LDAP, hook ssl/tls setup into system wide system_trust_configure() for
…#3742 and cleanup settings.

(cherry picked from commit b2affd1)
AdSchellevis authored and fichtner committed Oct 28, 2019
1 parent ddcc0da commit ea72e99
Showing 3 changed files with 15 additions and 73 deletions.
41 changes: 7 additions & 34 deletions src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
Expand Up @@ -92,9 +92,9 @@ class LDAP extends Base implements IAuthConnector
private $ldapScope = 'subtree';

/**
* @var null|string certificate reference (in /var/run/certs/)
* @var null|string url type (standard, startTLS, SSL)
*/
private $ldapCAcert = null;
private $ldapURLType = null;

/**
* @var array list of already known usernames vs distinguished names
Expand Down Expand Up @@ -265,46 +265,20 @@ public function setProperties($config)
// Encryption types: Standard ( none ), StartTLS and SSL
if (strstr($config['ldap_urltype'], "Standard")) {
$this->ldapBindURL = "ldap://";
$this->ldapURLType = "standard";
} elseif (strstr($config['ldap_urltype'], "StartTLS")) {
$this->ldapBindURL = "ldap://";
$this->useStartTLS = true;
$this->ldapURLType = "StartTLS";
} else {
$this->ldapBindURL = "ldaps://";
$this->ldapURLType = "SSL";
}

$this->ldapBindURL .= strpos($config['host'], "::") !== false ? "[{$config['host']}]" : $config['host'];
if (!empty($config['ldap_port'])) {
$this->ldapBindURL .= ":{$config['ldap_port']}";
}

// setup environment
if (!empty($config['ldap_caref']) && stristr($config['ldap_urltype'], "standard") === false) {
$this->setupCaEnv($config['ldap_caref']);
}
}

/**
* setup certificate environment
* @param string $caref ca reference
*/
public function setupCaEnv($caref)
{
$this->ldapCAcert = null;
if (isset(Config::getInstance()->object()->ca)) {
foreach (Config::getInstance()->object()->ca as $cert) {
if (isset($cert->refid) && (string)$caref == $cert->refid) {
$this->ldapCAcert = (string)$cert->refid;
@mkdir("/var/run/certs");
@unlink("/var/run/certs/{$this->ldapCAcert}.ca");
file_put_contents("/var/run/certs/{$this->ldapCAcert}.ca", base64_decode((string)$cert->crt));
@chmod("/var/run/certs/{$this->ldapCAcert}.ca", 0644);
break;
}
}
}
if (empty($this->ldapCAcert)) {
syslog(LOG_ERR, sprintf('LDAP: Could not lookup CA by reference for host %s.', $caref));
}
}

/**
Expand Down Expand Up @@ -335,10 +309,9 @@ function () {
$this->closeLDAPHandle();

// Note: All TLS options must be set before ldap_connect is called
if (!empty($this->ldapCAcert)) {
if ($this->ldapURLType != "standard") {
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, '/var/run/certs');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, "/var/run/certs/{$this->ldapCAcert}.ca");
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
} else {
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
}
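Review bot: In the connect() hunk the new code points `LDAP_OPT_X_TLS_CACERTFILE` at `/etc/ssl/cert.pem` but leaves the context line `ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, '/var/run/certs');` in place, even though this commit removes the only code shown here that ever wrote into `/var/run/certs`; unless something else still populates that directory, the option should be dropped or pointed at the directory system_trust_configure() maintains, so the trust anchors come from exactly one place. Note also that `$this->ldapURLType != "standard"` is true for the null default, so an instance whose setProperties() was never called (the ldapacpicker path in this same commit) gets `LDAP_OPT_X_TLS_HARD` verification against the system bundle; that fails closed and looks intended, but it deserves a comment such as `// null (setProperties() not called) is treated like an encrypted transport: verify against the system bundle`. A `private const SYSTEM_CA_BUNDLE = '/etc/ssl/cert.pem';` would keep the path from being repeated as a literal if it is also used elsewhere. The property docblock says `startTLS` while setProperties() stores `StartTLS`; since the value is compared as a string later, match the doc to the stored value. The closure containing the third hunk begins outside the hunk.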
36 changes: 4 additions & 32 deletions src/www/system_authservers.php
Expand Up @@ -73,7 +73,6 @@
$pconfig['name'] = $a_server[$id]['name'];

if (in_array($pconfig['type'], array("ldap", "ldap-totp"))) {
$pconfig['ldap_caref'] = $a_server[$id]['ldap_caref'];
$pconfig['ldap_host'] = $a_server[$id]['host'];
$pconfig['ldap_port'] = $a_server[$id]['ldap_port'];
$pconfig['ldap_urltype'] = $a_server[$id]['ldap_urltype'];
Expand Down Expand Up @@ -221,9 +220,6 @@
}

if (in_array($server['type'], array("ldap", "ldap-totp"))) {
if (!empty($pconfig['ldap_caref'])) {
$server['ldap_caref'] = $pconfig['ldap_caref'];
}
$server['host'] = $pconfig['ldap_host'];
$server['ldap_port'] = $pconfig['ldap_port'];
$server['ldap_urltype'] = $pconfig['ldap_urltype'];
Expand Down Expand Up @@ -315,7 +311,7 @@

// list of all possible fields for auth item (used for form init)
$all_authfields = array(
'type','name','ldap_caref','ldap_host','ldap_port','ldap_urltype','ldap_protver','ldap_scope',
'type','name','ldap_host','ldap_port','ldap_urltype','ldap_protver','ldap_scope',
'ldap_basedn','ldap_authcn','ldap_extended_query','ldap_binddn','ldap_bindpw','ldap_attr_user',
'ldap_read_properties', 'ldap_sync_memberof', 'radius_host',
'radius_auth_port','radius_acct_port','radius_secret','radius_timeout','radius_srvcs'
Expand Down Expand Up @@ -436,9 +432,6 @@
'proto': $("#ldap_protver").val(),
'authcn': $("#ldapauthcontainers").val(),
};
if ($("#ldap_caref").val() != undefined) {
request_data['cert'] = $("#ldap_caref").val();
}
//
if ($("#ldap_port").val() == '' || $("#ldap_host").val() == '' || $("#ldap_scope").val() == '' || $("#ldap_basedn").val() == '') {
BootstrapDialog.show({
Expand Down Expand Up @@ -628,7 +621,7 @@
</td>
</tr>
<tr class="auth_ldap auth_ldap-totp auth_options hidden">
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Transport");?></td>
<td><a id="help_for_ldap_urltype" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Transport");?></td>
<td>
<select name="ldap_urltype" id="ldap_urltype" class="selectpicker" data-style="btn-default">
<option value="TCP - Standard" data-port="389" <?=$pconfig['ldap_urltype'] == "TCP - Standard" ? "selected=\"selected\"" : "";?>>
Expand All @@ -641,30 +634,9 @@
<?=gettext("SSL - Encrypted");?>
</option>
</select>
</td>
</tr>
<tr class="auth_ldap auth_ldap-totp auth_options hidden">
<td><a id="help_for_ldap_caref" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Peer Certificate Authority"); ?></td>
<td>
<?php
if (count($config['ca'])) :?>
<select id="ldap_caref" name="ldap_caref" class="selectpicker" data-style="btn-default">
<?php
foreach ($config['ca'] as $ca) :
?>
<option value="<?=$ca['refid'];?>" <?=$pconfig['ldap_caref'] == $ca['refid'] ? "selected=\"selected\"" : "";?>><?=$ca['descr'];?></option>
<?php
endforeach; ?>
</select>
<div class="hidden" data-for="help_for_ldap_caref">
<span><?=gettext("This option is used if 'SSL Encrypted' option is choosen.");?> <br />
<?=gettext("It must match with the CA in the AD otherwise problems will arise.");?></span>
<div class="hidden" data-for="help_for_ldap_urltype">
<?=gettext("When choosing StartTLS or SSL, please configure the required private CAs in System -> Trust");?>
</div>
<?php
else :?>
<b><?=gettext('No Certificate Authorities defined.');?></b> <br /><?=gettext('Create one under');?> <a href="system_camanager.php"><?=gettext('System: Certificates');?></a>.
<?php
endif; ?>
</td>
</tr>
<tr class="auth_ldap auth_ldap-totp auth_options hidden">
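Review bot: The new help text for `ldap_urltype` only tells the operator where to install private CAs, but not the consequence of this commit: with StartTLS or SSL the server certificate is now always validated against the system trust store (per the `LDAP_OPT_X_TLS_HARD` branch in LDAP.php) and the bind fails if it does not validate, while "TCP - Standard" sends the bind DN and password in the clear. Suggest extending the string to something like `When choosing StartTLS or SSL the server certificate is verified against the system trust store (System -> Trust); connections to servers with an unknown or mismatching certificate are refused. TCP - Standard transmits credentials unencrypted.` The surrounding form handling and the removed `request_data['cert']` JavaScript look consistent with the removal of `ldap_caref`; the enclosing PHP/HTML template continues outside the hunks.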
11 changes: 4 additions & 7 deletions src/www/system_usermanager_settings_ldapacpicker.php
Expand Up @@ -45,16 +45,13 @@
}

$ldap_auth = new OPNsense\Auth\LDAP($_POST['basedn'], isset($_POST['proto']) ? $_POST['proto'] : 3);
if (isset($_POST['cert'])) {
$ldap_auth->setupCaEnv($_POST['cert']);
}
$ldap_is_connected = $ldap_auth->connect($ldap_full_url
, !empty($_POST['binddn']) ? $_POST['binddn'] : null
, !empty($_POST['bindpw']) ? $_POST['bindpw'] : null
$ldap_is_connected = $ldap_auth->connect(
$ldap_full_url,
!empty($_POST['binddn']) ? $_POST['binddn'] : null,
!empty($_POST['bindpw']) ? $_POST['bindpw'] : null
);

$ous = false;

if ($ldap_is_connected) {
$ous = $ldap_auth->listOUs();
}
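Review bot: With the `cert` branch gone, this page never calls setProperties() on `$ldap_auth`, so the instance's URL type stays null and the connect() call now relies on LDAP.php treating null like an encrypted transport (verify against the system bundle); that is the safe direction, but it is an implicit dependency between two files and should be stated next to the call, e.g. `// no setProperties() here: the URL type stays unset, so connect() verifies ldaps:// / StartTLS peers against the system CA bundle`. The `$_POST['proto']` value is still passed straight into the constructor without being checked against the supported protocol versions (pre-existing, not introduced here), and `$ldap_full_url` is assembled from request data outside the hunk, so its scheme handling cannot be reviewed from this view.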
