Merge branch 'master' of https://github.com/jasonhoule/BookStack into jasonhoule...

[bookstack] / app / Auth / Access / LdapService.php

diff --git a/app/Auth/Access/LdapService.php b/app/Auth/Access/LdapService.php
index c359cc943014ef3f0e024712f19eefc7c55d6150..c5b586b4dcb8c36c6dbb7d41124f9718e47b9c70 100644 (file)
--- a/app/Auth/Access/LdapService.php
+++ b/app/Auth/Access/LdapService.php
@@ -76,6 +76,7 @@ class LdapService extends ExternalAuthService
         $idAttr = $this->config['id_attribute'];
         $emailAttr = $this->config['email_attribute'];
         $displayNameAttr = $this->config['display_name_attribute'];
+        $thumbnailAttr = $this->config['thumbnail_attribute'];
 
         $user = $this->getUserWithAttributes($userName, ['cn', 'dn', $idAttr, $emailAttr, $displayNameAttr]);
 
@@ -85,10 +86,11 @@ class LdapService extends ExternalAuthService
 
         $userCn = $this->getUserResponseProperty($user, 'cn', null);
         $formatted = [
-            'uid'   => $this->getUserResponseProperty($user, $idAttr, $user['dn']),
-            'name'  => $this->getUserResponseProperty($user, $displayNameAttr, $userCn),
-            'dn'    => $user['dn'],
+            'uid' => $this->getUserResponseProperty($user, $idAttr, $user['dn']),
+            'name' => $this->getUserResponseProperty($user, $displayNameAttr, $userCn),
+            'dn' => $user['dn'],
             'email' => $this->getUserResponseProperty($user, $emailAttr, null),
+            'avatar'=> $this->getUserResponseProperty($user, $thumbnailAttr, null),
         ];
 
         if ($this->config['dump_user_details']) {
@@ -187,6 +189,12 @@ class LdapService extends ExternalAuthService
             throw new LdapException(trans('errors.ldap_extension_not_installed'));
         }
 
+        // Disable certificate verification.
+        // This option works globally and must be set before a connection is created.
+        if ($this->config['tls_insecure']) {
+            $this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
+        }
+
         $serverDetails = $this->parseServerString($this->config['server']);
         $ldapConnection = $this->ldap->connect($serverDetails['host'], $serverDetails['port']);
 
@@ -198,21 +206,14 @@ class LdapService extends ExternalAuthService
         if ($this->config['version']) {
             $this->ldap->setVersion($ldapConnection, $this->config['version']);
         }
-       
-       // Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of
-        // the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not per handle.
-       if ($this->config['tls_insecure']) {
-           // Setting also ignored?
-            $this->ldap->setOption($ldapConnection, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
-       }
-
-       if ($this->config['start_tls']) {
-           // "&& $this->config['tls_cacertfile']" this condition was removed because:
-           // This ldap option is totally ignored by PHP. (bug: https://bugs.php.net/bug.php?id=73558)
-           // If we set 'TLS_CACERT /config/ca/bundle.pem' into /etc/openldap/ldap.conf and restart php, ldap_start_tls works. 
-           //$this->ldap->setOption($ldapConnection, LDAP_OPT_X_TLS_CACERTFILE, $this->config['tls_cacertfile']);
-           ldap_start_tls($ldapConnection);
-       }
+
+        // Start and verify TLS if it's enabled
+        if ($this->config['start_tls']) {
+            $started = $this->ldap->startTls($ldapConnection);
+            if (!$started) {
+                throw new LdapException('Could not start TLS connection');
+            }
+        }
 
         $this->ldapConnection = $ldapConnection;
         return $this->ldapConnection;