
+        private bool LdapClient_UserDefinedServerCertValidationDelegate(
+            object sender,
+            System.Security.Cryptography.X509Certificates.X509Certificate certificate,
+            System.Security.Cryptography.X509Certificates.X509Chain chain,
+            System.Net.Security.SslPolicyErrors sslPolicyErrors)
+            => true;
+
         public bool HasPassword(User user)
         {
             return true;