diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index 091dceba..2b0e1533 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -174,6 +174,9 @@ class LAMConfig {
/** Server address (e.g. ldap://127.0.0.1:389) */
private $ServerURL;
+
+ /** enables/disables TLS encryption */
+ private $useTLS;
/** Array of string: users with admin rights */
private $Admins;
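Review bot: `private $useTLS;` is added without a default, so for a configuration file written before this change (where the key is absent) the property stays null; the getter then returns null despite being documented as "yes or no", and the upgrade branch in the third hunk of this file writes `useTLS: ` with an empty value into the config. Give it an explicit, documented default such as `private $useTLS = 'no';` — or `'yes'`, since before this change StartTLS was attempted whenever the extension offered it, and an empty value silently turns encryption off for every upgraded installation — so the written value is parseable and the choice is deliberate. Also `$useTLS` is declared without the type-hinting docblock style of the neighbouring fields; `/** Enables/disables TLS encryption ("yes" or "no") */` would state the accepted values.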
@@ -236,7 +239,7 @@ class LAMConfig {
private $loginSearchFilter = 'uid=%USER%';
/** List of all settings in config file */
- private $settings = array("ServerURL", "Passwd", "Admins", "treesuffix",
+ private $settings = array("ServerURL", "useTLS", "Passwd", "Admins", "treesuffix",
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
"modules", "activeTypes", "types", "accessLevel", 'loginMethod', 'loginSearchSuffix',
'loginSearchFilter');
@@ -370,6 +373,7 @@ class LAMConfig {
}
// check if we have to add new entries (e.g. if user upgraded LAM and has an old config file)
if (!in_array("ServerURL", $saved)) array_push($file_array, "\n\n# server address (e.g. ldap://localhost:389 or ldaps://localhost:636)\n" . "serverURL: " . $this->ServerURL . "\n");
+ if (!in_array("useTLS", $saved)) array_push($file_array, "\n\n# enable TLS encryption\n" . "useTLS: " . $this->useTLS . "\n");
if (!in_array("Passwd", $saved)) array_push($file_array, "\n\n# password to change these preferences via webfrontend\n" . "passwd: " . $this->Passwd . "\n");
if (!in_array("Admins", $saved)) array_push($file_array, "\n\n# list of users who are allowed to use LDAP Account Manager\n" .
"# names have to be seperated by semicolons\n" .
@@ -463,6 +467,30 @@ class LAMConfig {
else return false;
return true;
}
+
+ /**
+ * Returns if TLS is activated.
+ *
+ * @return String yes or no
+ */
+ public function getUseTLS() {
+ return $this->useTLS;
+ }
+
+ /**
+ * Sets if TLS is activated.
+ *
+ * @param String yes or no
+ * @return boolean true if $useTLS has correct format
+ */
+ public function setUseTLS($useTLS) {
+ if (($useTLS == "yes") || ($useTLS == "no")) {
+ $this->useTLS = $useTLS;
+ return true;
+ }
+ return false;
+ }
+
/**
* Returns an array of string with all admin names
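Review bot: `setUseTLS` validates with loose `==`, so a caller passing a boolean is accepted (`true == "yes"` holds under PHP's loose comparison) and a boolean is stored; that is later written to the config as `useTLS: 1`, which no longer matches `"yes"` on the next read and disables TLS silently. Use strict comparison so only the two documented strings are stored: `if (($useTLS === "yes") || ($useTLS === "no")) {`. `getUseTLS` can also return null when the property was never set, which contradicts its `@return String yes or no`; either default the property or document the null case.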
diff --git a/lam/lib/ldap.inc b/lam/lib/ldap.inc
index 743e3551..98842947 100644
--- a/lam/lib/ldap.inc
+++ b/lam/lib/ldap.inc
@@ -100,14 +100,13 @@ class Ldap{
if ($this->server) {
// use LDAPv3
ldap_set_option($this->server, LDAP_OPT_PROTOCOL_VERSION, 3);
- // start TLS if possible
- if (function_exists('ldap_start_tls')) {
+ // start TLS if specified
+ $useTLS = $this->conf->getUseTLS();
+ if (isset($useTLS) && ($useTLS == "yes")) {
@ldap_start_tls($this->server);
// connect without TLS if it failed
if (ldap_errno($this->server) != 0) {
- @ldap_close($this->server);
- $this->server = @ldap_connect($this->conf->get_ServerURL());
- ldap_set_option($this->server, LDAP_OPT_PROTOCOL_VERSION, 3);
+ return ldap_errno($this->server);
}
}
$bind = @ldap_bind($this->server, $user, $passwd);
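Review bot: The removed `function_exists('ldap_start_tls')` guard is not replaced, so with `useTLS` set to yes on a PHP build whose ldap extension lacks the function the call on the `@ldap_start_tls` line is a fatal error instead of a returned error code; the display-time check in login.php only prints a message and does not stop the connect. Guard the call and use its boolean result rather than re-reading `ldap_errno`: `if (!function_exists('ldap_start_tls') || !@ldap_start_tls($this->server)) {` followed by `return ldap_errno($this->server);`. Aborting instead of reconnecting in the clear is the right fail-closed behaviour, but the retained comment `// connect without TLS if it failed` now describes the old fallback; change it to `// abort: never fall back to an unencrypted connection`. The enclosing function starts and ends outside this hunk.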
diff --git a/lam/templates/login.php b/lam/templates/login.php
index 7783f60a..1781be0f 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -234,6 +234,14 @@ function display_LoginPage($config_object) {
echo "
";
}
}
+ // check TLS
+ $useTLS = $config_object->getUseTLS();
+ if (isset($useTLS) && ($useTLS == "yes")) {
+ if (!function_exists('ldap_start_tls')) {
+ StatusMessage("ERROR", "Your PHP installation does not support TLS encryption!");
+ echo "
";
+ }
+ }
// check if session expired
if (isset($_GET['expired'])) {
StatusMessage("ERROR", _("Your session expired, please log in again."));
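Review bot: The new error text on the `StatusMessage("ERROR", "Your PHP installation ...` line is not passed through `_()`, unlike the neighbouring session-expired message just below it, so it is the only untranslatable status on this page; write it as `StatusMessage("ERROR", _("Your PHP installation does not support TLS encryption!"));`. `isset($useTLS)` on a local assigned on the previous line is only a null check, and `$useTLS === "yes"` alone expresses the condition with strict comparison. This check only warns; it does not prevent the login attempt, which is presumably handled by the connect code in ldap.inc. `display_LoginPage` starts and ends outside this hunk.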