author | derelict-pf <cjl@netgate.com> | 2016-10-14 16:29:46 -0700 |
committer | Renato Botelho <renato@netgate.com> | 2016-12-06 15:51:37 -0200 |
commit | 836c858f7a24825ed2fc84ac0e0d7ff8c0f3b397 (patch) | |
tree | 3713bb87edf9e301a937af0577a732b931277beb | |
parent | 13622c260ee1ad82e66f278450a296c5d88d7a1b (diff) | |
download | pfsense-836c858f7a24825ed2fc84ac0e0d7ff8c0f3b397.zip pfsense-836c858f7a24825ed2fc84ac0e0d7ff8c0f3b397.tar.gz |
Added STARTTLS to LDAP Auth Server Config
(cherry picked from commit d672403c250556ced61d6eec7c51f5518b5f8c6b)
-rw-r--r-- | src/etc/inc/auth.inc | 72 | ||||
-rw-r--r-- | src/usr/local/www/guiconfig.inc | 1 | ||||
-rw-r--r-- | src/usr/local/www/system_authservers.php | 11 |
3 files changed, 59 insertions, 25 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index df26c63..3688659 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -809,10 +809,10 @@ function ldap_test_connection($authcfg) {
 global $debug, $config, $g;
 if ($authcfg) {
- if (strstr($authcfg['ldap_urltype'], "Standard")) {
- $ldapproto = "ldap";
- } else {
+ if (strstr($authcfg['ldap_urltype'], "SSL")) {
 $ldapproto = "ldaps";
+ } else {
+ $ldapproto = "ldap";
 }
 $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
 $ldapport = $authcfg['ldap_port'];
@@ -853,7 +853,7 @@ function ldap_setup_caenv($authcfg) {
 require_once("certs.inc");
 unset($caref);
- if (empty($authcfg['ldap_caref']) || !strstr($authcfg['ldap_urltype'], "SSL")) {
+ if (empty($authcfg['ldap_caref']) || strstr($authcfg['ldap_urltype'], "Standard")) {
 putenv('LDAPTLS_REQCERT=never');
 return;
 } else {
@@ -883,10 +883,10 @@ function ldap_test_bind($authcfg) {
 global $debug, $config, $g;
 if ($authcfg) {
- if (strstr($authcfg['ldap_urltype'], "Standard")) {
- $ldapproto = "ldap";
- } else {
+ if (strstr($authcfg['ldap_urltype'], "SSL")) {
 $ldapproto = "ldaps";
+ } else {
+ $ldapproto = "ldap";
 }
 $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
 $ldapport = $authcfg['ldap_port'];
@@ -932,6 +932,14 @@ function ldap_test_bind($authcfg) {
 ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
 ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
+ if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
+ if (!(ldap_start_tls($ldap))) {
+ log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s."), $ldapname));
+ @ldap_close($ldap);
+ return false;
+ }
+ }
+
 $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
 $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
 if ($ldapanon == true) {
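Review bot: The transport is now chosen by substring-matching the human-readable type label (`strstr($authcfg['ldap_urltype'], "SSL")`), so any future entry in `$ldap_urltypes` whose label happens to contain "SSL" silently selects ldaps, and a label that drops the word silently falls back to cleartext. Since `ldap_urltype` appears to hold the label defined in guiconfig.inc, an exact comparison makes the security-relevant decision explicit: `$ldapproto = ($authcfg['ldap_urltype'] === 'SSL - Encrypted') ? "ldaps" : "ldap";`. The same `strstr` selection is repeated in ldap_test_bind, ldap_get_user_ous, ldap_get_groups and ldap_backed further down. ldap_test_connection continues outside the hunk.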
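Review bot: With 'TCP - STARTTLS' selected but no Peer Certificate Authority configured, this branch still exports `LDAPTLS_REQCERT=never`, so the upgraded session accepts any server certificate and the bind credentials are protected against passive capture only, not against an active man-in-the-middle. That was already the behaviour for the SSL type before this change, but offering STARTTLS makes it more likely an operator turns on encryption without also selecting a CA, and the help text's "hostname MUST match the CN" is not enforced in that case. At minimum the branch should say so, e.g. `log_error(gettext("LDAP: TLS enabled without a Peer CA; the server certificate will not be verified."));` when the type is not Standard; rejecting a non-Standard type with an empty `ldap_caref` in the form validation of system_authservers.php would be stronger. The remaining branch of ldap_setup_caenv lies outside the hunk.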
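Review bot: The log line on the `ldap_start_tls` failure path says only that STARTTLS failed; the reason (server does not offer the extension, certificate rejected by the configured CA, or `LDAP_OPT_PROTOCOL_VERSION` set to 2 from `$ldapver` a few lines above, which STARTTLS does not support) is discarded. Including the library error before closing, `log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s: %s"), $ldapname, ldap_error($ldap)));`, gives the operator something to act on. The same seven-line block is pasted verbatim into ldap_get_user_ous, ldap_get_groups and ldap_backed; a small helper taking `$ldap`, `$authcfg` and the caller name would keep the four copies from drifting. `$ldapname` and the connect result are established outside this hunk.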
@@ -959,10 +967,10 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 $ous = array();
 if ($authcfg) {
- if (strstr($authcfg['ldap_urltype'], "Standard")) {
- $ldapproto = "ldap";
- } else {
+ if (strstr($authcfg['ldap_urltype'], "SSL")) {
 $ldapproto = "ldaps";
+ } else {
+ $ldapproto = "ldap";
 }
 $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
 $ldapport = $authcfg['ldap_port'];
@@ -1014,6 +1022,14 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
 ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
+ if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
+ if (!(ldap_start_tls($ldap))) {
+ log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not STARTTLS to server %s."), $ldapname));
+ @ldap_close($ldap);
+ return false;
+ }
+ }
+
 $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
 $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
 if ($ldapanon == true) {
@@ -1083,10 +1099,10 @@ function ldap_get_groups($username, $authcfg) {
 //log_error("Getting LDAP groups for {$username}.");
 if ($authcfg) {
- if (strstr($authcfg['ldap_urltype'], "Standard")) {
- $ldapproto = "ldap";
- } else {
+ if (strstr($authcfg['ldap_urltype'], "SSL")) {
 $ldapproto = "ldaps";
+ } else {
+ $ldapproto = "ldap";
 }
 $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
 $ldapport = $authcfg['ldap_port'];
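Review bot: On STARTTLS failure this path returns `false`, but ldap_get_user_ous initialises `$ous = array();` at its top and presumably hands that array back to callers that iterate or count it; a `false` return would then behave differently from an empty result. If the function's other failure paths return `$ous`, this one should too, `return $ous;`, so the contract stays consistent; if they return `false`, this is fine as is. The rest of the function, including its return statements, lies outside the hunk.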
@@ -1149,6 +1165,14 @@ function ldap_get_groups($username, $authcfg) {
 ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
 ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
+ if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
+ if (!(ldap_start_tls($ldap))) {
+ log_error(sprintf(gettext("ERROR! ldap_get_groups() could not STARTTLS to server %s."), $ldapname));
+ @ldap_close($ldap);
+ return false;
+ }
+ }
+
 /* bind as user that has rights to read group attributes */
 $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
 $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
@@ -1225,10 +1249,10 @@ function ldap_backed($username, $passwd, $authcfg) {
 }
 if ($authcfg) {
- if (strstr($authcfg['ldap_urltype'], "Standard")) {
- $ldapproto = "ldap";
- } else {
+ if (strstr($authcfg['ldap_urltype'], "SSL")) {
 $ldapproto = "ldaps";
+ } else {
+ $ldapproto = "ldap";
 }
 $ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
 $ldapport = $authcfg['ldap_port'];
@@ -1277,16 +1301,24 @@ function ldap_backed($username, $passwd, $authcfg) {
 /* Setup CA environment if needed. */
 ldap_setup_caenv($authcfg);
+ /* Make sure we can connect to LDAP */
+ $error = false;
+ if (!($ldap = ldap_connect($ldapserver))) {
+ $error = true;
+ }
+
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
 ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
 ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
- /* Make sure we can connect to LDAP */
- $error = false;
- if (!($ldap = ldap_connect($ldapserver))) {
- $error = true;
+ if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
+ if (!(ldap_start_tls($ldap))) {
+ log_error(sprintf(gettext("ERROR! ldap_backed() could not STARTTLS to server %s."), $ldapname));
+ @ldap_close($ldap);
+ return false;
+ }
 }
 if ($error == true) {
diff --git a/src/usr/local/www/guiconfig.inc b/src/usr/local/www/guiconfig.inc
index 10114aa..f64df7b 100644
--- a/src/usr/local/www/guiconfig.inc
+++ b/src/usr/local/www/guiconfig.inc
@@ -154,6 +154,7 @@ $auth_server_types = array(
 $ldap_urltypes = array(
 'TCP - Standard' => 389,
+ 'TCP - STARTTLS' => 389,
 'SSL - Encrypted' => 636);
 $ldap_scopes = array(
diff --git a/src/usr/local/www/system_authservers.php b/src/usr/local/www/system_authservers.php
index c6a2b72..84f4f2a 100644
--- a/src/usr/local/www/system_authservers.php
+++ b/src/usr/local/www/system_authservers.php
@@ -541,7 +541,7 @@ $section->addInput(new Form_Input(
 'Hostname or IP address',
 'text',
 $pconfig['ldap_host']
-))->setHelp('NOTE: When using SSL, this hostname MUST match the Common Name '.
+))->setHelp('NOTE: When using SSL or STARTTLS, this hostname MUST match the Common Name '.
 '(CN) of the LDAP server\'s SSL Certificate.');
 $section->addInput(new Form_Input(
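Review bot: When `ldap_connect` fails, `$error` is set but execution carries on: the five `ldap_set_option` calls and then `ldap_start_tls($ldap)` run against `$ldap === false` before the `if ($error == true)` check is reached, so a STARTTLS configuration pointed at an unreachable server logs a misleading "could not STARTTLS" error (plus, depending on PHP version, warnings or a TypeError from the ldap functions) instead of the connect failure. Guard the new block on the connect result, `if (!$error && strstr($authcfg['ldap_urltype'], "STARTTLS")) {`, or move the `$error` check to directly after the connect. Note also that the new `return false` bypasses whatever the existing `if ($error == true)` branch does on failure, which lies outside the hunk, so error reporting now differs between the two paths.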
@@ -576,7 +576,8 @@ else
 'Peer Certificate Authority',
 $pconfig['ldap_caref'],
 $ldapCaRef
- ))->setHelp('This option is used if \'SSL Encrypted\' option is choosen. '.
+ ))->setHelp('This option is used if \'SSL Encrypted\' '.
+ 'or \'TCP - STARTTLS\' options are chosen. '.
 'It must match with the CA in the AD otherwise problems will arise.');
 }
@@ -912,10 +913,10 @@ events.push(function() {
 }
 function set_ldap_port() {
- if ($('#ldap_urltype').find(":selected").index() == 0)
- $('#ldap_port').val('389');
- else
+ if ($('#ldap_urltype').find(":selected").index() == 2)
 $('#ldap_port').val('636');
+ else
+ $('#ldap_port').val('389');
 }
 // Hides all elements of the specified class. This will usually be a section |
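Review bot: The port default is keyed on the selected option's position (`index() == 2`), which is exactly what broke when this commit inserted 'TCP - STARTTLS' into the middle of `$ldap_urltypes` and will break again the next time an entry is added or reordered, silently defaulting an encrypted type to 389 or a cleartext one to 636. Testing the selected entry itself, e.g. `if ($('#ldap_urltype').val().indexOf('SSL') !== -1)` (auth.inc already matches on that substring), or emitting the `$ldap_urltypes` port map into the page and reading the port from it, ties the default to the entry rather than to its index. This assumes the option value is the urltype label; confirm against the select markup, which is outside the hunk.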