Revision 836c858f
Added by derelict-pf over 8 years ago
| src/etc/inc/auth.inc | ||
|---|---|---|
| 809 | 809 |
global $debug, $config, $g; |
| 810 | 810 |
|
| 811 | 811 |
if ($authcfg) {
|
| 812 |
if (strstr($authcfg['ldap_urltype'], "Standard")) {
|
|
| 813 |
$ldapproto = "ldap"; |
|
| 814 |
} else {
|
|
| 812 |
if (strstr($authcfg['ldap_urltype'], "SSL")) {
|
|
| 815 | 813 |
$ldapproto = "ldaps"; |
| 814 |
} else {
|
|
| 815 |
$ldapproto = "ldap"; |
|
| 816 | 816 |
} |
| 817 | 817 |
$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
|
| 818 | 818 |
$ldapport = $authcfg['ldap_port']; |
| ... | ... | |
| 853 | 853 |
require_once("certs.inc");
|
| 854 | 854 |
|
| 855 | 855 |
unset($caref); |
| 856 |
if (empty($authcfg['ldap_caref']) || !strstr($authcfg['ldap_urltype'], "SSL")) {
|
|
| 856 |
if (empty($authcfg['ldap_caref']) || strstr($authcfg['ldap_urltype'], "Standard")) {
|
|
| 857 | 857 |
putenv('LDAPTLS_REQCERT=never');
|
| 858 | 858 |
return; |
| 859 | 859 |
} else {
|
| ... | ... | |
| 883 | 883 |
global $debug, $config, $g; |
| 884 | 884 |
|
| 885 | 885 |
if ($authcfg) {
|
| 886 |
if (strstr($authcfg['ldap_urltype'], "Standard")) {
|
|
| 887 |
$ldapproto = "ldap"; |
|
| 888 |
} else {
|
|
| 886 |
if (strstr($authcfg['ldap_urltype'], "SSL")) {
|
|
| 889 | 887 |
$ldapproto = "ldaps"; |
| 888 |
} else {
|
|
| 889 |
$ldapproto = "ldap"; |
|
| 890 | 890 |
} |
| 891 | 891 |
$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
|
| 892 | 892 |
$ldapport = $authcfg['ldap_port']; |
| ... | ... | |
| 932 | 932 |
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout); |
| 933 | 933 |
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout); |
| 934 | 934 |
|
| 935 |
if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
|
|
| 936 |
if (!(ldap_start_tls($ldap))) {
|
|
| 937 |
log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s."), $ldapname));
|
|
| 938 |
@ldap_close($ldap); |
|
| 939 |
return false; |
|
| 940 |
} |
|
| 941 |
} |
|
| 942 |
|
|
| 935 | 943 |
$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; |
| 936 | 944 |
$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; |
| 937 | 945 |
if ($ldapanon == true) {
|
| ... | ... | |
| 959 | 967 |
$ous = array(); |
| 960 | 968 |
|
| 961 | 969 |
if ($authcfg) {
|
| 962 |
if (strstr($authcfg['ldap_urltype'], "Standard")) {
|
|
| 963 |
$ldapproto = "ldap"; |
|
| 964 |
} else {
|
|
| 970 |
if (strstr($authcfg['ldap_urltype'], "SSL")) {
|
|
| 965 | 971 |
$ldapproto = "ldaps"; |
| 972 |
} else {
|
|
| 973 |
$ldapproto = "ldap"; |
|
| 966 | 974 |
} |
| 967 | 975 |
$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
|
| 968 | 976 |
$ldapport = $authcfg['ldap_port']; |
| ... | ... | |
| 1014 | 1022 |
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout); |
| 1015 | 1023 |
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout); |
| 1016 | 1024 |
|
| 1025 |
if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
|
|
| 1026 |
if (!(ldap_start_tls($ldap))) {
|
|
| 1027 |
log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not STARTTLS to server %s."), $ldapname));
|
|
| 1028 |
@ldap_close($ldap); |
|
| 1029 |
return false; |
|
| 1030 |
} |
|
| 1031 |
} |
|
| 1032 |
|
|
| 1017 | 1033 |
$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; |
| 1018 | 1034 |
$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; |
| 1019 | 1035 |
if ($ldapanon == true) {
|
| ... | ... | |
| 1083 | 1099 |
|
| 1084 | 1100 |
//log_error("Getting LDAP groups for {$username}.");
|
| 1085 | 1101 |
if ($authcfg) {
|
| 1086 |
if (strstr($authcfg['ldap_urltype'], "Standard")) {
|
|
| 1087 |
$ldapproto = "ldap"; |
|
| 1088 |
} else {
|
|
| 1102 |
if (strstr($authcfg['ldap_urltype'], "SSL")) {
|
|
| 1089 | 1103 |
$ldapproto = "ldaps"; |
| 1104 |
} else {
|
|
| 1105 |
$ldapproto = "ldap"; |
|
| 1090 | 1106 |
} |
| 1091 | 1107 |
$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
|
| 1092 | 1108 |
$ldapport = $authcfg['ldap_port']; |
| ... | ... | |
| 1149 | 1165 |
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout); |
| 1150 | 1166 |
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout); |
| 1151 | 1167 |
|
| 1168 |
if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
|
|
| 1169 |
if (!(ldap_start_tls($ldap))) {
|
|
| 1170 |
log_error(sprintf(gettext("ERROR! ldap_get_groups() could not STARTTLS to server %s."), $ldapname));
|
|
| 1171 |
@ldap_close($ldap); |
|
| 1172 |
return false; |
|
| 1173 |
} |
|
| 1174 |
} |
|
| 1175 |
|
|
| 1152 | 1176 |
/* bind as user that has rights to read group attributes */ |
| 1153 | 1177 |
$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun; |
| 1154 | 1178 |
$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw; |
| ... | ... | |
| 1225 | 1249 |
} |
| 1226 | 1250 |
|
| 1227 | 1251 |
if ($authcfg) {
|
| 1228 |
if (strstr($authcfg['ldap_urltype'], "Standard")) {
|
|
| 1229 |
$ldapproto = "ldap"; |
|
| 1230 |
} else {
|
|
| 1252 |
if (strstr($authcfg['ldap_urltype'], "SSL")) {
|
|
| 1231 | 1253 |
$ldapproto = "ldaps"; |
| 1254 |
} else {
|
|
| 1255 |
$ldapproto = "ldap"; |
|
| 1232 | 1256 |
} |
| 1233 | 1257 |
$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
|
| 1234 | 1258 |
$ldapport = $authcfg['ldap_port']; |
| ... | ... | |
| 1277 | 1301 |
/* Setup CA environment if needed. */ |
| 1278 | 1302 |
ldap_setup_caenv($authcfg); |
| 1279 | 1303 |
|
| 1304 |
/* Make sure we can connect to LDAP */ |
|
| 1305 |
$error = false; |
|
| 1306 |
if (!($ldap = ldap_connect($ldapserver))) {
|
|
| 1307 |
$error = true; |
|
| 1308 |
} |
|
| 1309 |
|
|
| 1280 | 1310 |
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); |
| 1281 | 1311 |
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING); |
| 1282 | 1312 |
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); |
| 1283 | 1313 |
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout); |
| 1284 | 1314 |
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout); |
| 1285 | 1315 |
|
| 1286 |
/* Make sure we can connect to LDAP */ |
|
| 1287 |
$error = false; |
|
| 1288 |
if (!($ldap = ldap_connect($ldapserver))) {
|
|
| 1289 |
$error = true; |
|
| 1316 |
if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
|
|
| 1317 |
if (!(ldap_start_tls($ldap))) {
|
|
| 1318 |
log_error(sprintf(gettext("ERROR! ldap_backed() could not STARTTLS to server %s."), $ldapname));
|
|
| 1319 |
@ldap_close($ldap); |
|
| 1320 |
return false; |
|
| 1321 |
} |
|
| 1290 | 1322 |
} |
| 1291 | 1323 |
|
| 1292 | 1324 |
if ($error == true) {
|
Also available in: Unified diff
Added STARTTLS to LDAP Auth Server Config
(cherry picked from commit d672403c250556ced61d6eec7c51f5518b5f8c6b)