Extend /users API endpoint

[bookstack] / app / Auth / Access / LdapService.php

diff --git a/app/Auth/Access/LdapService.php b/app/Auth/Access/LdapService.php
index c359cc943014ef3f0e024712f19eefc7c55d6150..a438c098490586f44f06b607ff15892e726b60d9 100644 (file)
--- a/app/Auth/Access/LdapService.php
+++ b/app/Auth/Access/LdapService.php
@@ -85,9 +85,9 @@ class LdapService extends ExternalAuthService
 
         $userCn = $this->getUserResponseProperty($user, 'cn', null);
         $formatted = [
-            'uid'   => $this->getUserResponseProperty($user, $idAttr, $user['dn']),
-            'name'  => $this->getUserResponseProperty($user, $displayNameAttr, $userCn),
-            'dn'    => $user['dn'],
+            'uid' => $this->getUserResponseProperty($user, $idAttr, $user['dn']),
+            'name' => $this->getUserResponseProperty($user, $displayNameAttr, $userCn),
+            'dn' => $user['dn'],
             'email' => $this->getUserResponseProperty($user, $emailAttr, null),
         ];
 
@@ -187,6 +187,12 @@ class LdapService extends ExternalAuthService
             throw new LdapException(trans('errors.ldap_extension_not_installed'));
         }
 
+        // Disable certificate verification.
+        // This option works globally and must be set before a connection is created.
+        if ($this->config['tls_insecure']) {
+            $this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
+        }
+
         $serverDetails = $this->parseServerString($this->config['server']);
         $ldapConnection = $this->ldap->connect($serverDetails['host'], $serverDetails['port']);
 
@@ -198,21 +204,14 @@ class LdapService extends ExternalAuthService
         if ($this->config['version']) {
             $this->ldap->setVersion($ldapConnection, $this->config['version']);
         }
-       
-       // Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of
-        // the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not per handle.
-       if ($this->config['tls_insecure']) {
-           // Setting also ignored?
-            $this->ldap->setOption($ldapConnection, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
-       }
-
-       if ($this->config['start_tls']) {
-           // "&& $this->config['tls_cacertfile']" this condition was removed because:
-           // This ldap option is totally ignored by PHP. (bug: https://bugs.php.net/bug.php?id=73558)
-           // If we set 'TLS_CACERT /config/ca/bundle.pem' into /etc/openldap/ldap.conf and restart php, ldap_start_tls works. 
-           //$this->ldap->setOption($ldapConnection, LDAP_OPT_X_TLS_CACERTFILE, $this->config['tls_cacertfile']);
-           ldap_start_tls($ldapConnection);
-       }
+
+        // Start and verify TLS if it's enabled
+        if ($this->config['start_tls']) {
+            $started = $this->ldap->startTls($ldapConnection);
+            if (!$started) {
+                throw new LdapException('Could not start TLS connection');
+            }
+        }
 
         $this->ldapConnection = $ldapConnection;
         return $this->ldapConnection;