Commit 2889e235 authored by Eugen Mayer's avatar Eugen Mayer Committed by Franco Fichtner

Implement startTLS for ldap #1346 (#1350)

* implement startTLS for ldap #1346
ignore the implementation in #1348 since it is a non-used replication

* fix the data-port of startTLS #1364
parent b376646f
...@@ -96,6 +96,10 @@ class LDAP implements IAuthConnector ...@@ -96,6 +96,10 @@ class LDAP implements IAuthConnector
*/ */
private $userDNmap = array(); private $userDNmap = array();
/**
* @var bool if true, startTLS will be initialized
*/
private $useStartTLS = false;
/** /**
* close ldap handle if open * close ldap handle if open
*/ */
...@@ -211,11 +215,16 @@ class LDAP implements IAuthConnector ...@@ -211,11 +215,16 @@ class LDAP implements IAuthConnector
} }
// translate config settings // translate config settings
// Encryption types: Standard ( none ), StartTLS and SSL
if (strstr($config['ldap_urltype'], "Standard")) { if (strstr($config['ldap_urltype'], "Standard")) {
$this->ldapBindURL = "ldap://"; $this->ldapBindURL = "ldap://";
} else if (strstr($config['ldap_urltype'], "StartTLS")) {
$this->ldapBindURL = "ldap://";
$this->useStartTLS = true;
} else { } else {
$this->ldapBindURL = "ldaps://"; $this->ldapBindURL = "ldaps://";
} }
$this->ldapBindURL .= strpos($config['host'], "::") !== false ? "[{$config['host']}]" : $config['host']; $this->ldapBindURL .= strpos($config['host'], "::") !== false ? "[{$config['host']}]" : $config['host'];
if (!empty($config['ldap_port'])) { if (!empty($config['ldap_port'])) {
$this->ldapBindURL .= ":{$config['ldap_port']}"; $this->ldapBindURL .= ":{$config['ldap_port']}";
...@@ -250,6 +259,14 @@ class LDAP implements IAuthConnector ...@@ -250,6 +259,14 @@ class LDAP implements IAuthConnector
$this->closeLDAPHandle(); $this->closeLDAPHandle();
$this->ldapHandle = @ldap_connect($bind_url); $this->ldapHandle = @ldap_connect($bind_url);
if($this->useStartTLS) {
ldap_set_option($this->ldapHandle, LDAP_OPT_PROTOCOL_VERSION, 3);
if (ldap_start_tls($this->ldapHandle) === false) {
$this->ldapHandle = null;
syslog(LOG_ERR, 'Could not startTLS on ldap connection (' . ldap_error($this->ldapHandle).')');
}
}
if ($this->ldapHandle !== false) { if ($this->ldapHandle !== false) {
ldap_set_option($this->ldapHandle, LDAP_OPT_NETWORK_TIMEOUT, $timeout); ldap_set_option($this->ldapHandle, LDAP_OPT_NETWORK_TIMEOUT, $timeout);
ldap_set_option($this->ldapHandle, LDAP_OPT_REFERRALS, 0); ldap_set_option($this->ldapHandle, LDAP_OPT_REFERRALS, 0);
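Review bot: The StartTLS block sits before the `!== false` guard, so a failed ldap_connect() reaches ldap_set_option()/ldap_start_tls() with `false`, and on a StartTLS failure the handle is set to `null` before ldap_error() reads it, which loses the real error text and leaves a value that still passes the `!== false` check below, so the connect path continues although no TLS session was established. Move the block behind a connect check, log before discarding the handle, and set `false` so the existing guard treats a failed upgrade like a failed connect; since ldap_connect() only initialises the handle and the network round trip happens in ldap_start_tls(), LDAP_OPT_NETWORK_TIMEOUT should also be set before that call rather than only in the guarded block. Whether the server certificate is verified is inherited from the libldap configuration (TLS_REQCERT) rather than fixed here, which deserves a comment on `$useStartTLS` or an explicit option. The enclosing method continues outside the hunk.
```php
$this->ldapHandle = @ldap_connect($bind_url);
if ($this->ldapHandle !== false && $this->useStartTLS) {
    // ldap_connect() is lazy: the TCP connection and TLS handshake happen here,
    // so bound them with the same timeout and require LDAPv3 for StartTLS
    ldap_set_option($this->ldapHandle, LDAP_OPT_NETWORK_TIMEOUT, $timeout);
    ldap_set_option($this->ldapHandle, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (ldap_start_tls($this->ldapHandle) === false) {
        // read the error before discarding the handle; use false so the
        // existing "!== false" guard below treats this like a failed connect
        syslog(LOG_ERR, 'Could not startTLS on ldap connection (' . ldap_error($this->ldapHandle) . ')');
        $this->closeLDAPHandle();
        $this->ldapHandle = false;
    }
}
if ($this->ldapHandle !== false) {
    // … unchanged: option setup and the rest of the connect path …
```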
...@@ -494,6 +494,9 @@ endif; ?> ...@@ -494,6 +494,9 @@ endif; ?>
<option value="TCP - Standard" data-port="389" <?=$pconfig['ldap_urltype'] == "TCP - Standard" ? "selected=\"selected\"" : "";?>> <option value="TCP - Standard" data-port="389" <?=$pconfig['ldap_urltype'] == "TCP - Standard" ? "selected=\"selected\"" : "";?>>
<?=gettext("TCP - Standard");?> <?=gettext("TCP - Standard");?>
</option> </option>
<option value="StartTLS" data-port="389" <?=$pconfig['ldap_urltype'] == "StartTLS" ? "selected=\"selected\"" : "";?>>
<?=gettext("StartTLS");?>
</option>
<option value="SSL - Encrypted" data-port="636" <?=$pconfig['ldap_urltype'] == "SSL - Encrypted" ? "selected=\"selected\"" : "";?>> <option value="SSL - Encrypted" data-port="636" <?=$pconfig['ldap_urltype'] == "SSL - Encrypted" ? "selected=\"selected\"" : "";?>>
<?=gettext("SSL - Encrypted");?> <?=gettext("SSL - Encrypted");?>
</option> </option>
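Review bot: The new option's value and label `StartTLS` break the `<transport> - <mode>` naming the two neighbouring options use (`TCP - Standard`, `SSL - Encrypted`); a value and label such as `TCP - StartTLS` would keep the list consistent and still satisfy the backend's strstr() check on `StartTLS` in LDAP.php. Any config already saved with the bare `StartTLS` value would also continue to match that substring check, so the rename has no migration cost as far as the visible code shows.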