From: Dan Brown
Date: Sat, 22 Dec 2018 16:38:50 +0000 (+0000)
Subject: Merge pull request #1096 from christophert/add-ldaptlsinsecure
X-Git-Tag: v0.25.0~1^2~12
X-Git-Url: http://source.bookstackapp.com/bookstack/commitdiff_plain/7c8edf56736bb60a25acbc8be3ed3370f9d12b25?ds=inline;hp=-c
Merge pull request #1096 from christophert/add-ldaptlsinsecure
Add option to disable LDAPS Certificate Validation
---
7c8edf56736bb60a25acbc8be3ed3370f9d12b25
diff --combined .env.example
index 6e015335e,3ca612f64..11dafa2ab
--- a/.env.example
+++ b/.env.example
@@@ -48,7 -48,6 +48,7 @@@ GITHUB_APP_ID=fals
GITHUB_APP_SECRET=false
GOOGLE_APP_ID=false
GOOGLE_APP_SECRET=false
+GOOGLE_SELECT_ACCOUNT=false
OKTA_BASE_URL=false
OKTA_APP_ID=false
OKTA_APP_SECRET=false
@@@ -77,6 -76,8 +77,8 @@@ LDAP_GROUP_ATTRIBUTE="memberOf
# Would you like to remove users from roles on BookStack if they do not match on LDAP
# If false, the ldap groups-roles sync will only add users to roles
LDAP_REMOVE_FROM_GROUPS=false
+ # Set this option to disable LDAPS Certificate Verification
+ LDAP_TLS_INSECURE=false
# Mail settings
MAIL_DRIVER=smtp
diff --combined app/Auth/Access/LdapService.php
index b49ecf129,9e626bbac..1e95ac513
--- a/app/Auth/Access/LdapService.php
+++ b/app/Auth/Access/LdapService.php
@@@ -107,7 -107,6 +107,7 @@@ class LdapServic
if ($ldapUser === null) {
return false;
}
+
if ($ldapUser['uid'] !== $user->external_auth_id) {
return false;
}
@@@ -170,6 -169,16 +170,16 @@@
}
$hostName = $ldapServer[0] . ($hasProtocol?':':'') . $ldapServer[1];
$defaultPort = $ldapServer[0] === 'ldaps' ? 636 : 389;
+
+ /*
+ * Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of
+ * the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not
+ * per handle.
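Review bot: The new `LDAP_TLS_INSECURE` comment in the second .env.example hunk says what the switch does but not what it costs, so an operator copying this file has no cue that it is a debugging aid rather than an ordinary setting. Once the flag is on, the connection can no longer distinguish the real directory server from any host that presents a certificate, which is the property LDAPS is used for in the first place. Suggested wording: `# Set to true to skip verification of the LDAP server certificate (LDAPS). This removes the protection against server impersonation; leave false outside of testing.`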
+ */
+ if($this->config['tls_insecure']) {
+ $this->ldap->setOption(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
+ }
+
$ldapConnection = $this->ldap->connect($hostName, count($ldapServer) > 2 ? intval($ldapServer[2]) : $defaultPort);
if ($ldapConnection === false) {
@@@ -196,7 -205,7 +206,7 @@@
$newAttrs = [];
foreach ($attrs as $key => $attrText) {
$newKey = '${' . $key . '}';
- $newAttrs[$newKey] = $attrText;
+ $newAttrs[$newKey] = $this->ldap->escape($attrText);
}
return strtr($filterString, $newAttrs);
}
@@@ -266,8 -275,7 +276,8 @@@
$baseDn = $this->config['base_dn'];
$groupsAttr = strtolower($this->config['group_attribute']);
- $groups = $this->ldap->searchAndGetEntries($ldapConnection, $baseDn, 'CN='.$groupName, [$groupsAttr]);
+ $groupFilter = 'CN=' . $this->ldap->escape($groupName);
+ $groups = $this->ldap->searchAndGetEntries($ldapConnection, $baseDn, $groupFilter, [$groupsAttr]);
if ($groups['count'] === 0) {
return [];
}
@@@ -279,26 -287,23 +289,26 @@@
/**
* Filter out LDAP CN and DN language in a ldap search return
* Gets the base CN (common name) of the string
- * @param string $ldapSearchReturn
+ * @param array $userGroupSearchResponse
* @return array
*/
- protected function groupFilter($ldapSearchReturn)
+ protected function groupFilter(array $userGroupSearchResponse)
{
$groupsAttr = strtolower($this->config['group_attribute']);
$ldapGroups = [];
$count = 0;
- if (isset($ldapSearchReturn[$groupsAttr]['count'])) {
- $count = (int) $ldapSearchReturn[$groupsAttr]['count'];
+
+ if (isset($userGroupSearchResponse[$groupsAttr]['count'])) {
+ $count = (int) $userGroupSearchResponse[$groupsAttr]['count'];
}
+
for ($i=0; $i<$count; $i++) {
- $dnComponents = ldap_explode_dn($ldapSearchReturn[$groupsAttr][$i], 1);
+ $dnComponents = $this->ldap->explodeDn($userGroupSearchResponse[$groupsAttr][$i], 1);
if (!in_array($dnComponents[0], $ldapGroups)) {
$ldapGroups[] = $dnComponents[0];
}
}
+
return $ldapGroups;
}
diff --combined config/services.php
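Review bot: The `if($this->config['tls_insecure'])` guard relies on PHP truthiness, while the value comes from `env('LDAP_TLS_INSECURE', false)` in config/services.php, which as far as I know only maps the literal strings `true`/`false` (and a few similar tokens) to booleans and hands back anything else as a string. A setting such as `LDAP_TLS_INSECURE=no` would therefore be truthy and silently turn certificate checking off, which is the wrong direction for a security-relaxing toggle to fail. Comparing strictly makes it fail closed: `if ($this->config['tls_insecure'] === true) {`. While here, `NULL` should be lowercase `null` per PSR-12, and the comment could add that because the option is process-wide it remains in effect for every later LDAP connection made by this PHP process, not only the one opened here. The enclosing method starts before this hunk and continues after it.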
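Review bot: In the `groupFilter()` hunk, `$dnComponents[0]` is read without checking what `explodeDn()` returned; if the wrapper passes through the `false` that `ldap_explode_dn()` yields for a malformed DN value, indexing it gives `null`, and `null` is then appended to `$ldapGroups`. A guard directly after the call keeps the result a clean list of names: `if ($dnComponents === false) { continue; }`. The `in_array()` test on the following line should also pass `true` as its third argument so that two distinct numeric-looking group names such as `1` and `01` are not treated as duplicates. The whole `groupFilter()` method is visible within this hunk.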
index 857a7caa2,98b1fce8e..ba1648891
--- a/config/services.php
+++ b/config/services.php
@@@ -59,7 -59,6 +59,7 @@@ return
'name' => 'Google',
'auto_register' => env('GOOGLE_AUTO_REGISTER', false),
'auto_confirm' => env('GOOGLE_AUTO_CONFIRM_EMAIL', false),
+ 'select_account' => env('GOOGLE_SELECT_ACCOUNT', false),
],
'slack' => [
@@@ -149,6 -148,7 +149,7 @@@
'user_to_groups' => env('LDAP_USER_TO_GROUPS',false),
'group_attribute' => env('LDAP_GROUP_ATTRIBUTE', 'memberOf'),
'remove_from_groups' => env('LDAP_REMOVE_FROM_GROUPS',false),
+ 'tls_insecure' => env('LDAP_TLS_INSECURE', false),
]
];