LDAP StartTLS to fix #54

Signed-off-by: mathieu.brunot <mathieu.brunot@monogramm.io>
mathieu.brunot 2020-06-27 16:44:47 +02:00
parent 5dc2d428a6
commit f07f64bb46
No known key found for this signature in database
GPG Key ID: 81584BEAF692D7E0
10 changed files with 22 additions and 4 deletions


@ -21,6 +21,7 @@ services:
ldap_host: ldap://ldap.company.com:389/
ldap_port: 389
ldap_version: 3
ldap_start_tls: false
ldap_search_attribute: uid
ldap_base_dn: "ou=People,o=Company"
ldap_filter: "(objectClass=*)"


@ -58,6 +58,7 @@ Some image parameters can be changed, by specifying the desired parameters in co
| ldap_host | URL or IP to connect LDAP server | `ldap://ldap.company.com/` |
| ldap_port | Port used to connect LDAP server | `389` |
| ldap_version | LDAP version or protocol version used by LDAP server | `3` |
| ldap_start_tls | LDAP over STARTTLS | `false` |
| ldap_search_attribute | Attribute used to identify a user on the LDAP | `uid` |
| ldap_filter | Additional filter for LDAP search | `objectClass=*` |
| ldap_base_dn | The base directory name of your LDAP server | ` ou=People,o=Company` |


@ -249,6 +249,7 @@ Edit `oauth/LDAP/config_ldap.php` and adapt prameters with your LDAP configurati
| ldap_host | URL or IP to connect LDAP server | `ldap://ldap.company.com/` |
| ldap_port | Port used to connect LDAP server | `389` |
| ldap_version | LDAP version or protocol version used by LDAP server | `3` |
| ldap_start_tls | LDAP over STARTTLS | `false` |
| ldap_search_attribute | Attribute used to identify a user on the LDAP | `uid` |
| ldap_filter | Additional filter for LDAP search | `(objectClass=*)` |
| ldap_base_dn | The base directory name of your LDAP server | `ou=People,o=Company` |
@ -259,7 +260,7 @@ For openLDAP server, the 'ldap_search_attribute' should be `uid`, and for AD ser
Parameters 'ldap_bind_dn' and 'ldap_bind_pass' are required if your LDAP is restrictive, else put an empty string ("").
**Wraning** : Mattermost-LDAP V2 has changed 'ldap_filter' syntax. Now, the ldap filter must respect the LDAP syntax and need to be included into parenthesis.
**Warning** : Mattermost-LDAP V2 has changed 'ldap_filter' syntax. Now, the ldap filter must respect the LDAP syntax and need to be included into parenthesis.
*Note* : 'ldap_version' avoid LDAP blind error with LDAP 3 (issue #14)


@ -11,6 +11,7 @@ services:
- ldap_host
- ldap_port
- ldap_version
- ldap_start_tls
- ldap_search_attribute
- ldap_base_dn
- ldap_filter


@ -69,6 +69,9 @@ ldap_port = "389"
# LDAP protocol version
ldap_version = "3"
# LDAP STARTTLS
ldap_start_tls = "1"
# Unique identifier for entry in LDAP
ldap_search_attribute = "uid"
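Review bot: The new `ldap_start_tls = "1"` turns STARTTLS on in this template, while the PHP default (`$ldap_start_tls = false;` in config_ldap.php) and the docker-compose example in the same commit leave it off, so a deployment behaves differently depending on which of the three it starts from. If enabling TLS by default here is deliberate, say so in the comment, e.g. `# LDAP STARTTLS (1 = negotiate TLS on the connection, 0 = plaintext)`; otherwise the three defaults should agree. The value is a quoted string, so whatever reads this file presumably has to map "1"/"0" to a boolean itself rather than relying on PHP truthiness — that reader is not visible in this commit.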


@ -10,6 +10,9 @@ $hostname = "ldap://company.com:389";
//LDAP version
$ldap_version = 3;
//LDAP STARTTLS
$ldap_start_tls = false;
//Unique identifier of user on LDAP
$uid = "username";
$email = "username@company.com";


@ -22,10 +22,12 @@ class LDAP implements LDAPInterface
* An optional int to specify ldap server port, by default : 389
* @param int @ldap_version
* An optional int to specify ldap version, by default LDAP V3 protocol is used
* @param boolean @ldap_start_tls
* An optional boolean to use ldap over STARTTLS, by default LDAP STARTTLS is not used
*
* Initiate LDAP connection by creating an associated resource
*/
public function __construct($ldap_host, $ldap_port = 389, $ldap_version = 3)
public function __construct($ldap_host, $ldap_port = 389, $ldap_version = 3, $ldap_start_tls = false)
{
if (!is_string($ldap_host)) {
throw new InvalidArgumentException('First argument to LDAP must be the hostname of a ldap server (string). Ex: ldap//example.com/ ');
@ -45,6 +47,11 @@ class LDAP implements LDAPInterface
throw new InvalidArgumentException('Third argument to LDAP must be the ldap version (int). Ex : 3');
}
// Support LDAP over STARTTLS
if ($ldap_start_tls === true) {
ldap_start_tls($ldap);
}
$this->ldap_server = $ldap;
}
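Review bot: The result of `ldap_start_tls($ldap)` on the new line in the constructor is discarded, so when the STARTTLS negotiation fails (server without TLS support, rejected certificate, interference on the path) the handle stays in plaintext and the later bind sends the user's password unencrypted; the option silently does nothing in exactly the case it exists for. Fail closed instead: `if (!ldap_start_tls($ldap)) {` / `    throw new RuntimeException('LDAP STARTTLS failed: ' . ldap_error($ldap));` / `}`. The `=== true` test is also stricter than the other parameters, which each reject a wrong type with an InvalidArgumentException; a truthy string such as "1" coming from an environment file would silently leave TLS off here, so either add an `is_bool($ldap_start_tls)` check in the same style or coerce the value explicitly. STARTTLS is an LDAPv3 extended operation and needs the protocol-version option set before this call; that part of the constructor lies between the two hunks and is not visible.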


@ -3,6 +3,7 @@
$ldap_host = getenv('ldap_host') ?: "ldap://ldap.company.com/";
$ldap_port = intval(getenv('ldap_port')) ?: 389;
$ldap_version = intval(getenv('ldap_version')) ?: 3;
$ldap_start_tls = boolval(getenv('ldap_start_tls')) ?: false;
// Attribute use to identify user on LDAP - ex : uid, mail, sAMAccountName
$ldap_search_attribute = getenv('ldap_search_attribute') ?: "uid";
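Review bot: `boolval(getenv('ldap_start_tls'))` on the new line treats every non-empty string except "0" as true, so the values "false", "no" and "off" — including the `false` that the docker-compose example elsewhere in this commit passes, which presumably reaches the container as a string — enable STARTTLS rather than disable it, and the trailing `?: false` is redundant because boolval already returns a bool. Use the boolean filter: `$ldap_start_tls = filter_var(getenv('ldap_start_tls'), FILTER_VALIDATE_BOOLEAN);`, which maps "1"/"true"/"on"/"yes" to true and "0"/"false"/"off"/"no"/"" to false, and yields false for an unset variable since getenv returns false there. That also gives the LDAP constructor a real bool, which its `=== true` check requires.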


@ -52,7 +52,7 @@ else
$password=$_POST['password'];
// Open a LDAP connection
$ldap = new LDAP($ldap_host,$ldap_port,$ldap_version);
$ldap = new LDAP($ldap_host,$ldap_port,$ldap_version,$ldap_start_tls);
// Check user credential on LDAP
try{


@ -27,7 +27,7 @@ $user = $info_oauth["user_id"];
$assoc_id = intval($info_oauth["assoc_id"]);
// Open a LDAP connection
$ldap = new LDAP($ldap_host, $ldap_port, $ldap_version);
$ldap = new LDAP($ldap_host, $ldap_port, $ldap_version, $ldap_start_tls);
// Try to get user data on the LDAP
try {