Project

General

Profile

Actions

Todo #9417

closed

Convert LDAP TLS setup from environment to LDAP_OPT_X_TLS_* set options

Added by Jim Pingle over 5 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Authentication
Target version:
Start date:
03/21/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

PHP 7.1 added support for configuring the LDAP CA/Cert environment directly, rather than relying on the environment variables. These use new constants named LDAP_OPT_X_TLS_<blah>

For example:

ldap_set_option($ldap, LDAP_OPT_X_TLS_CERTFILE, "{$cert_prefix}.crt");

The use of environment variables may also be contributing to occasional failures of Diagnostics > Authentication testing LDAP logins with/without SSL.

Actions #1

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Jim Pingle over 5 years ago

See #9433 for an additional example of a problem case solved by this patch

Actions #3

Updated by Jim Pingle over 5 years ago

  • Target version changed from 2.5.0 to 2.4.4-p3
Actions #4

Updated by Chris Linstruth over 5 years ago

2.4.4-p3

This all seems to work. It also seems much more consistent as posited in the description. I did a lot of bouncing around between SSL/636, STARTTLS, Clear, making changes to the server capabilities and requirements and everything seemed to happen as expected.

Much improved. Thank you.

Actions #5

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to Resolved
Actions #6

Updated by Jim Pingle over 5 years ago

  • Status changed from Resolved to New
  • Target version changed from 2.4.4-p3 to 2.5.0

Upon further testing this does not appear to be working for self-signed certificates. It works for global, however. Will need to be backed out of 2.4.4 and revisited for 2.5.0, where it also doesn't appear to be working for this scenario.

Actions #7

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Feedback
Actions #8

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to New
Actions #9

Updated by Jim Pingle over 5 years ago

It looks like LDAP_OPT_X_TLS_CACERTDIR and LDAP_OPT_X_TLS_CACERTFILE are being set but for some reason not honored as they should be. I can retrieve the set values with ldap_get_option(), but the connection still fails to validate the CA even though the correct file is in place. Checking with the exact same CA file at the CLI using s_client shows the CA as valid.

There was a PHP bug filed a long time ago, but was closed for lack of feedback: https://bugs.php.net/bug.php?id=73558
A couple other similar posts around but nothing concrete either way.

Will keep testing on 2.5.0 but this may need backed out entirely, or at least reworked so the old style is only used for self-signed.

Actions #10

Updated by Jim Pingle over 5 years ago

  • Category changed from User Manager / Privileges to Authentication
Actions #11

Updated by Jim Pingle over 5 years ago

  • Target version changed from 2.5.0 to Future

Taking this off 2.5.0. I backed the changes out. It appears to be an upstream problem in PHP still, and no movement on the bug report above. I left a comment with some more details. We can revisit this in the future if the bug ever gets fixed.

Actions #12

Updated by Jim Pingle about 4 years ago

  • Target version changed from Future to 2.5.0

And back on 2.5.0... Looks like there is some slightly different required syntax than I was using before. I can now use the new method and no longer see the unknown CA errors.

Commits coming.

Actions #13

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Feedback
Actions #14

Updated by Jim Pingle about 4 years ago

This is working better but today I'm seeing some inconsistencies in the behavior. I can flip back and forth between testing two LDAP servers with different CAs and most of the time they both work, but some results return a failure. Packet capture shows that when it fails, it's an "unknown CA" error. So somehow it still appears to be confusing the LDAP environments.

The functions setting the values succeed, but there also doesn't seem to be any function which can read the values of the LDAP_OPT_X_TLS_CACERTDIR / LDAP_OPT_X_TLS_CACERTFILE variables since they use a NULL resource identifier.

Actions #15

Updated by Fernando Barros about 4 years ago

  • File openssl_s_client.txt added
Actions #16

Updated by Jim Pingle about 4 years ago

  • File deleted (openssl_s_client.txt)
Actions #17

Updated by Fernando Barros about 4 years ago

  • File Screen Shot 2020-11-06 at 6.57.51 PM.png added
  • File Screen Shot 2020-11-06 at 6.58.10 PM.png added
  • File Screen Shot 2020-11-06 at 6.59.53 PM.png added
  • File Screen Shot 2020-11-06 at 7.01.20 PM.png added
  • File Screen Shot 2020-11-06 at 7.01.47 PM.png added
Actions #18

Updated by Jim Pingle about 4 years ago

  • File deleted (Screen Shot 2020-11-06 at 6.57.51 PM.png)
Actions #19

Updated by Jim Pingle about 4 years ago

  • File deleted (Screen Shot 2020-11-06 at 6.58.10 PM.png)
Actions #20

Updated by Jim Pingle about 4 years ago

  • File deleted (Screen Shot 2020-11-06 at 6.59.53 PM.png)
Actions #21

Updated by Jim Pingle about 4 years ago

  • File deleted (Screen Shot 2020-11-06 at 7.01.20 PM.png)
Actions #22

Updated by Jim Pingle about 4 years ago

  • File deleted (Screen Shot 2020-11-06 at 7.01.47 PM.png)
Actions #23

Updated by Jim Pingle about 4 years ago

See also: #10704

Actions #24

Updated by Renato Botelho almost 4 years ago

  • Status changed from Feedback to Resolved

Marking it as resolved since nobody answered in 3 months

Actions

Also available in: Atom PDF