[4.x] Fix LDAP over SSL #37962
I can do that tomorrow or on weekend. The file names look ok at a first quick look, and SQL syntax and style looks ok, too, but I have to check the replace for the parameter value because it needs to be very careful with that. We have to make sure to really match the complete parameter. Am too tired today to do that now.
Co-authored-by: Quy <quy@fluxbb.org>
@richard67 Can you please review?
Each PR needs 2 successful human tests. It could be hard to find testers for LDAP authentication since it's rarely used. So this alone might take some time. For the other PR people can maybe use https://www.forumsys.com/2022/05/10/online-ldap-test-server/ , but I'm not sure if it is also suitable for this one for LDAPS.
administrator/components/com_admin/sql/updates/mysql/4.1.5-2022-06-02.sql
administrator/components/com_admin/sql/updates/postgresql/4.1.5-2022-06-02.sql
Co-authored-by: Richard Fath <richard67@users.noreply.github.com>
Thanks for the review and suggestions, I applied them. Now let's hope someone wants to test this...
administrator/components/com_admin/sql/updates/mysql/4.1.5-2022-06-02.sql
administrator/components/com_admin/sql/updates/mysql/4.1.5-2022-06-02.sql
and fix element
Co-authored-by: Richard Fath <richard67@users.noreply.github.com>
This pull request has been automatically rebased to 4.2-dev.
This pull request has been automatically converted to the PSR-12 coding standard.
@tatankat 2 things first can you change the sql files to 4.2.0 with date.
Hi @nickdring, those were the wrong files, which explains the bad naming. You are right about the option. If it fails, do not forget to also enable the ldap debug logging and provide its complete output.
ok so where are the right files :)
at the same place, I replaced them, you will see the updated names:
cool, i see the new changes to the plugin now.
I'm getting my colleagues in IT to check that the LDAP server is actually reachable
@nickdring The kind of log you provided in #37959 (comment) should give more details (that can't be provided by Joomla or php). Please provide it completely.
Hi here is the apache: ldap_url_parse_ext(ldap://localhost/)
There you go, as expected. You should configure the ldap client (on OS level) to accept the certificate.
Hi there, my colleagues in ICT are asking if you have any information regarding the configuration of the ldap client.
@nickdring see #37959 (comment) and #37959 (comment) But, as #37959 and others are being merged and @laoneo is making me happy, I basically undid #35323 and implemented #24115 again using the symfony ldap client (and new php ldap options since 7.1). New packages with all ldap patches applied are at https://github.com/tatankat/joomla-cms/releases/tag/4.3.0-alpha3-dev-patched
Hi @tatankat ok upload patch. No errors and it's working for us. From apache log: This is good news, when these changes are released we can start planning the migration of our 90+ sites to J4. Thanks for your help!
@tatankat can you update the update SQL file names to reflect the current date and version 4.3. Then we can merge it.
Awesome work - thanks for persevering
tests/Integration/Plugin/Authentication/Ldap/LdapPluginTest.php
Thanks for the tests and confirmation @nickdring. @nickdring's tests also confirm that #38388 is working. Can that one also be merged?
Thank you very much for help bringing the ldap plugin to a new level. At some point the variables in the plugin need to be renamed to fit more our camelCase style. But for now this is fine.
Can you folks confirm this change made it to the J 4.3.x release? We are currently on 4.2.7 and looking to rely on the LDAP(S) plugin again for our SSO, rather than the miniorange one. I'm still getting this error in the logs:
@noxidsoft Yes, this made it in 4.3
Pull Request for Issue (none created)
Summary of Changes
Convert negotiate TLS option to encryption protocol option to re-enable the use of ldap over ssl (ldaps).
I am not too sure about the filename of the database changes, please review and comment.
Testing Instructions
Use an LDAP server with LDAPS. When entering the full ldap URI (ldaps://example.com) in the Host field in V3, it was working.
Actual result BEFORE applying this Pull Request
Joomla was trying to connect to ldap://ldaps://example.com
When only entering the hostname, Joomla was trying to connect to ldap://example.com
The prefix "ldap://" is added by the symfony library.
Expected result AFTER applying this Pull Request
Joomla connects to ldaps://example.com (only) when the SSL encryption protocol is selected - changed behavior wrt V3. Behavior for no encryption and TLS negotiation has not changed.
Documentation Changes Required
Possibly
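
The behaviour change described in the pull request text above, as an added example that is not part of the original pull request and is not Joomla's or Symfony's code: the first function reproduces the unconditional `ldap://` prefix, the second derives scheme and port only from an encryption option. The function names, the option values `none`/`tls`/`ssl`, the default ports and the rejection of hosts that carry a scheme are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; all names and option values here are hypothetical.

/** Behaviour described under "Actual result BEFORE": the scheme is always ldap://. */
function legacyUri(string $host): string
{
    return 'ldap://' . $host;
}

/** Scheme and port come only from the encryption option; the host must be a bare name. */
function buildLdapTarget(string $host, string $encryption, ?int $port = null): array
{
    if (!in_array($encryption, ['none', 'tls', 'ssl'], true)) {
        throw new InvalidArgumentException("Unknown encryption option: $encryption");
    }

    // Refuse "ldaps://example.com" style input instead of prefixing it a second time.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $host)) {
        throw new InvalidArgumentException('Host must not contain a URI scheme; select the encryption option instead');
    }

    $scheme = $encryption === 'ssl' ? 'ldaps' : 'ldap';
    $port ??= $encryption === 'ssl' ? 636 : 389; // conventional LDAPS / LDAP ports

    return [
        'uri'       => sprintf('%s://%s:%d', $scheme, $host, $port),
        'start_tls' => $encryption === 'tls',  // TLS negotiated after a plain ldap:// connect
        'encrypted' => $encryption !== 'none', // false means the bind travels in cleartext
    ];
}

// Constructed sample inputs.
echo legacyUri('ldaps://example.com'), PHP_EOL;
echo legacyUri('example.com'), PHP_EOL;

foreach (['none', 'tls', 'ssl'] as $enc) {
    $t = buildLdapTarget('example.com', $enc);
    printf("%-4s -> %s start_tls=%s encrypted=%s\n", $enc, $t['uri'],
        var_export($t['start_tls'], true), var_export($t['encrypted'], true));
}

try {
    buildLdapTarget('ldaps://example.com', 'ssl');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```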