Implement startTLS for ldap #1346 (#1350)

* implement startTLS for ldap #1346 ignore the implementation in #1348 since it is a non-used replication * fix the data-port of startTLS #1364

Implement startTLS for ldap #1346 (#1350)
* implement startTLS for ldap #1346 ignore the implementation in #1348 since it is a non-used replication * fix the data-port of startTLS #1364
2889e235 · Eugen Mayer · Franco Fichtner · b376646f · 2889e235 · 2889e235
Commit 2889e235 authored Jan 25, 2017 by Eugen Mayer Committed by Franco Fichtner Jan 25, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 0 deletions

LDAP.php src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php +17 -0

system_authservers.php src/www/system_authservers.php +3 -0

No files found.
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@@ -96,6 +96,10 @@ class LDAP implements IAuthConnector
     */
    private $userDNmap = array();

+    /**
+     * @var bool if true, startTLS will be initialized
+     */
+    private $useStartTLS = false;
    /**
     * close ldap handle if open
     */
@@ -211,11 +215,16 @@ class LDAP implements IAuthConnector
        }

        // translate config settings
+        // Encryption types: Standard ( none ), StartTLS and SSL
        if (strstr($config['ldap_urltype'], "Standard")) {
            $this->ldapBindURL = "ldap://";
+        } else if (strstr($config['ldap_urltype'], "StartTLS")) {
+            $this->ldapBindURL = "ldap://";
+            $this->useStartTLS = true;
        } else {
            $this->ldapBindURL = "ldaps://";
        }
+
        $this->ldapBindURL .= strpos($config['host'], "::") !== false ? "[{$config['host']}]" : $config['host'];
        if (!empty($config['ldap_port'])) {
            $this->ldapBindURL .= ":{$config['ldap_port']}";
@@ -250,6 +259,14 @@ class LDAP implements IAuthConnector
        $this->closeLDAPHandle();
        $this->ldapHandle = @ldap_connect($bind_url);

+        if($this->useStartTLS) {
+            ldap_set_option($this->ldapHandle, LDAP_OPT_PROTOCOL_VERSION, 3);
+            if (ldap_start_tls($this->ldapHandle) === false) {
+                $this->ldapHandle = null;
+                syslog(LOG_ERR, 'Could not startTLS on ldap connection (' .  ldap_error($this->ldapHandle).')');
+            }
+        }
+
        if ($this->ldapHandle !== false) {
            ldap_set_option($this->ldapHandle, LDAP_OPT_NETWORK_TIMEOUT, $timeout);
            ldap_set_option($this->ldapHandle, LDAP_OPT_REFERRALS, 0);

--- a/src/www/system_authservers.php
+++ b/src/www/system_authservers.php
@@ -494,6 +494,9 @@ endif; ?>
                      <option value="TCP - Standard" data-port="389" <?=$pconfig['ldap_urltype'] == "TCP - Standard" ? "selected=\"selected\"" : "";?>>
                        <?=gettext("TCP - Standard");?>
                      </option>
+                      <option value="StartTLS" data-port="389" <?=$pconfig['ldap_urltype'] == "StartTLS" ? "selected=\"selected\"" : "";?>>
+                        <?=gettext("StartTLS");?>
+                      </option>
                      <option value="SSL - Encrypted" data-port="636" <?=$pconfig['ldap_urltype'] == "SSL - Encrypted" ? "selected=\"selected\"" : "";?>>
                        <?=gettext("SSL - Encrypted");?>
                      </option>