      request #11595 Add support for TLS-Encrypted LDAP (start_tls)
    Infos
    #11595
    Marek Sotola (sotola)
    2021-07-26 08:41
    2018-06-11 22:21
    11933
    Details
    Add support for TLS-Encrypted LDAP (start_tls)
    Hi Tuleap folks,

    Currently, there is no way of connecting to an LDAP/Active Directory server using TLS-Encrypted LDAP (using start_tls).

    I'm no php/ldap expert, but I was able to come up with a short-term workaround. I modified plugins/ldap/include/LDAP.class.php to always use `ldap_start_tls`:
    ======
    --- LDAP.class.php.orig 2018-06-11 11:20:59.000000000 -0400
    +++ LDAP.class.php.start_tls 2018-06-11 16:02:42.000000000 -0400
    @@ -154,6 +154,8 @@
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    + ldap_start_tls($ds);
    +
    // Since ldap_connect always return a resource with
    // OpenLdap 2.2.x, we have to check that this ressource is
    // valid with a bind, If bind success: that's great, if
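Review bot: the return value of the `ldap_start_tls($ds)` added after the `LDAP_OPT_REFERRALS` option is never checked, so if the server rejects the StartTLS extended operation or certificate verification fails, execution falls through to the bind below and the credentials go over the wire in clear text. Treat a false return as fatal, e.g. `if (!ldap_start_tls($ds)) { /* log ldap_error($ds) and refuse to bind */ }`. The call is also unconditional, so deployments whose server does not offer StartTLS would lose LDAP entirely; it needs to be gated on a configuration setting rather than always issued.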
    @@ -196,6 +198,8 @@
    $this->bound = false;
    }

    + ldap_start_tls($this->ds);
    +
    if ($bind_result = @ldap_bind($this->ds, $binddn, $bindpw)) {
    $this->bound = true;
    } else {
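Review bot: the same unchecked `ldap_start_tls($this->ds)` precedes `@ldap_bind($this->ds, $binddn, $bindpw)`, and the `@` on the bind suppresses any warning, so a failed TLS upgrade followed by a plaintext bind would leave no trace in the logs. If `$this->ds` is the handle on which the earlier hunk already negotiated TLS, this second StartTLS is issued on an already-encrypted session, which a conforming server refuses; StartTLS should be issued exactly once per connection, before the bind, with its result checked and the bind skipped on failure.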
    ======

    ... and it works (but only because the _only_ server I'm connecting to requires TLS encryption). I don't recommend this as a general fix.

    I'm running:
    CentOS 6.9
    tuleap 10.1.99.104
    php 5.3.3

    Thanks,
    Marek
    Authentication & LDAP
    All
    CentOS 6
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Under implementation
    Empty
    Attachments
    Empty
    References
    Referenced by request #11595

    Follow-ups

    Thomas Gerbet (tgerbet) 2018-06-18 09:12
    Hi,

    So I gave it a try and did the implementation, see gerrit #11682.

    It would be nice if you could give it a try. A new configuration option is added ($sys_ldap_starttls) to /etc/tuleap/plugins/ldap/etc/ldap.inc to enable the feature.

    • Status changed from Acknowledged to Under implementation
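    The shape such a configuration-gated StartTLS connect should take, as an added example that is not Tuleap's code and not the change in gerrit #11682: the option name `$sys_ldap_starttls` mirrors the one mentioned above, while `tuleap_ldap_connect()`, the URI, bind DN and password are illustrative assumptions. The point it makes, which the workaround patch misses, is that a failed `ldap_start_tls()` must abort the connection instead of falling through to a clear-text bind.

```php
<?php
// Added example (not Tuleap's code). Function and configuration names other
// than the PHP ldap_* API are assumptions for illustration.

/**
 * Connect to $uri, optionally upgrade the session with StartTLS, then bind.
 * Returns the LDAP connection on success and throws on any failure, so a
 * caller can never end up bound in clear text when TLS was requested.
 */
function tuleap_ldap_connect($uri, $starttls, $binddn, $bindpw)
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    if ($starttls) {
        // StartTLS is an upgrade of a plain ldap:// session; on ldaps:// the
        // connection is already TLS and a second negotiation is an error.
        if (strncasecmp($uri, 'ldaps://', 8) === 0) {
            ldap_unbind($ds);
            throw new RuntimeException("StartTLS requested on an ldaps:// URI: $uri");
        }
        // Demand a verified server certificate when the PHP build exposes the
        // per-connection option; otherwise TLS_REQCERT in ldap.conf applies.
        if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT') && defined('LDAP_OPT_X_TLS_DEMAND')) {
            ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
        }
        // The check the workaround lacks: a refused or failed StartTLS must not
        // be followed by a bind, which would send the password unencrypted.
        if (!@ldap_start_tls($ds)) {
            $err = ldap_error($ds);
            ldap_unbind($ds);
            throw new RuntimeException("StartTLS failed on $uri: $err");
        }
    }

    if (!@ldap_bind($ds, $binddn, $bindpw)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("LDAP bind failed for $binddn: $err");
    }
    return $ds;
}

// Usage with illustrative values. In a real deployment $sys_ldap_starttls
// would come from the plugin configuration file, not be set inline.
$sys_ldap_starttls = true;
try {
    $ds = tuleap_ldap_connect(
        'ldap://ldap.example.com',
        $sys_ldap_starttls,
        'cn=tuleap,dc=example,dc=com',
        'bind-password'
    );
    // ... ldap_search($ds, ...) and friends go here ...
    ldap_unbind($ds);
} catch (Exception $e) {
    error_log('LDAP connection refused: ' . $e->getMessage());
}
```

    Whether the server's certificate is actually verified is decided by the OpenLDAP client library, so on a host that lacks the per-connection option (PHP 5.3 as in the report) the effective policy is the `TLS_REQCERT` and `TLS_CACERT` settings in /etc/openldap/ldap.conf; `TLS_REQCERT never` would make the upgrade succeed against any certificate. As the follow-up below points out, this only covers the PHP side; the SVN authentication path talks to LDAP on its own and needs its own StartTLS setting.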
    Thomas Gerbet (tgerbet) 2018-06-15 08:51
    Hi,

    Just a quick note on the proposed patch: Tuleap might also connect to LDAP servers outside the PHP code (typically when authenticating SVN users), so it might not be enough to just add these two lines.

    That said, I'm kinda interested in adding proper support for StartTLS, so I will take a swing at this when I get the time.

    • Status changed from New to Acknowledged
    • Assigned to changed from None to Thomas Gerbet (tgerbet)