Author Topic: Feng Office 2.0 + LDAP + SSL/TLS? (Works w/out SSL, but *need* SSL)  (Read 5300 times)

straffin

All,

Anyone have any information on getting an SSL/TLS connection to work with Feng's LDAP integration? Everything works fine with an anonymous bind *without* SSL...

```php
$config_ldap = array(
    'binddn' => '',
    'bindpw' => '',
    'basedn' => 'ou=people,dc=domain,dc=com',
    'host'   => 'ldap.domain.com',
    'uid'    => 'uid'
);
```

But fails when I add the SSL/TLS information...

```php
$config_ldap = array(
    'binddn'   => '',
    'bindpw'   => '',
    'starttls' => true,
    'basedn'   => 'ou=people,dc=domain,dc=com',
    'host'     => 'ldap.domain.com:636',
    'uid'      => 'uid'
);
```

Have also tried it with "ldaps://" in the host, no luck. Anyone?

gvecchi

Re: Feng Office 2.0 + LDAP + SSL/TLS? (Works w/out SSL, but *need* SSL)
« Reply #1 on: March 12, 2012, 12:29:49 pm »
I don't know about SSL/TLS, but to get LDAP authentication to work properly I had to add:

```php
function isValidPasswordLdap($user, $password, $config) {
    // Connecting using the configuration:
    require_once "Net/LDAP2.php";

    // Refuse empty passwords: a bind with a DN and no password is treated as an
    // anonymous bind by many servers and would "succeed" without authenticating.
    if ($password === '') {
        return false;
    }

    $ldap = Net_LDAP2::connect($config);

    // Testing for connection error
    if (PEAR::isError($ldap)) {
        return false;
    }

    $filter = Net_LDAP2_Filter::create($config['uid'], 'equals', $user);
    $search = $ldap->search(null, $filter, null);

    if (Net_LDAP2::isError($search)) {
        return false;
    }

    // Exactly one entry must match the uid
    if ($search->count() != 1) {
        return false;
    }

    // User exists so we may rebind to authenticate the password
    $entries = $search->entries();
    $bind_result = $ldap->bind($entries[0]->dn(), $password);

    if (PEAR::isError($bind_result)) {
        return false;
    }
    return true;
} // isValidPasswordLdap
```

into application/models/contacts/Contact.class.php of 2.0RC source code.

Can you confirm this issue?

straffin

Re: Feng Office 2.0 + LDAP + SSL/TLS? (Works w/out SSL, but *need* SSL)
« Reply #2 on: March 12, 2012, 01:23:40 pm »
I also have that same code in my Contact.class.php.

As I said non-SSL LDAP Authentication works just dandy. However, non-SSL LDAP Authentication also passes passwords over the wire in clear-text. This is bad.

Based on some more searching and a peek at the Net_LDAP2 docs, I've also now tried adding the following to my ldap.config.php with no success:

```php
$config_ldap = array(
    'binddn'   => '',
    'bindpw'   => '',
    'starttls' => false,
    'ssl'      => true,
    'basedn'   => 'ou=People,dc=domain,dc=com',
    'host'     => 'ldap.domain.com',
    'port'     => '636',
    'uid'      => 'uid'
);
```

Anyone know how to use "ldap_set_option" to debug the connection?

gvecchi

Re: Feng Office 2.0 + LDAP + SSL/TLS? (Works w/out SSL, but *need* SSL)
« Reply #3 on: March 13, 2012, 04:25:01 am »
You can try requesting a helping hand by sending an email to the author of ldap.config.php, Luca Corbo (luca.corbo <_at_> 2bopen <_dot_> org).

mmccarn

Re: Feng Office 2.0 + LDAP + SSL/TLS? (Works w/out SSL, but *need* SSL)
« Reply #4 on: March 13, 2012, 08:26:03 am »
> Anyone know how to use "ldap_set_option" to debug the connection?

You might be able to set the debug option using something like this:

```php
$config_ldap = array(
    'binddn'   => '',
    'bindpw'   => '',
    'starttls' => false,
    'ssl'      => true,
    'basedn'   => 'ou=People,dc=domain,dc=com',
    'host'     => 'ldap.domain.com',
    'port'     => '636',
    'uid'      => 'uid',
    'options'  => array('debug' => 'true')
);
```

Since 'starttls' is (sometimes) referred to as 'SSL V3', can you get what you want by enabling starttls?

I have also successfully used an ssh tunnel to encrypt ldap traffic, using a command like this:
ssh user@ldap-server-address -L 6389:localhost:389
* then configure Net_LDAP2 to use port 6389
* I already had an LDAP server on the feng host, hence the alternate port
* configure public key passwordless connections for ssh in order to allow ssh to connect in a script without stopping to ask for a password.
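Putting the thread's pieces together as an added example (not code from Feng Office, Net_LDAP2 or any poster here): Net_LDAP2 takes its TLS settings through the `host`, `port` and `starttls` keys and defines no `ssl` key, so LDAPS is an `ldaps://` host on 636 and STARTTLS is a plain host on 389 with `starttls` set, and the `ldap_set_option` call below is the standard way to get the client trace asked for in Reply #2. The host and base DN are the thread's placeholders; it assumes PEAR Net_LDAP2 and the PHP ldap extension are installed.

```php
<?php
// Added example, not Feng Office, Net_LDAP2 or any poster's code. Assumes PEAR
// Net_LDAP2 and the PHP ldap extension; ldap.domain.com is the thread's placeholder.
require_once 'Net/LDAP2.php';

// Net_LDAP2 has no 'ssl' key: LDAPS is an ldaps:// host on port 636 (TLS from the
// first byte), STARTTLS is a plain host on port 389 upgraded before any bind.
// 'starttls' => true on port 636 cannot work: that port expects a TLS handshake first.
function ldapTlsConfig($mode) {
    $common = array(
        'binddn'  => '',                           // anonymous bind for the uid lookup
        'bindpw'  => '',
        'basedn'  => 'ou=People,dc=domain,dc=com',
        'version' => 3,                            // STARTTLS requires LDAPv3
    );
    if ($mode === 'ldaps') {
        return $common + array('host' => 'ldaps://ldap.domain.com', 'port' => 636, 'starttls' => false);
    }
    if ($mode === 'starttls') {
        return $common + array('host' => 'ldap.domain.com', 'port' => 389, 'starttls' => true);
    }
    // Anything else would send the user's password in clear text; refuse it.
    throw new InvalidArgumentException("refusing plaintext LDAP, use 'ldaps' or 'starttls'");
}

// Server certificate checking is done by the OpenLDAP client library: point TLS_CACERT
// at your CA in /etc/openldap/ldap.conf (or ~/.ldaprc) and leave TLS_REQCERT at demand.
function isValidPasswordLdapTls($user, $password, $mode, $debug = false) {
    if ($password === '') {
        return false;   // DN + empty password is an anonymous bind on many servers
    }
    if ($debug) {
        // OpenLDAP client trace on stderr; must be set before the connection is opened
        ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
    }
    $ldap = Net_LDAP2::connect(ldapTlsConfig($mode));
    if (PEAR::isError($ldap)) {
        error_log('LDAP connect failed: ' . $ldap->getMessage());
        return false;
    }
    $filter = Net_LDAP2_Filter::create('uid', 'equals', $user);
    $search = $ldap->search(null, $filter, array());
    if (PEAR::isError($search) || $search->count() !== 1) {
        return false;
    }
    $entries = $search->entries();
    $bind = $ldap->bind($entries[0]->dn(), $password);
    return !PEAR::isError($bind);
}
```

Call it as `isValidPasswordLdapTls('jdoe', $password, 'ldaps', true)` from the CLI to see the client trace; if the connect step fails with the trace enabled, the certificate or port mismatch shows up there.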