diff --git a/Demo/docker-compose.yaml b/Demo/docker-compose.yaml
index ba592dd..f77a9b7 100644
--- a/Demo/docker-compose.yaml
+++ b/Demo/docker-compose.yaml
@@ -21,6 +21,7 @@ services:
 ldap_host: ldap://ldap.company.com:389/
 ldap_port: 389
 ldap_version: 3
+ ldap_start_tls: false
 ldap_search_attribute: uid
 ldap_base_dn: "ou=People,o=Company"
 ldap_filter: "(objectClass=*)"
diff --git a/Docker/README.md b/Docker/README.md
index b6e5bc4..2435d1d 100644
--- a/Docker/README.md
+++ b/Docker/README.md
@@ -58,6 +58,7 @@ Some image parameters can be changed, by specifying the desired parameters in co
 | ldap_host | URL or IP to connect LDAP server | `ldap://ldap.company.com/` |
 | ldap_port | Port used to connect LDAP server | `389` |
 | ldap_version | LDAP version or protocol version used by LDAP server | `3` |
+| ldap_start_tls | LDAP over STARTTLS | `false` |
 | ldap_search_attribute | Attribute used to identify a user on the LDAP | `uid` |
 | ldap_filter | Additional filter for LDAP search | `objectClass=*` |
 | ldap_base_dn | The base directory name of your LDAP server | ` ou=People,o=Company` |
diff --git a/README.md b/README.md
index 5afbc16..b37d230 100755
--- a/README.md
+++ b/README.md
@@ -249,6 +249,7 @@ Edit `oauth/LDAP/config_ldap.php` and adapt prameters with your LDAP configurati
 | ldap_host | URL or IP to connect LDAP server | `ldap://ldap.company.com/` |
 | ldap_port | Port used to connect LDAP server | `389` |
 | ldap_version | LDAP version or protocol version used by LDAP server | `3` |
+| ldap_start_tls | LDAP over STARTTLS | `false` |
 | ldap_search_attribute | Attribute used to identify a user on the LDAP | `uid` |
 | ldap_filter | Additional filter for LDAP search | `(objectClass=*)` |
 | ldap_base_dn | The base directory name of your LDAP server | `ou=People,o=Company` |
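Review bot: `ldap_start_tls: false` in Demo/docker-compose.yaml is an unquoted YAML boolean, unlike the sibling entries which are plain or quoted scalars; if this block is the service's `environment` mapping (only `services:` is visible in the hunk header), Compose expects boolean-looking values to be quoted, and some versions reject a bare `false`. Quote it and use a value the consumer actually understands, `ldap_start_tls: "0"`, because the PHP side in this same commit reads the variable with `boolval(getenv('ldap_start_tls'))`, for which the string "false" is truthy and only "" or "0" disables STARTTLS. The two README tables added here should then document `0`/`1` as the accepted values instead of `false`.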
@@ -259,7 +260,7 @@ For openLDAP server, the 'ldap_search_attribute' should be `uid`, and for AD ser
 
 Parameters 'ldap_bind_dn' and 'ldap_bind_pass' are required if your LDAP is restrictive, else put an empty string ("").
 
-**Wraning** : Mattermost-LDAP V2 has changed 'ldap_filter' syntax. Now, the ldap filter must respect the LDAP syntax and need to be included into parenthesis.
+**Warning** : Mattermost-LDAP V2 has changed 'ldap_filter' syntax. Now, the ldap filter must respect the LDAP syntax and need to be included into parenthesis.
 
 *Note* : 'ldap_version' avoid LDAP blind error with LDAP 3 (issue #14)
 
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 4033a8b..6efd37d 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -11,6 +11,7 @@ services:
 - ldap_host
 - ldap_port
 - ldap_version
+ - ldap_start_tls
 - ldap_search_attribute
 - ldap_base_dn
 - ldap_filter
diff --git a/env.example b/env.example
index 665d55d..e3572d0 100644
--- a/env.example
+++ b/env.example
@@ -69,6 +69,9 @@ ldap_port = "389"
 
 # LDAP protocol version
 ldap_version = "3"
 
+# LDAP STARTTLS
+ldap_start_tls = "1"
+
 # Unique identifier for entry in LDAP
 ldap_search_attribute = "uid"
diff --git a/ldap.php b/ldap.php
index b949be4..89f63d1 100644
--- a/ldap.php
+++ b/ldap.php
@@ -10,6 +10,9 @@ $hostname = "ldap://company.com:389";
 //LDAP version
 $ldap_version = 3;
 
+//LDAP STARTTLS
+$ldap_start_tls = false;
+
 //Unique identifier of user on LDAP
 $uid = "username";
 $email = "username@company.com";
diff --git a/oauth/LDAP/LDAP.php b/oauth/LDAP/LDAP.php
index 8fbb941..8b7de1c 100755
--- a/oauth/LDAP/LDAP.php
+++ b/oauth/LDAP/LDAP.php
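Review bot: env.example switches STARTTLS on (`ldap_start_tls = "1"`) whereas Demo/docker-compose.yaml, ldap.php and both README tables in this commit default it to `false`, so the example file and the documentation disagree on the shipped default. Either make the example `ldap_start_tls = "0"` to match the documented default, or, if an encrypted bind is meant to be the recommended setting, update the README default column instead. In both cases the comment should say how the value is interpreted, since it is read as a string by the config loader, e.g. `# LDAP STARTTLS (set to 1 to enable, 0 to disable)`.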
@@ -22,10 +22,12 @@ class LDAP implements LDAPInterface
 * An optional int to specify ldap server port, by default : 389
 * @param int @ldap_version
 * An optional int to specify ldap version, by default LDAP V3 protocol is used
+ * @param boolean @ldap_start_tls
+ * An optional boolean to use ldap over STARTTLS, by default LDAP STARTTLS is not used
 *
 * Initiate LDAP connection by creating an associated resource
 */
- public function __construct($ldap_host, $ldap_port = 389, $ldap_version = 3)
+ public function __construct($ldap_host, $ldap_port = 389, $ldap_version = 3, $ldap_start_tls = false)
 {
 if (!is_string($ldap_host)) {
 throw new InvalidArgumentException('First argument to LDAP must be the hostname of a ldap server (string). Ex: ldap//example.com/ ');
@@ -45,6 +47,11 @@ class LDAP implements LDAPInterface
 throw new InvalidArgumentException('Third argument to LDAP must be the ldap version (int). Ex : 3');
 }
 
+ // Support LDAP over STARTTLS
+ if ($ldap_start_tls === true) {
+ ldap_start_tls($ldap);
+ }
+
 $this->ldap_server = $ldap;
 }
 
diff --git a/oauth/LDAP/config_ldap.php.example b/oauth/LDAP/config_ldap.php.example
index a570166..4a1c4c1 100755
--- a/oauth/LDAP/config_ldap.php.example
+++ b/oauth/LDAP/config_ldap.php.example
@@ -3,6 +3,7 @@
 $ldap_host = getenv('ldap_host') ?: "ldap://ldap.company.com/";
 $ldap_port = intval(getenv('ldap_port')) ?: 389;
 $ldap_version = intval(getenv('ldap_version')) ?: 3;
+$ldap_start_tls = boolval(getenv('ldap_start_tls')) ?: false;
 
 // Attribute use to identify user on LDAP - ex : uid, mail, sAMAccountName
 $ldap_search_attribute = getenv('ldap_search_attribute') ?: "uid";
diff --git a/oauth/index.php b/oauth/index.php
index 77baacd..a0b4fd3 100644
--- a/oauth/index.php
+++ b/oauth/index.php
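Review bot: The new `$ldap_start_tls` parameter is the only constructor argument without an `InvalidArgumentException` type check, although the other three are validated (the `is_string` check is visible in this hunk and the third-argument check in the next); because the STARTTLS branch compares with `=== true`, a non-boolean such as the string "1" coming straight from an environment variable would silently leave the connection in cleartext instead of failing. Add, alongside the existing checks, `if (!is_bool($ldap_start_tls)) { throw new InvalidArgumentException('Fourth argument to LDAP must be a boolean (use STARTTLS). Ex : true'); }`. The PHPDoc line `@param boolean @ldap_start_tls` copies the file's `@` sigil for the variable name; the conventional form is `@param bool $ldap_start_tls`. The constructor body continues outside this hunk.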
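Review bot: The return value of `ldap_start_tls($ldap)` is ignored, so when the server declines STARTTLS or the TLS handshake fails (untrusted certificate, extension unsupported) the call returns false with a warning and execution continues on the plaintext socket; any later bind on this handle, which happens outside the hunk, would then send credentials unencrypted although the operator asked for TLS. Fail closed instead: `if ($ldap_start_tls === true && !ldap_start_tls($ldap)) { throw new RuntimeException('Unable to start TLS on the LDAP connection: ' . ldap_error($ldap)); }`. STARTTLS also requires the protocol version option to be applied to the handle before this call; the lines between the two hunks where that presumably happens are not visible, so worth confirming the order.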
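Review bot: `boolval(getenv('ldap_start_tls')) ?: false` treats every non-empty string other than "0" as true, so `ldap_start_tls=false`, the value the README tables and Demo/docker-compose.yaml in this commit use, actually enables STARTTLS, and the trailing `?: false` is a no-op on a value that is already a boolean. Parse the accepted spellings explicitly: `$ldap_start_tls = filter_var(getenv('ldap_start_tls'), FILTER_VALIDATE_BOOLEAN);`, which yields true for "1", "true", "on" and "yes", and false for "0", "false", "off", "no" and an unset variable, so the documented `false` behaves as written.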
@@ -52,7 +52,7 @@ else
 $password=$_POST['password'];
 
 // Open a LDAP connection
- $ldap = new LDAP($ldap_host,$ldap_port,$ldap_version);
+ $ldap = new LDAP($ldap_host,$ldap_port,$ldap_version,$ldap_start_tls);
 
 // Check user credential on LDAP
 try{
diff --git a/oauth/resource.php b/oauth/resource.php
index 762c105..b378dd4 100755
--- a/oauth/resource.php
+++ b/oauth/resource.php
@@ -27,7 +27,7 @@ $user = $info_oauth["user_id"];
 $assoc_id = intval($info_oauth["assoc_id"]);
 
 // Open a LDAP connection
-$ldap = new LDAP($ldap_host, $ldap_port, $ldap_version);
+$ldap = new LDAP($ldap_host, $ldap_port, $ldap_version, $ldap_start_tls);
 
 // Try to get user data on the LDAP
 try {
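Review bot: Both call sites now pass `$ldap_start_tls`, which is read from the included config file, but deployments generate `config_ldap.php` from the `.example` file once, so after an upgrade the variable is undefined there; PHP then emits an "Undefined variable" warning and passes null, which the constructor's `=== true` check silently treats as "no TLS". Make the fallback explicit in oauth/index.php, `$ldap = new LDAP($ldap_host,$ldap_port,$ldap_version,$ldap_start_tls ?? false);`, and likewise in the oauth/resource.php hunk below, or call out the new setting in the upgrade notes so operators add it deliberately.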