Details

    • Type: Improvement
    • Status: Closed
    • Priority: Medium
    • Resolution: Obsolete
    • Affects Version/s: 4.1.3, 4.2.0
    • Fix Version/s: Customer request, Future
    • Labels:
      None
    • Environment:

      Operating System: Oracle Enterprise Linux 5.3
      PHP Version: 5.2.10, 5.3.0
      Database and version: MySQL community 5.1.37
      Browser (and version): N/A

      Description

      LDAP user accounts can be verified over unencrypted ldap (389) and perhaps ldaps (636)?

      However, ldaps is deprecated in favor of open 389 + StartTLS, so we have made the following changes in our installations.

      Suggested code to accomplish this enhancement (for eZ Publish 4.1.3, line numbers are approximately the same for 4.2.0):

      In file %{eZPublishRoot}/kernel/classes/datatypes/ezuser/ezldapuser.php:

      243a
                      if ( $LDAPStartTLS )
                      {
                          if ( (int)$LDAPVersion < 3 )
                          {
                              eZDebug::writeError( 'LDAP set to encrypt with StartTLS but using protocol version lower than 3!', 'eZLDAPUser::loginUser()' );
                              $ds = false;
                          }
                          else
                          {
                              if ( !ldap_start_tls( $ds ) )
                              {
                                  eZDebug::writeError( 'Unable to negotiate StartTLS connection to LDAP server!', 'eZLDAPUser::loginUser()' );
                                  $ds = false;
                              }
                          }
                      }
                  }
       
                  if ( $ds )
                  {
      .
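      Review bot: both failure paths in this hunk set `$ds = false` without closing the handle that ldap_connect() returned, so the fail-closed branch leaves a half-open cleartext session around until script end; call `ldap_close( $ds );` before clearing the variable. The guard also only inspects `$LDAPVersion`: ldap_start_tls() fails unless LDAP_OPT_PROTOCOL_VERSION 3 has already been applied to `$ds`, so this block must sit after wherever loginUser() applies the configured version to the handle, not merely after the version is read from the ini.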
      168a
                  $LDAPStartTLS           = $LDAPIni->variable( 'LDAPSettings', 'LDAPStartTLS' ) === 'enabled';
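      Review bot: this `168a` hunk has no terminating `.` line, so the ed script as pasted will not apply without editing. The strict comparison `=== 'enabled'` also means any other spelling (`true`, `Enabled`, `on`) silently leaves StartTLS off and the login proceeds in cleartext; consider logging via eZDebug::writeError() when the value is neither `enabled` nor `disabled`, so a typo in ldap.ini is visible rather than a silent downgrade.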
      In file %{eZPublishRoot}/settings/ldap.ini, section LDAPSettings:

      # Enable/disable StartTLS encryption over LDAP connection
      LDAPStartTLS=disabled
      

      It is assumed that if administrators want StartTLS for any LDAP sessions, they will want it for all LDAP sessions, hence the failure upon StartTLS not working.
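      The fail-closed behaviour the report asks for, written out as a stand-alone helper. This is an added example, not the reporter's patch or eZ Publish code; the function name, the `$settings` keys and the `$logError` callback are assumptions, and the ini values are read here from a plain array rather than through eZINI.

```php
<?php
// Added example (not the reporter's patch): open an LDAP connection and,
// when StartTLS is requested, refuse to continue unless TLS was negotiated.
// Returns the connection handle on success and false on any failure, so the
// caller can never fall back to a cleartext bind by accident.
// $settings keys (assumed): LDAPServer, LDAPPort, LDAPVersion, LDAPStartTLS.
// $logError: any callable taking one string (stands in for eZDebug::writeError).
function ldapConnectStartTls( array $settings, $logError )
{
    $host     = $settings['LDAPServer'];
    $port     = isset( $settings['LDAPPort'] ) ? (int)$settings['LDAPPort'] : 389;
    $version  = isset( $settings['LDAPVersion'] ) ? (int)$settings['LDAPVersion'] : 3;
    $startTls = ( isset( $settings['LDAPStartTLS'] ) && $settings['LDAPStartTLS'] === 'enabled' );

    // ldap_connect() only prepares the handle; nothing is sent yet.
    $ds = ldap_connect( $host, $port );
    if ( $ds === false )
    {
        call_user_func( $logError, "Cannot initialise LDAP connection to $host:$port" );
        return false;
    }

    // The StartTLS extended operation only exists in LDAPv3, so reject the
    // combination up front instead of letting ldap_start_tls() fail later.
    if ( $startTls && $version < 3 )
    {
        call_user_func( $logError, "LDAPStartTLS=enabled requires LDAPVersion=3 (got $version)" );
        ldap_close( $ds );
        return false;
    }
    // The protocol version must be applied to the handle before StartTLS.
    ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, $version );
    // Referral chasing could silently redirect the session elsewhere; keep it off.
    ldap_set_option( $ds, LDAP_OPT_REFERRALS, 0 );

    // StartTLS upgrades the existing port-389 session to TLS. If the server
    // rejects it, fail closed rather than bind over cleartext.
    if ( $startTls && !ldap_start_tls( $ds ) )
    {
        call_user_func( $logError, 'StartTLS negotiation failed: ' . ldap_error( $ds ) );
        ldap_close( $ds );
        return false;
    }
    return $ds;
}
```

      Certificate verification for the StartTLS session is governed by the client's ldap.conf (TLS_REQCERT and TLS_CACERT), not by PHP, so check that setting before relying on this helper to detect a spoofed server.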

      Thanks guys!

      Steps to reproduce

      N/A

      1. ldap-start-tls.patch
        5 kB
        (inactive) Gunnstein Lye
      2. ldap-start-tls-v2.patch
        5 kB
        (inactive) Gunnstein Lye

        Activity

        (inactive) Gunnstein Lye added a comment -

        Patch against trunk attached. I have not tested this on a working StartTLS enabled server yet.
        ldap-start-tls.patch

        (inactive) Gunnstein Lye added a comment -

        In reply to comment #026640
        Updated patch from the customer issue. It deals with older LDAP servers in a better way.
        ldap-start-tls-v2.patch

        ezrobot added a comment -

        This issue has been automatically closed due to the lack of activity over a long period of time. It is very likely that it is obsolete, but if you think it is still valid, do not hesitate to reopen it and mention why.


          People

          • Assignee: (inactive) Gunnstein Lye
          • Reporter: Raynard Sandwick