LDAP: Allow TLS certificate checking policy to be configured (#180)

Author: daedric

.env

@@ -59,6 +59,10 @@ LDAP_AUTH_URL="ldap://127.0.0.1"
 LDAP_DN_PATTERN="mail=%u"
 LDAP_MAIL_ATTRIBUTE="mail"
 LDAP_AUTH_USER_AUTOCREATE=false
+# See https://www.php.net/manual/en/ldap.constants.php#constant.ldap-opt-x-tls-require-cert
+# Allowed values are: never, hard, demand, allow or try.
+# "try" is the default if left unspecified
+LDAP_CERTIFICATE_CHECKING_STRATEGY="try"
 
 # Do we enable caldav and carddav ?
 CALDAV_ENABLED=true

README.md

@@ -193,6 +193,7 @@ LDAP_AUTH_URL="ldap://127.0.0.1"
 LDAP_DN_PATTERN="mail=%u"
 LDAP_MAIL_ATTRIBUTE="mail"
 LDAP_AUTH_USER_AUTOCREATE=true # false by default
+LDAP_CERTIFICATE_CHECKING_STRATEGY="try" # try by default.
 ```
 
 > Ex: for [Zimbra LDAP](https://zimbra.github.io/adminguide/latest/#zimbra_ldap_service), you might want to use the `zimbraMailDeliveryAddress` attribute to retrieve the principal user email:

config/services.yaml

@@ -35,6 +35,7 @@ services:
             $LDAPDnPattern: "%env(LDAP_DN_PATTERN)%"
             $LDAPMailAttribute: "%env(LDAP_MAIL_ATTRIBUTE)%"
             $autoCreate: "%env(bool:LDAP_AUTH_USER_AUTOCREATE)%"
+            $LDAPCertificateCheckingStrategy: "%env(LDAP_CERTIFICATE_CHECKING_STRATEGY)%"
 
     # controllers are imported separately to make sure services can be injected
     # as action arguments even if you don't extend any base controller class
@@ -70,4 +71,4 @@ when@dev:
 
 when@test:
     services:
-        Symfony\Component\HttpKernel\Profiler\Profiler: '@profiler'
+        Symfony\Component\HttpKernel\Profiler\Profiler: '@profiler'

src/Services/LDAPAuth.php

@@ -62,15 +62,23 @@ final class LDAPAuth extends AbstractBasic
      */
     private $autoCreate;
 
+
+    /**
+     * Indicates what to do with certificate.
+     * see https://www.php.net/manual/en/ldap.constants.php#constant.ldap-opt-x-tls-require-cert
+     */
+    private $cert_checking_strat;
+
     /**
      * Creates the backend object.
      */
-    public function __construct(ManagerRegistry $doctrine, Utils $utils, string $LDAPAuthUrl, string $LDAPDnPattern, string $LDAPMailAttribute, bool $autoCreate)
+    public function __construct(ManagerRegistry $doctrine, Utils $utils, string $LDAPAuthUrl, string $LDAPDnPattern, string $LDAPMailAttribute, bool $autoCreate, string $LDAPCertificateCheckingStrategy)
     {
         $this->LDAPAuthUrl = $LDAPAuthUrl;
         $this->LDAPDnPattern = $LDAPDnPattern;
         $this->LDAPMailAttribute = $LDAPMailAttribute ?? 'mail';
         $this->autoCreate = $autoCreate;
+        $this->cert_checking_strat = $LDAPCertificateCheckingStrategy ?? "try";
 
         $this->doctrine = $doctrine;
         $this->utils = $utils;
@@ -86,6 +94,32 @@ public function __construct(ManagerRegistry $doctrine, Utils $utils, string $LDA
      */
     protected function ldapOpen($username, $password)
     {
+        switch ($this->cert_checking_strat) {
+            case 'never':
+                $cert_strategy = LDAP_OPT_X_TLS_NEVER;
+                break;
+            case 'hard':
+                $cert_strategy = LDAP_OPT_X_TLS_HARD;
+                break;
+            case 'demand':
+                $cert_strategy = LDAP_OPT_X_TLS_DEMAND;
+                break;
+            case 'allow':
+                $cert_strategy = LDAP_OPT_X_TLS_ALLOW;
+                break;
+            case 'try':
+                $cert_strategy = LDAP_OPT_X_TLS_TRY;
+                break;
+            default:
+                error_log('Invalid certificate checking strategy: ' . $this->cert_checking_strat);
+                return false;
+        }
+
+        if (false === ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, $cert_strategy)) {
+            error_log('LDAP Error (ldap_set_option with '.$cert_strategy.'): failed');
+
+            return false;
+        }
         try {
             $ldap = ldap_connect($this->LDAPAuthUrl);
         } catch (\Exception $e) {