Tweaked LDAP TLS Implementation
- Moved the ldap function out to our separate service for easier testing. - Added testing for the option. - Moved tls_insecure part back up above connection start as found more reliable there. Done a lot of real-connection testing during this review. Used wireshare to ensure TLS connection does take place. Found LDAP_TLS_INSECURE=false can action unreliably, restarting php-fpm helped. Tested both trusted and untrusted certificates.
This commit is contained in:
Dan Brown
parent
f177b02cae
commit
af032f8993
|
|
@ -31,6 +31,14 @@ class Ldap
|
||||||
return ldap_set_option($ldapConnection, $option, $value);
|
return ldap_set_option($ldapConnection, $option, $value);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Start TLS on the given LDAP connection.
|
||||||
|
*/
|
||||||
|
public function startTls($ldapConnection): bool
|
||||||
|
{
|
||||||
|
return ldap_start_tls($ldapConnection);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set the version number for the given ldap connection.
|
* Set the version number for the given ldap connection.
|
||||||
* @param $ldapConnection
|
* @param $ldapConnection
|
||||||
|
|
|
||||||
|
|
@ -187,6 +187,12 @@ class LdapService extends ExternalAuthService
|
||||||
throw new LdapException(trans('errors.ldap_extension_not_installed'));
|
throw new LdapException(trans('errors.ldap_extension_not_installed'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Disable certificate verification.
|
||||||
|
// This option works globally and must be set before a connection is created.
|
||||||
|
if ($this->config['tls_insecure']) {
|
||||||
|
$this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
|
||||||
|
}
|
||||||
|
|
||||||
$serverDetails = $this->parseServerString($this->config['server']);
|
$serverDetails = $this->parseServerString($this->config['server']);
|
||||||
$ldapConnection = $this->ldap->connect($serverDetails['host'], $serverDetails['port']);
|
$ldapConnection = $this->ldap->connect($serverDetails['host'], $serverDetails['port']);
|
||||||
|
|
||||||
|
|
@ -199,19 +205,12 @@ class LdapService extends ExternalAuthService
|
||||||
$this->ldap->setVersion($ldapConnection, $this->config['version']);
|
$this->ldap->setVersion($ldapConnection, $this->config['version']);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of
|
// Start and verify TLS if it's enabled
|
||||||
// the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not per handle.
|
|
||||||
if ($this->config['tls_insecure']) {
|
|
||||||
// Setting also ignored?
|
|
||||||
$this->ldap->setOption($ldapConnection, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($this->config['start_tls']) {
|
if ($this->config['start_tls']) {
|
||||||
// "&& $this->config['tls_cacertfile']" this condition was removed because:
|
$started = $this->ldap->startTls($ldapConnection);
|
||||||
// This ldap option is totally ignored by PHP. (bug: https://bugs.php.net/bug.php?id=73558)
|
if (!$started) {
|
||||||
// If we set 'TLS_CACERT /config/ca/bundle.pem' into /etc/openldap/ldap.conf and restart php, ldap_start_tls works.
|
throw new LdapException('Could not start TLS connection');
|
||||||
//$this->ldap->setOption($ldapConnection, LDAP_OPT_X_TLS_CACERTFILE, $this->config['tls_cacertfile']);
|
}
|
||||||
ldap_start_tls($ldapConnection);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->ldapConnection = $ldapConnection;
|
$this->ldapConnection = $ldapConnection;
|
||||||
|
|
|
||||||
|
|
@ -36,6 +36,7 @@
|
||||||
<server name="AUTH_METHOD" value="standard"/>
|
<server name="AUTH_METHOD" value="standard"/>
|
||||||
<server name="DISABLE_EXTERNAL_SERVICES" value="true"/>
|
<server name="DISABLE_EXTERNAL_SERVICES" value="true"/>
|
||||||
<server name="AVATAR_URL" value=""/>
|
<server name="AVATAR_URL" value=""/>
|
||||||
|
<server name="LDAP_START_TLS" value="false"/>
|
||||||
<server name="LDAP_VERSION" value="3"/>
|
<server name="LDAP_VERSION" value="3"/>
|
||||||
<server name="SESSION_SECURE_COOKIE" value="null"/>
|
<server name="SESSION_SECURE_COOKIE" value="null"/>
|
||||||
<server name="STORAGE_TYPE" value="local"/>
|
<server name="STORAGE_TYPE" value="local"/>
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,7 @@ use BookStack\Auth\Access\LdapService;
|
||||||
use BookStack\Auth\Role;
|
use BookStack\Auth\Role;
|
||||||
use BookStack\Auth\Access\Ldap;
|
use BookStack\Auth\Access\Ldap;
|
||||||
use BookStack\Auth\User;
|
use BookStack\Auth\User;
|
||||||
|
use BookStack\Exceptions\LdapException;
|
||||||
use Mockery\MockInterface;
|
use Mockery\MockInterface;
|
||||||
use Tests\BrowserKitTest;
|
use Tests\BrowserKitTest;
|
||||||
|
|
||||||
|
|
@ -40,6 +41,14 @@ class LdapTest extends BrowserKitTest
|
||||||
$this->mockUser = factory(User::class)->make();
|
$this->mockUser = factory(User::class)->make();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected function runFailedAuthLogin()
|
||||||
|
{
|
||||||
|
$this->commonLdapMocks(1, 1, 1, 1, 1);
|
||||||
|
$this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
|
||||||
|
->andReturn(['count' => 0]);
|
||||||
|
$this->post('/login', ['username' => 'timmyjenkins', 'password' => 'cattreedog']);
|
||||||
|
}
|
||||||
|
|
||||||
protected function mockEscapes($times = 1)
|
protected function mockEscapes($times = 1)
|
||||||
{
|
{
|
||||||
$this->mockLdap->shouldReceive('escape')->times($times)->andReturnUsing(function($val) {
|
$this->mockLdap->shouldReceive('escape')->times($times)->andReturnUsing(function($val) {
|
||||||
|
|
@ -550,6 +559,22 @@ class LdapTest extends BrowserKitTest
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function test_start_tls_called_if_option_set()
|
||||||
|
{
|
||||||
|
config()->set(['services.ldap.start_tls' => true]);
|
||||||
|
$this->mockLdap->shouldReceive('startTls')->once()->andReturn(true);
|
||||||
|
$this->runFailedAuthLogin();
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_connection_fails_if_tls_fails()
|
||||||
|
{
|
||||||
|
config()->set(['services.ldap.start_tls' => true]);
|
||||||
|
$this->mockLdap->shouldReceive('startTls')->once()->andReturn(false);
|
||||||
|
$this->commonLdapMocks(1, 1, 0, 0, 0);
|
||||||
|
$this->post('/login', ['username' => 'timmyjenkins', 'password' => 'cattreedog']);
|
||||||
|
$this->assertResponseStatus(500);
|
||||||
|
}
|
||||||
|
|
||||||
public function test_ldap_attributes_can_be_binary_decoded_if_marked()
|
public function test_ldap_attributes_can_be_binary_decoded_if_marked()
|
||||||
{
|
{
|
||||||
config()->set(['services.ldap.id_attribute' => 'BIN;uid']);
|
config()->set(['services.ldap.id_attribute' => 'BIN;uid']);
|
||||||
|
|
@ -640,12 +665,7 @@ class LdapTest extends BrowserKitTest
|
||||||
{
|
{
|
||||||
$log = $this->withTestLogger();
|
$log = $this->withTestLogger();
|
||||||
config()->set(['logging.failed_login.message' => 'Failed login for %u']);
|
config()->set(['logging.failed_login.message' => 'Failed login for %u']);
|
||||||
|
$this->runFailedAuthLogin();
|
||||||
$this->commonLdapMocks(1, 1, 1, 1, 1);
|
|
||||||
$this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
|
|
||||||
->andReturn(['count' => 0]);
|
|
||||||
|
|
||||||
$this->post('/login', ['username' => 'timmyjenkins', 'password' => 'cattreedog']);
|
|
||||||
$this->assertTrue($log->hasWarningThatContains('Failed login for timmyjenkins'));
|
$this->assertTrue($log->hasWarningThatContains('Failed login for timmyjenkins'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue