Merge pull request #120 from melanger/patch-6

LDAP startTLS support (port 389)
CESNET · Jun 18, 2020 · 456ce84 · 456ce84
2 parents 9e0dce6 + 8971128
commit 456ce84
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/config-templates/module_perun.php b/config-templates/module_perun.php
@@ -32,6 +32,12 @@
      */
     //'ldap.username' => '_proxy-idp',
     //'ldap.password' => 'password'
+
+    /**
+     * Whether to use startTLS on port 389. Defaults to false.
+     * SSL/TLS is always used for ldaps: regardless of this setting.
+     */
+    //'ldap.enable_tls' => true,
 
     /**
      * Perun group name to eduPersonEntitlement mapping. Mapping is according to the spec in

diff --git a/lib/AdapterLdap.php b/lib/AdapterLdap.php
@@ -30,6 +30,7 @@ class AdapterLdap extends Adapter
     const LDAP_USER = 'ldap.username';
     const LDAP_PASSWORD = 'ldap.password';
     const LDAP_BASE = 'ldap.base';
+    const LDAP_TLS = 'ldap.enable_tls';
     const PERUN_FACILITY_ID = 'perunFacilityId';
     const CN = 'cn';
     const DESCRIPTION = 'description';
@@ -57,8 +58,9 @@ public function __construct($configFileName = null)
         $ldapUser = $conf->getString(self::LDAP_USER, null);
         $ldapPassword = $conf->getString(self::LDAP_PASSWORD, null);
         $this->ldapBase = $conf->getString(self::LDAP_BASE);
+        $ldapEnableTLS = $conf->getBoolean(self::LDAP_TLS, false);
 
-        $this->connector = new LdapConnector($ldapHostname, $ldapUser, $ldapPassword);
+        $this->connector = new LdapConnector($ldapHostname, $ldapUser, $ldapPassword, $ldapEnableTLS);
         $this->fallbackAdapter = new AdapterRpc();
     }
 

diff --git a/lib/LdapConnector.php b/lib/LdapConnector.php
@@ -31,18 +31,21 @@ class LdapConnector
     private $hostname;
     private $user;
     private $password;
+    private $enableTLS;
 
     /**
      * LdapConnector constructor.
      * @param $hostname
      * @param $user
      * @param $password
+     * @param $enableTLS
      */
-    public function __construct($hostname, $user, $password)
+    public function __construct($hostname, $user, $password, $enableTLS = false)
     {
         $this->hostname = $hostname;
         $this->user = $user;
         $this->password = $password;
+        $this->enableTLS = $enableTLS;
     }
 
     /**
@@ -108,6 +111,13 @@ protected function search($base, $filter, $attributes = null)
         }
 
         ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+        // Enable TLS, if needed
+        if ($this->enableTLS && stripos($this->hostname, "ldaps:") === false) {
+            if (!@ldap_start_tls($conn)) {
+                throw new Exception('Unable to force TLS on Perun LDAP');
+            }
+        }
 
         if (ldap_bind($conn, $this->user, $this->password) === false) {
             throw new Exception('Unable to bind user to the Perun LDAP, ' . $this->hostname);