
#1106 Authentication LDAP with TLS

2.2.0
closed
nobody
LDAP (12)
Core/OQL
Medium
2.1.0
enhancement
2015-09-16
2015-06-08
Karl
No

Hi all,

In my organization we cannot connect to Active Directory servers without TLS.
Here is the modification (diff) I've made to model.authent-ldap.php to make it work:

73a74
>               $bLDAPStartTLS = MetaModel::GetModuleSetting('authent-ldap', 'starttls', 0);
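Review bot: the default passed to MetaModel::GetModuleSetting is the integer 0 while the variable carries the `$b` boolean prefix and the config snippet further down uses TRUE; use `false` as the default so the setting is consistently boolean, and document the new 'starttls' key next to the other authent-ldap settings so admins know it exists.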
81a83,93
>               if ($bLDAPStartTLS)
>               {
>                       $hStartTLS = ldap_start_tls($hDS);
>                       //$this->LogMessage("ldap_authentication: hStartTLS = '$hStartTLS'");
>                       if (!$hStartTLS)
>                       {
>                               $this->LogMessage("ldap_authentication: start tls failed.");
>                               return false;
>                       }
>               }
>
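Review bot: the failure branch logs only "start tls failed." with no reason, which is exactly the hard-to-troubleshoot situation Romain describes in the discussion; add `ldap_errno($hDS)` and `ldap_error($hDS)` to that LogMessage call so a certificate problem can be told apart from a wrong URI. Also, ldap_start_tls() returns a bool, so `$hStartTLS` is misnamed (the `$h` prefix is used for handles such as `$hDS`); rename it `$bStartTLSOk` and drop the commented-out debug line before merging. Finally, StartTLS is an LDAPv3 operation, so this block is safer placed after the ldap_set_option loop, where a configured LDAP_OPT_PROTOCOL_VERSION is already in effect.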

And a new entry is made in config-itop.php, in the authent-ldap array:

'starttls' => TRUE,

Thanks

Related

Tickets: #1122

Discussion

  • Denis

    Denis - 2015-08-10
    • Milestone: Unassigned --> 2.2.0
  • Romain Quetiez

    Romain Quetiez - 2015-08-11

    I've dug into the PHP documentation for ldap_start_tls:

    1. Enabling encryption by this method is not compatible with the use of the URI ldaps:// on port 636. The outcome of this is an error that will be quite hard to troubleshoot as, by default, it will not be logged anywhere. As a consequence, I suggest another improvement: add a setting to enable full logging of connection errors [#1122].
    2. It may be required to force the version of the protocol to 3. To let admins do that by means of the setting 'options', I suggest placing the call to ldap_start_tls after the loop for ldap_set_option, that is, at line 87.

    Any further comment on this?


    Related

    Tickets: #1122
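
The ordering Romain suggests (apply the configured options, including protocol version 3, then negotiate StartTLS, and log the LDAP error on failure) written out against PHP's ext/ldap, as an added example that is neither iTop's code nor part of the ticket; $sUri, $aOptions, the ldaps:// check and the LogMessage helper are assumptions:

```php
<?php
// Added example, not iTop's own authent-ldap code. LogMessage is a hypothetical
// logger standing in for the module's; $sUri/$aOptions are assumed inputs.
function LogMessage(string $sMsg): void
{
    error_log($sMsg);
}

function LdapConnectWithStartTls(string $sUri, array $aOptions, bool $bStartTLS)
{
    // StartTLS upgrades a plain connection; it cannot be combined with an
    // ldaps:// URI (port 636), whose socket is already wrapped in TLS.
    if ($bStartTLS && stripos($sUri, 'ldaps://') === 0) {
        LogMessage("ldap_authentication: 'starttls' cannot be combined with an ldaps:// URI ($sUri)");
        return false;
    }
    $hDS = ldap_connect($sUri);
    if ($hDS === false) {
        LogMessage("ldap_authentication: invalid LDAP URI '$sUri'");
        return false;
    }
    // StartTLS is an LDAPv3 operation: force version 3 unless the admin set it
    // explicitly in 'options' (array union keeps the admin's value).
    $aOptions += [LDAP_OPT_PROTOCOL_VERSION => 3];
    foreach ($aOptions as $iOption => $value) {
        if (!ldap_set_option($hDS, $iOption, $value)) {
            LogMessage("ldap_authentication: ldap_set_option($iOption) failed: " . ldap_error($hDS));
            return false;
        }
    }
    // Only now negotiate TLS, so the protocol version above is already in effect.
    if ($bStartTLS && !ldap_start_tls($hDS)) {
        // Log errno and error text so the failure is actually diagnosable.
        LogMessage(sprintf("ldap_authentication: start tls failed (%d: %s)",
            ldap_errno($hDS), ldap_error($hDS)));
        return false;
    }
    return $hDS;
}

// Constructed sample call mirroring 'starttls' => TRUE in the authent-ldap config.
$hDS = LdapConnectWithStartTls('ldap://ldap.example.com:389', [LDAP_OPT_REFERRALS => 0], true);
if ($hDS !== false) {
    $bBound = @ldap_bind($hDS, 'CN=svc-itop,DC=example,DC=com', 'PLACEHOLDER_PASSWORD');
    LogMessage('ldap_authentication: bind ' . ($bBound ? 'ok' : 'failed: ' . ldap_error($hDS)));
    ldap_unbind($hDS);
}
```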

  • Denis

    Denis - 2015-09-16
    • status: new --> closed
