From 06ef95dc5fc4635379698cf73bd36d4b370aab69 Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Tue, 26 Mar 2024 16:30:04 +0000
Subject: [PATCH] Change to allow override of CA CERT for LDAPS

Using the env LDAP_TLS_CACERTFILE to set a file to use to override the CA CERT used to verify LDAPS connections. This is to make this process easier for docker use.
---
 app/Access/LdapService.php | 6 ++++++
 app/Config/services.php | 1 +
 2 files changed, 7 insertions(+)

diff --git a/app/Access/LdapService.php b/app/Access/LdapService.php
index 9d2667635..56e7aba04 100644
--- a/app/Access/LdapService.php
+++ b/app/Access/LdapService.php
@@ -209,6 +209,12 @@ class LdapService
 $this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
 }
 
+ // Specify CA Cert file for LDAP.
+ // This option works globally and must be set before a connection is created.
+ if ($this->config['tls_cacertfile']) {
+ $this->ldap->setOption(null, LDAP_OPT_X_TLS_CACERTFILE, $this->config['tls_cacertfile']);
+ }
+
 $ldapHost = $this->parseServerString($this->config['server']);
 $ldapConnection = $this->ldap->connect($ldapHost);
 
diff --git a/app/Config/services.php b/app/Config/services.php
index a035f1056..a407b5dc8 100644
--- a/app/Config/services.php
+++ b/app/Config/services.php
@@ -133,6 +133,7 @@ return [
 'group_attribute' => env('LDAP_GROUP_ATTRIBUTE', 'memberOf'),
 'remove_from_groups' => env('LDAP_REMOVE_FROM_GROUPS', false),
 'tls_insecure' => env('LDAP_TLS_INSECURE', false),
+ 'tls_cacertfile' => env('LDAP_TLS_CACERTFILE', false),
 'start_tls' => env('LDAP_START_TLS', false),
 'thumbnail_attribute' => env('LDAP_THUMBNAIL_ATTRIBUTE', null),
 ],
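Review bot: The new `LDAP_OPT_X_TLS_CACERTFILE` block sits directly after the `tls_insecure` branch that sets `LDAP_OPT_X_TLS_REQUIRE_CERT` to `LDAP_OPT_X_TLS_NEVER`, so when both settings are present the custom CA file cannot contribute any verification (certificate checks are already off) and an operator who set `LDAP_TLS_CACERTFILE` may believe they are verifying when they are not; the block should say so, e.g. `// Has no effect while tls_insecure is enabled, since certificate checks are skipped entirely.`, and ideally log a warning for that combination. The return value of `setOption` is discarded on the new line, as it is on the existing `REQUIRE_CERT` call, so an unreadable or mistyped path surfaces only as an opaque TLS failure at connect time; `if (!$this->ldap->setOption(null, LDAP_OPT_X_TLS_CACERTFILE, $this->config['tls_cacertfile'])) { throw new \RuntimeException('Failed to set LDAP CA certificate file'); }` (or the service's own LDAP exception type, if one exists) would make the misconfiguration diagnosable. Since this libldap option also governs StartTLS, the comment's "for LDAP" wording is accurate but the commit message's LDAPS-only framing understates its reach. The enclosing method starts and ends outside the hunk.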
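Review bot: The new `tls_cacertfile` entry defaults to `false`, while the other optional value in this block, `thumbnail_attribute`, defaults to `null`; for a setting whose value is a file path, `'tls_cacertfile' => env('LDAP_TLS_CACERTFILE', null),` states the absence more honestly and still falls through the truthiness check in the LdapService hunk. The diffstat lists only these two files, so the example environment file and the LDAP configuration documentation presumably do not yet mention `LDAP_TLS_CACERTFILE`; documenting it beside `LDAP_TLS_INSECURE`, with a note that the path must be readable by the PHP process and that it is ignored while `LDAP_TLS_INSECURE` is on, would help the Docker case the commit targets.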