diff --git a/.env b/.env index 503cf07..f4a40de 100644 --- a/.env +++ b/.env @@ -59,6 +59,10 @@ LDAP_AUTH_URL="ldap://127.0.0.1" LDAP_DN_PATTERN="mail=%u" LDAP_MAIL_ATTRIBUTE="mail" LDAP_AUTH_USER_AUTOCREATE=false +# See https://www.php.net/manual/en/ldap.constants.php#constant.ldap-opt-x-tls-require-cert +# Allowed values are: never, hard, demand, allow or try. +# "try" is the default if left unspecified +LDAP_CERTIFICATE_CHECKING_STRATEGY="try" # Do we enable caldav and carddav ? CALDAV_ENABLED=true diff --git a/README.md b/README.md index 7875ce6..4977494 100644 --- a/README.md +++ b/README.md @@ -193,6 +193,7 @@ LDAP_AUTH_URL="ldap://127.0.0.1" LDAP_DN_PATTERN="mail=%u" LDAP_MAIL_ATTRIBUTE="mail" LDAP_AUTH_USER_AUTOCREATE=true # false by default +LDAP_CERTIFICATE_CHECKING_STRATEGY="try" # try by default. ``` > Ex: for [Zimbra LDAP](https://zimbra.github.io/adminguide/latest/#zimbra_ldap_service), you might want to use the `zimbraMailDeliveryAddress` attribute to retrieve the principal user email: diff --git a/config/services.yaml b/config/services.yaml index 100becb..8526baa 100644 --- a/config/services.yaml +++ b/config/services.yaml @@ -35,6 +35,7 @@ services: $LDAPDnPattern: "%env(LDAP_DN_PATTERN)%" $LDAPMailAttribute: "%env(LDAP_MAIL_ATTRIBUTE)%" $autoCreate: "%env(bool:LDAP_AUTH_USER_AUTOCREATE)%" + $LDAPCertificateCheckingStrategy: "%env(LDAP_CERTIFICATE_CHECKING_STRATEGY)%" # controllers are imported separately to make sure services can be injected # as action arguments even if you don't extend any base controller class @@ -70,4 +71,4 @@ when@dev: when@test: services: - Symfony\Component\HttpKernel\Profiler\Profiler: '@profiler' \ No newline at end of file + Symfony\Component\HttpKernel\Profiler\Profiler: '@profiler' diff --git a/src/Services/LDAPAuth.php b/src/Services/LDAPAuth.php index 7e0b03b..7e2273f 100644 --- a/src/Services/LDAPAuth.php +++ b/src/Services/LDAPAuth.php 
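Review bot: The new `LDAP_CERTIFICATE_CHECKING_STRATEGY` comment presents `never` and `allow` as ordinary choices and makes `try` the default, without saying that those two modes let the client carry on against a server certificate that was never validated, so anyone who can intercept the path to the LDAP server can impersonate it and collect users' bind passwords. OpenLDAP's own default for TLS_REQCERT is `demand`, which is the safer default for an authentication backend; `never`/`allow` belong in a debugging caveat rather than the main list. I would ship `LDAP_CERTIFICATE_CHECKING_STRATEGY="demand"` and add the line `# WARNING: "never" and "allow" skip server certificate validation and expose bind credentials to a man-in-the-middle; use only for local debugging.` above it. Whether the connection uses ldaps:// or StartTLS is not visible in this diff; with the plain `ldap://127.0.0.1` example URL this setting only has an effect once TLS is actually negotiated.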
@@ -62,15 +62,23 @@ final class LDAPAuth extends AbstractBasic */ private $autoCreate; + + /** + * Indicates what to do with certificate. + * see https://www.php.net/manual/en/ldap.constants.php#constant.ldap-opt-x-tls-require-cert + */ + private $cert_checking_strat; + /** * Creates the backend object. */ - public function __construct(ManagerRegistry $doctrine, Utils $utils, string $LDAPAuthUrl, string $LDAPDnPattern, string $LDAPMailAttribute, bool $autoCreate) + public function __construct(ManagerRegistry $doctrine, Utils $utils, string $LDAPAuthUrl, string $LDAPDnPattern, string $LDAPMailAttribute, bool $autoCreate, string $LDAPCertificateCheckingStrategy) { $this->LDAPAuthUrl = $LDAPAuthUrl; $this->LDAPDnPattern = $LDAPDnPattern; $this->LDAPMailAttribute = $LDAPMailAttribute ?? 'mail'; $this->autoCreate = $autoCreate; + $this->cert_checking_strat = $LDAPCertificateCheckingStrategy ?? "try"; $this->doctrine = $doctrine; $this->utils = $utils; @@ -86,6 +94,32 @@ final class LDAPAuth extends AbstractBasic */ protected function ldapOpen($username, $password) { + switch ($this->cert_checking_strat) { + case 'never': + $cert_strategy = LDAP_OPT_X_TLS_NEVER; + break; + case 'hard': + $cert_strategy = LDAP_OPT_X_TLS_HARD; + break; + case 'demand': + $cert_strategy = LDAP_OPT_X_TLS_DEMAND; + break; + case 'allow': + $cert_strategy = LDAP_OPT_X_TLS_ALLOW; + break; + case 'try': + $cert_strategy = LDAP_OPT_X_TLS_TRY; + break; + default: + error_log('Invalid certificate checking strategy: ' . $this->cert_checking_strat); + return false; + } + + if (false === ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, $cert_strategy)) { + error_log('LDAP Error (ldap_set_option with '.$cert_strategy.'): failed'); + + return false; + } try { $ldap = ldap_connect($this->LDAPAuthUrl); } catch (\Exception $e) {
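Review bot: The fallback `$LDAPCertificateCheckingStrategy ?? "try"` in the constructor can never fire: the parameter is declared `string`, so `null` cannot reach it, while an empty `LDAP_CERTIFICATE_CHECKING_STRATEGY=""` is stored verbatim and later lands in the `default` branch of the switch in `ldapOpen()`, failing every LDAP login instead of applying the documented default. Normalising the value here makes the env comment true and also tolerates `Demand` or a trailing space: `$strategy = strtolower(trim($LDAPCertificateCheckingStrategy));` followed by `$this->cert_checking_strat = '' === $strategy ? 'try' : $strategy;`. Minor style point: the new property `$cert_checking_strat` is snake_case while its siblings (`$autoCreate`, `$LDAPMailAttribute`) are camelCase, and its docblock could name the accepted values, e.g. `* One of: never, hard, demand, allow, try (mapped onto LDAP_OPT_X_TLS_REQUIRE_CERT).`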
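Review bot: `ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, …)` with a null handle sets a process-wide libldap default, so it affects every LDAP connection this PHP worker makes, not only the one opened just below; calling it before `ldap_connect()` is correct for this option, but that deserves a comment such as `// Global (process-wide) libldap option; must be set before ldap_connect().` The failure log prints the numeric constant (`ldap_set_option with 2`) rather than the configured name — `error_log('LDAP Error (ldap_set_option with ' . $this->cert_checking_strat . '): failed');` is what an operator can act on. Because `never` and `allow` disable server-certificate validation, silently honouring them hides exactly the misconfiguration a MITM relies on; I would log it: `if (in_array($this->cert_checking_strat, ['never', 'allow'], true)) { error_log('LDAP: server certificate validation disabled (' . $this->cert_checking_strat . ')'); }`. The rest of `ldapOpen()` — including whether StartTLS or an ldaps:// URL is used, which is what makes this option matter at all — continues outside the hunk.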