Added patch for connecting to AD-server with self-signed certificates. #24115
Conversation
{ | ||
putenv('LDAPTLS_REQCERT=never'); | ||
} | ||
|
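Review bot: putenv('LDAPTLS_REQCERT=never') turns off server certificate verification for libldap altogether, not only for self-signed certificates: any certificate is accepted, so a host that can interpose itself on the connection receives the bind credentials. Two points for this hunk: the option's help text should state that consequence and name the preferred fix, trusting the specific self-signed certificate via LDAPTLS_CACERT (TLS_CACERT in ldap.conf) while keeping REQCERT at its default; and putenv() alters the environment of the whole PHP worker process, while libldap reads LDAPTLS_* when it initialises, so the call has to happen before the first ldap_connect() in that process and affects everything else the process does with LDAP.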
Remove tabs.
I removed the spaces.
Hmm, Emacs acting up. php-mode seems to default to PEAR-style, which uses spaces.
Please change the language keys to match the field name; atm the key says the opposite of the description.
…D_IGNORE_REQCERT_TLS*.
…nto self-signed-cert
Now we need 2 testers...
@HLeithner it is very unlikely that we will get 2 testers for this as it is very specialised and not used often. I suspect the only option is to code review.
Yeah I have the same feeling.
Would you at least test if the plugin screen doesn't break?
Tested and the screen doesn't break. Not sure if debug should be the very first option. But I have never used LDAP authentication so don't know if it is important or not.
It's the first? request for this feature ;-) so probably the first position is not perfect.... I would suggest moving debug to the last option and the tls thing before debug.
@@ -16,6 +16,10 @@ PLG_LDAP_FIELD_HOST_DESC="Eg: openldap.example.com." | |||
PLG_LDAP_FIELD_HOST_LABEL="Host" | |||
PLG_LDAP_FIELD_NEGOCIATE_DESC="Negotiate TLS encryption with the LDAP server. This requires all traffic to and from the LDAP server to be encrypted." | |||
PLG_LDAP_FIELD_NEGOCIATE_LABEL="Negotiate TLS" | |||
PLG_LDAP_FIELD_LDAPDEBUG_DESC="Enables debug hardcoded to level 7" |
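Review bot: The new PLG_LDAP_FIELD_LDAPDEBUG_DESC key is appended after PLG_LDAP_FIELD_NEGOCIATE_LABEL, but LDAPDEBUG sorts before NEGOCIATE, so this breaks the file's alphabetical ordering; move the LDAPDEBUG pair above the NEGOCIATE keys. The description "Enables debug hardcoded to level 7" would also read better as "Enables LDAP debug output (hardcoded to level 7)".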
Please sort keys in alpha order.
It's the first? request for this feature ;-) so probably the first position is not perfect....
I would suggest moving debug to the last option and the tls thing before debug.
I moved the debug option to last but the Ignore certificate is closely connected to enabling TLS and thus should be the next option.
It should still be sorted in alpha order.
Check the file after last night's commit 224ec41, the file is in order.
* Ignore TLS Certificate (encrypted communications) | ||
* | ||
* @var boolean | ||
* @since 1.0 |
* @since 1.0 | |
* @since __DEPLOY_VERSION__ |
Fixed
* Enable LDAP debug (encrypted communications) | ||
* | ||
* @var boolean | ||
* @since 1.0 |
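Review bot: The docblock for the debug property repeats "(encrypted communications)" from the Ignore TLS Certificate property above it, but debug output has nothing to do with encryption; drop the parenthetical and describe the flag itself, e.g. "* Enable LDAP debug output (hardcoded to level 7)". The @since 1.0 here also needs to become __DEPLOY_VERSION__, as already requested for the previous property.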
* @since 1.0 | |
* @since __DEPLOY_VERSION__ |
Fixed
A Composer dependency is changed without having updated the lock file. That should be a red flag to somebody...
So good that you are here^^ @rickyosser parts of the PR have to be made against https://github.com/joomla-framework/ldap/blob/master/src/LdapClient.php
…n list. And fixed so it says __DEPLOY_VERSION__
…nto self-signed-cert
Can you please point to where the Composer dependency would change? I'm looking at the diff file I originally created and it closely resembles the git PR I'm trying to create. It only touches 3 files and none of them is a Composer control file.
It is this file libraries/vendor/joomla/ldap/src/LdapClient.php
@brianteeman and @HLeithner, I've created a pull request in the LDAP tree for the changes in that file. Anyway, this problem is relatively new, as the security hardening of SAMBA4 and the openldap-client library has been made in the last year/years.
My PR joomla-framework/ldap@c7e30ce has been accepted in joomla-framework/ldap, what do you need me to do here now?
Remove the changes in the ldapclient file, I will update the lib after releasing 3.9.4. |
@HLeithner, the file is now reverted.
@@ -12,8 +12,12 @@ PLG_LDAP_FIELD_EMAIL_DESC="LDAP attribute which has the User's email address." | |||
PLG_LDAP_FIELD_EMAIL_LABEL="Map: Email" | |||
PLG_LDAP_FIELD_FULLNAME_DESC="LDAP attribute which has the User's full name." | |||
PLG_LDAP_FIELD_FULLNAME_LABEL="Map: Full Name" | |||
PLG_LDAP_FIELD_IGNORE_REQCERT_TLS_DESC="When enabled ignore the server certificate, this is useful when running for example Samba 4 with a self-signed certificate." |
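Review bot: PLG_LDAP_FIELD_IGNORE_REQCERT_TLS_DESC is inserted directly after the FULLNAME keys, which places it ahead of the PLG_LDAP_FIELD_HOST_* pair and breaks the file's alphabetical order; move the IGNORE_REQCERT_TLS_DESC/LABEL lines below PLG_LDAP_FIELD_HOST_LABEL. The description should also state the consequence plainly: with the option enabled the server's identity is not verified at all, so TLS no longer protects the bind credentials against an interposed server; recommend importing the self-signed certificate as a trusted CA on the web server instead, and reserve this option for the cases where that is not possible.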
Move lines 15-16 after line 18.
thx
Pull Request for Issue # .
Summary of Changes
Added patches for connecting to an AD server with self-signed certificates.
Testing Instructions
Just install and enable the Ignore Certificate option.
Expected result
Working authentication using TLS/LDAPS with servers that are configured with self-signed certificates, for example recent SAMBA4.
Actual result
Working authentication using TLS/LDAPS with servers that are configured with self-signed certificates, for example recent SAMBA4.
Documentation Changes Required
Option:
"Ignore Certificate"
Desc:
When enabled, ignore the server certificate; this is useful when running, for example, Samba 4 with a self-signed certificate.
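As an added example (not code from this PR or from the Joomla LDAP plugin), the weak setting the PR introduces next to the safer way to accept a self-signed Samba 4 certificate: trust that one certificate as a CA and keep verification on. The host name and certificate path are constructed placeholders.

```php
<?php
// Example code, not part of PR #24115. Shows LDAPTLS_REQCERT=never (the PR's
// "Ignore Certificate" option) beside the hardened alternative for a server
// that presents a self-signed certificate.

function ldapConnectTls(string $host, ?string $caFile, bool $ignoreCert = false)
{
    // libldap reads the LDAPTLS_* environment when it initialises, so these
    // putenv() calls must come before the first ldap_connect() in the process.
    if ($ignoreCert) {
        // Weak: the server's identity is never checked, so any certificate is
        // accepted and an interposed host would receive the bind credentials.
        putenv('LDAPTLS_REQCERT=never');
    } elseif ($caFile !== null) {
        // Safer: trust exactly the self-signed certificate (PEM) exported from
        // the server, and still demand a valid certificate matching the host.
        putenv('LDAPTLS_CACERT=' . $caFile);
        putenv('LDAPTLS_REQCERT=demand');
    }

    $ldap = ldap_connect('ldap://' . $host . ':389');
    if ($ldap === false) {
        throw new RuntimeException('Invalid LDAP URI for host ' . $host);
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // With REQCERT=demand an untrusted or mismatched certificate fails here,
    // before any credentials have been sent over the connection.
    if (!ldap_start_tls($ldap)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

// Hypothetical host and path: the DC's certificate exported once as PEM.
$ldap = ldapConnectTls('dc1.example.internal', '/etc/joomla/samba-dc1.pem');
// ... ldap_bind($ldap, $userDn, $password) as the plugin would normally do.
```

Because putenv() changes the environment of the whole PHP worker, whichever mode is selected applies to every LDAP connection that process makes afterwards.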