From 20f9a50cee8ec22a20409d1abee26d5c33a1dabc Mon Sep 17 00:00:00 2001
From: Boddy4 <body@piwiteam.fr>
Date: Wed, 18 Nov 2020 01:05:29 +0100
Subject: [PATCH] LDAP: Added TLS support

---
 .env.example.complete           |  1 +
 app/Auth/Access/LdapService.php | 21 +++++++++++++++------
 app/Config/services.php         |  1 +
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/.env.example.complete b/.env.example.complete
index 19643a49f..750896f30 100644
--- a/.env.example.complete
+++ b/.env.example.complete
@@ -195,6 +195,7 @@ LDAP_DN=false
 LDAP_PASS=false
 LDAP_USER_FILTER=false
 LDAP_VERSION=false
+LDAP_START_TLS=false
 LDAP_TLS_INSECURE=false
 LDAP_ID_ATTRIBUTE=uid
 LDAP_EMAIL_ATTRIBUTE=mail
diff --git a/app/Auth/Access/LdapService.php b/app/Auth/Access/LdapService.php
index 92234edcf..c359cc943 100644
--- a/app/Auth/Access/LdapService.php
+++ b/app/Auth/Access/LdapService.php
@@ -187,12 +187,6 @@ class LdapService extends ExternalAuthService
             throw new LdapException(trans('errors.ldap_extension_not_installed'));
         }
 
-         // Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of
-         // the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not per handle.
-        if ($this->config['tls_insecure']) {
-            $this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
-        }
-
         $serverDetails = $this->parseServerString($this->config['server']);
         $ldapConnection = $this->ldap->connect($serverDetails['host'], $serverDetails['port']);
 
@@ -204,6 +198,21 @@ class LdapService extends ExternalAuthService
         if ($this->config['version']) {
             $this->ldap->setVersion($ldapConnection, $this->config['version']);
         }
+	
+	// Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of
+        // the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not per handle.
+	if ($this->config['tls_insecure']) {
+	    // Setting also ignored?
+            $this->ldap->setOption($ldapConnection, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
+	}
+
+	if ($this->config['start_tls']) {
+	    // "&& $this->config['tls_cacertfile']" this condition was removed because:
+	    // This ldap option is totally ignored by PHP. (bug: https://bugs.php.net/bug.php?id=73558)
+	    // If we set 'TLS_CACERT /config/ca/bundle.pem' into /etc/openldap/ldap.conf and restart php, ldap_start_tls works. 
+	    //$this->ldap->setOption($ldapConnection, LDAP_OPT_X_TLS_CACERTFILE, $this->config['tls_cacertfile']);
+	    ldap_start_tls($ldapConnection);
+	}
 
         $this->ldapConnection = $ldapConnection;
         return $this->ldapConnection;
diff --git a/app/Config/services.php b/app/Config/services.php
index fcde621d2..699339614 100644
--- a/app/Config/services.php
+++ b/app/Config/services.php
@@ -132,6 +132,7 @@ return [
         'group_attribute' => env('LDAP_GROUP_ATTRIBUTE', 'memberOf'),
         'remove_from_groups' => env('LDAP_REMOVE_FROM_GROUPS', false),
         'tls_insecure' => env('LDAP_TLS_INSECURE', false),
+        'start_tls' => env('LDAP_START_TLS', false),
     ],
 
 ];