eZ Publish / Platform
EZP-15654

Add StartTLS-encrypted LDAP Sessions


Details

    • Type: Improvement
    • Resolution: Obsolete
    • Priority: Medium
    • Labels: Customer request, Future
    • Affects versions: 4.1.3, 4.2.0
    • Environment:
      Operating System: Oracle Enterprise Linux 5.3
      PHP Version: 5.2.10, 5.3.0
      Database and version: MySQL community 5.1.37
      Browser (and version): N/A

    Description

      LDAP user accounts can be verified over unencrypted ldap (389) and perhaps ldaps (636)?

      However, ldaps is deprecated in favor of open 389 + StartTLS, so we have made the following changes in our installations.

      Suggested code to accomplish this enhancement (for eZ Publish 4.1.3, line numbers are approximately the same for 4.2.0):

      In file %{eZPublishRoot}/kernel/classes/datatypes/ezuser/ezldapuser.php:
      243a
                      if ( $LDAPStartTLS )
                      {
                          if ( (int)$LDAPVersion < 3 )
                          {
                              eZDebug::writeError( 'LDAP set to encrypt with StartTLS but using protocol version lower than 3!', 'eZLDAPUser::loginUser()' );
                              $ds = false;
                          }
                          else
                          {
                              if ( !ldap_start_tls( $ds ) )
                              {
                                  eZDebug::writeError( 'Unable to negotiate StartTLS connection to LDAP server!', 'eZLDAPUser::loginUser()' );
                                  $ds = false;
                              }
                          }
                      }
                  }
      
                  if ( $ds )
                  {
      .
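Review bot: in both failure branches of the `243a` hunk the connection handle is dropped with `$ds = false;` but never released; call `ldap_unbind( $ds )` before clearing it so the socket does not linger for the rest of the request, and append `ldap_error( $ds )` to the "Unable to negotiate StartTLS connection" message so the log shows why negotiation failed (certificate, cipher, or an unsupported extension) instead of only that it failed. The version test also only inspects the `$LDAPVersion` setting; StartTLS needs `LDAP_OPT_PROTOCOL_VERSION` to have actually been applied to `$ds` with `ldap_set_option()` before `ldap_start_tls( $ds )` is called, which is not visible in this hunk and should be confirmed against the lines preceding 243.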
      168a
                  $LDAPStartTLS           = $LDAPIni->variable( 'LDAPSettings', 'LDAPStartTLS' ) === 'enabled';
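Review bot: the strict `=== 'enabled'` comparison in the `168a` hunk means any other spelling of the value (`Enabled`, `true`, `on`) silently leaves StartTLS off, so a typo in ldap.ini fails open to a cleartext session even though the rest of the change is designed to fail closed. Normalise the setting (`strtolower( trim( ... ) )`), write an `eZDebug::writeError` when it is neither `enabled` nor `disabled`, and make the behaviour explicit for installations whose ldap.ini predates the new key rather than relying on whatever `variable()` returns for a missing setting.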
      


      In file %{eZPublishRoot}/settings/ldap.ini, section LDAPSettings:

      # Enable/disable StartTLS encryption over LDAP connection
      LDAPStartTLS=disabled
      

      It is assumed that if administrators want StartTLS for any LDAP sessions, they will want it for all LDAP sessions, hence the failure upon StartTLS not working.

      Thanks guys!
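      The fail-closed policy described above (StartTLS required, LDAPv3 required, no fallback to a cleartext session), shown as an added stand-alone PHP example that is not part of this issue or of eZ Publish's own code; the function name and its host, port, version and $startTls parameters are assumed:

```php
<?php
// Added example (not eZ Publish code). Open an LDAP connection that refuses to
// continue in cleartext when StartTLS is required but cannot be negotiated.
// Returns the LDAP link on success, false on any failure.
function secureLdapConnect( $host, $port = 389, $version = 3, $startTls = true )
{
    // ldap_connect() only validates its parameters; the socket is opened lazily,
    // so a false return here means bad arguments, not an unreachable server.
    $ds = ldap_connect( $host, $port );
    if ( $ds === false )
    {
        return false;
    }

    // StartTLS is an LDAPv3 extended operation: the protocol version must be
    // applied to the handle before ldap_start_tls() is attempted.
    if ( !ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, (int)$version ) )
    {
        ldap_unbind( $ds );
        return false;
    }
    // Do not chase referrals; they could point at a server without TLS.
    ldap_set_option( $ds, LDAP_OPT_REFERRALS, 0 );

    if ( $startTls )
    {
        if ( (int)$version < 3 )
        {
            error_log( 'StartTLS requested but LDAP protocol version is below 3' );
            ldap_unbind( $ds );
            return false;
        }
        // Fail closed: a negotiation failure must never degrade to cleartext.
        // The @ suppresses PHP's own warning so the reason is logged once, here.
        if ( !@ldap_start_tls( $ds ) )
        {
            error_log( 'StartTLS negotiation failed: ' . ldap_error( $ds ) );
            ldap_unbind( $ds );
            return false;
        }
    }

    return $ds;
}

// Example use (hostname is a placeholder): bind only over the TLS-protected link.
// $ds = secureLdapConnect( 'ldap.example.invalid', 389, 3, true );
// if ( $ds && ldap_bind( $ds, $bindDn, $password ) ) { /* search users */ }
```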

      Steps to reproduce

      N/A

      People

        gl
        rsandwick

      Votes: 0
      Watchers: 0