From 6c14c09880bc085752a0479c512a47fe08b76aeb Mon Sep 17 00:00:00 2001
From: Christopher Tran
Date: Sat, 27 Oct 2018 16:14:19 -0400
Subject: [PATCH 1/3] Add ability to disable LDAP certificate validation

---
 .env.example | 2 ++
 app/Auth/Access/LdapService.php | 6 ++++++
 config/services.php | 1 +
 3 files changed, 9 insertions(+)

diff --git a/.env.example b/.env.example
index eda20ea26..3ca612f64 100644
--- a/.env.example
+++ b/.env.example
@@ -76,6 +76,8 @@ LDAP_GROUP_ATTRIBUTE="memberOf"
 # Would you like to remove users from roles on BookStack if they do not match on LDAP
 # If false, the ldap groups-roles sync will only add users to roles
 LDAP_REMOVE_FROM_GROUPS=false
+# Set this option to disable LDAPS Certificate Verification
+LDAP_TLS_INSECURE=false
 
 # Mail settings
 MAIL_DRIVER=smtp
diff --git a/app/Auth/Access/LdapService.php b/app/Auth/Access/LdapService.php
index d3a177f8e..04af5b370 100644
--- a/app/Auth/Access/LdapService.php
+++ b/app/Auth/Access/LdapService.php
@@ -169,8 +169,14 @@ class LdapService
 }
 $hostName = $ldapServer[0] . ($hasProtocol?':':'') . $ldapServer[1];
 $defaultPort = $ldapServer[0] === 'ldaps' ? 636 : 389;
+
 $ldapConnection = $this->ldap->connect($hostName, count($ldapServer) > 2 ? intval($ldapServer[2]) : $defaultPort);
 
+ // Check if TLS_INSECURE is set
+ if($this->config['tls_insecure']) {
+ $this->ldap->setOption($ldapConnection, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
+ }
+
 if ($ldapConnection === false) {
 throw new LdapException(trans('errors.ldap_cannot_connect'));
 }
diff --git a/config/services.php b/config/services.php
index 711040386..47fd2f2ff 100644
--- a/config/services.php
+++ b/config/services.php
@@ -148,6 +148,7 @@ return [
 'user_to_groups' => env('LDAP_USER_TO_GROUPS',false),
 'group_attribute' => env('LDAP_GROUP_ATTRIBUTE', 'memberOf'),
 'remove_from_groups' => env('LDAP_REMOVE_FROM_GROUPS',false),
+ 'tls_insecure' => env('LDAP_TLS_INSECURE', false),
 ]
 ];
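Review bot: The comment above the new `LDAP_TLS_INSECURE` line says what the option does but not what it costs: with certificate verification off, anyone able to intercept the LDAPS connection can present their own certificate and read the bind credentials and directory traffic, so the example should warn operators off it outside of debugging. Something like `# Disable LDAPS certificate verification. WARNING: a man-in-the-middle can then impersonate the LDAP server and capture bind credentials; prefer trusting the server's CA (TLS_CACERT in ldap.conf) and leave this false in production.` states the trade-off at the point where it is made. Since the option is documented only here, this comment is the one place an operator will see it.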
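Review bot: In the LdapService hunk, `$this->ldap->setOption($ldapConnection, ...)` runs before the `if ($ldapConnection === false)` guard that follows it, so when `connect` fails the option call receives `false` instead of a link handle and the failure is masked by whatever that call does with a bad argument. The guard should precede the option call, or the option should be applied before `connect` is invoked at all; the second patch in this series moves it before `connect`, but as committed here it operates on an unchecked handle. The enclosing method starts before this hunk and its body continues after it.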
From 8e7f703af713c7c81bd1399d2f6e2518bee0d328 Mon Sep 17 00:00:00 2001
From: Christopher Tran
Date: Sat, 27 Oct 2018 16:58:10 -0400
Subject: [PATCH 2/3] fix how the option is set, change handle to NULL

---
 app/Auth/Access/LdapService.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/app/Auth/Access/LdapService.php b/app/Auth/Access/LdapService.php
index 04af5b370..9e626bbac 100644
--- a/app/Auth/Access/LdapService.php
+++ b/app/Auth/Access/LdapService.php
@@ -170,13 +170,17 @@ class LdapService
 $hostName = $ldapServer[0] . ($hasProtocol?':':'') . $ldapServer[1];
 $defaultPort = $ldapServer[0] === 'ldaps' ? 636 : 389;
 
- $ldapConnection = $this->ldap->connect($hostName, count($ldapServer) > 2 ? intval($ldapServer[2]) : $defaultPort);
-
- // Check if TLS_INSECURE is set
+ /*
+ * Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of
+ * the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not
+ * per handle.
+ */
 if($this->config['tls_insecure']) {
- $this->ldap->setOption($ldapConnection, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
+ $this->ldap->setOption(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
 }
 
+ $ldapConnection = $this->ldap->connect($hostName, count($ldapServer) > 2 ? intval($ldapServer[2]) : $defaultPort);
+
 if ($ldapConnection === false) {
 throw new LdapException(trans('errors.ldap_cannot_connect'));
 }
From 730cb78b455b75d1503008cbf39904898af3ffa1 Mon Sep 17 00:00:00 2001
From: Christopher Tran
Date: Sat, 27 Oct 2018 17:05:46 -0400
Subject: [PATCH 3/3] switch spaces to tabs

---
 config/services.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/services.php b/config/services.php
index 47fd2f2ff..98b1fce8e 100644
--- a/config/services.php
+++ b/config/services.php
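Review bot: The new `setOption(NULL, ...)` call changes a process-wide libldap setting and discards its return value, so a failed call leaves verification on with no indication, while a successful one silently turns verification off for every LDAP connection this PHP worker makes from then on, not only the one to `$hostName`. At minimum the return value should be checked and the insecure mode made visible, e.g. `if (!$this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER)) { throw new LdapException(trans('errors.ldap_cannot_connect')); }` together with a warning through the application logger whenever the branch is taken, so an operator can see from the logs that certificate checks are disabled. The block comment's claim that the option can only be set globally may hold for the PHP/libldap combination the author tested, but it is worth confirming against the versions the project targets, since a per-handle setting applied before any TLS negotiation would confine the effect to this connection. `NULL` should also be lowercase `null` to match PSR-12 and the rest of the file. The enclosing method starts before this hunk and continues after it.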
@@ -148,7 +148,7 @@ return [
 'user_to_groups' => env('LDAP_USER_TO_GROUPS',false),
 'group_attribute' => env('LDAP_GROUP_ATTRIBUTE', 'memberOf'),
 'remove_from_groups' => env('LDAP_REMOVE_FROM_GROUPS',false),
- 'tls_insecure' => env('LDAP_TLS_INSECURE', false),
+ 'tls_insecure' => env('LDAP_TLS_INSECURE', false),
 ]
 ];