Added patch for connecting to AD-server with self-signed certificates. #24115
Conversation
joomla-cms-bot
added
Composer Dependency Changed
Language Change
rickyosser
changed the title
| { | ||
| putenv('LDAPTLS_REQCERT=never'); | ||
| } | ||
|
|
There was a problem hiding this comment.
I removed the spaces.
Hmm, emacs acting up. php-mode seems to default to PEAR-style. Which uses spaces.
…D_IGNORE_REQCERT_TLS*.
…nto self-signed-cert
|
Now we need 2 testers... |
|
@HLeithner it is very unlikely that we will get 2 testers for this as it is very specialised and not used often. I suspect the only option is to code review |
|
Yeah I have the same feeling |
|
Would you at least test if the plugin screen doesn't break? |
|
Tested and the screen doesnt break. Not sure if debug should be the very first option. But I have never used LDAP authentication so dont know if it is important or not |
|
It's the first? request for this feature ;-) so properly the first position is not perfect.... I would suggest moving debug to the last option and the tls thing before debug. |
| @@ -16,6 +16,10 @@ PLG_LDAP_FIELD_HOST_DESC="Eg: openldap.example.com." | |||
| PLG_LDAP_FIELD_HOST_LABEL="Host" | |||
| PLG_LDAP_FIELD_NEGOCIATE_DESC="Negotiate TLS encryption with the LDAP server. This requires all traffic to and from the LDAP server to be encrypted." | |||
| PLG_LDAP_FIELD_NEGOCIATE_LABEL="Negotiate TLS" | |||
| PLG_LDAP_FIELD_LDAPDEBUG_DESC="Enables debug hardcoded to level 7" | |||
There was a problem hiding this comment.
Please sort keys in alpha order.
There was a problem hiding this comment.
It's the first? request for this feature ;-) so properly the first position is not perfect....
I would suggest moving debug to the last option and the tls thing before debug.
I moved the debug option to last but the Ignore certificate is closely connected to enabling TLS and thus should be the next option.
There was a problem hiding this comment.
It should still be sorted in alpha order.
There was a problem hiding this comment.
Check the file after last nights commit 224ec41, the file is in order.
| * Ignore TLS Certificate (encrypted communications) | ||
| * | ||
| * @var boolean | ||
| * @since 1.0 |
There was a problem hiding this comment.
| * @since 1.0 | |
| * @since __DEPLOY_VERSION__ |
| * Enable LDAP debug (encrypted communications) | ||
| * | ||
| * @var boolean | ||
| * @since 1.0 |
There was a problem hiding this comment.
| * @since 1.0 | |
| * @since __DEPLOY_VERSION__ |
|
A Composer dependency is changed without having updated the lock file. That should be a red flag to somebody... |
|
So good that you are here^^ @rickyosser parts of the PR have to be made against https://github.com/joomla-framework/ldap/blob/master/src/LdapClient.php |
…n list. And fixed so it says __DEPLOY_VERSION__
…nto self-signed-cert
Can you please point to where the composer dependency would change, I'm looking at the diff-file I originally created and it closeley looks like the git PR I'm trying to create. It only touches 3 files and none of them is a Composer control-file. |
|
It is this file libraries/vendor/joomla/ldap/src/LdapClient.php |
@brianteeman and @HLeithner , I've created a pull request in the LDAP tree for the changes in that file. Anyway this problem is relatively new as the security hardening of SAMBA4 and the openldap-client library have been made in the last year/years. |
|
My PR joomla-framework/ldap@c7e30ce has been accepted in joomla-framework/ldap, what do you need me to do here now? |
|
Remove the changes in the ldapclient file, I will update the lib after releasing 3.9.4. |
@HLeithner, the file is now reverted. |
| @@ -12,8 +12,12 @@ PLG_LDAP_FIELD_EMAIL_DESC="LDAP attribute which has the User's email address." | |||
| PLG_LDAP_FIELD_EMAIL_LABEL="Map: Email" | |||
| PLG_LDAP_FIELD_FULLNAME_DESC="LDAP attribute which has the User's full name." | |||
| PLG_LDAP_FIELD_FULLNAME_LABEL="Map: Full Name" | |||
| PLG_LDAP_FIELD_IGNORE_REQCERT_TLS_DESC="When enabled ignore the server certificate, this is useful when running for example Samba 4 with a self-signed certificate." | |||
There was a problem hiding this comment.
Move lines 15-16 after line 18.
ghost
changed the title
|
thx |
Pull Request for Issue # .
Summary of Changes
Added patches for connecting to AD-server with self-signed certificates.
Testing Instructions
Just install and enable the Ignore Certificate option.
Expected result
Working authentication using TLS/LDAPS with servers that are configured with self-signed certificates. For example recent SAMBA4.
Actual result
Working authentication using TLS/LDAPS with servers that are configured with self-signed certificates. For example recent SAMBA4.
Documentation Changes Required
Option:
"Ignore Certificate"
Desc:
When enabled ignore the server certificate, this is useful when running for example Samba 4 with a self-signed certificate.