From 5b69883c0aad539e2645c34fd46e564b2e56f732 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sun, 3 May 2009 17:31:39 +0000
Subject: [PATCH] added TLS option

---
 lam/lib/config.inc      | 30 +++++++++++++++++++++++++++++-
 lam/lib/ldap.inc        |  9 ++++-----
 lam/templates/login.php |  8 ++++++++
 3 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index 091dceba..2b0e1533 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -174,6 +174,9 @@ class LAMConfig {
 
 	/** Server address (e.g. ldap://127.0.0.1:389) */
 	private $ServerURL;
+
+	/** enables/disables TLS encryption */
+	private $useTLS;
 
 	/** Array of string: users with admin rights */
 	private $Admins;
@@ -236,7 +239,7 @@ class LAMConfig {
 	private $loginSearchFilter = 'uid=%USER%';
 
 	/** List of all settings in config file */
-	private $settings = array("ServerURL", "Passwd", "Admins", "treesuffix",
+	private $settings = array("ServerURL", "useTLS", "Passwd", "Admins", "treesuffix",
 	"defaultLanguage", "scriptPath", "scriptServer", "scriptRights",
 	"cachetimeout", "modules", "activeTypes", "types", "accessLevel", 'loginMethod',
 	'loginSearchSuffix', 'loginSearchFilter');
@@ -370,6 +373,7 @@ class LAMConfig {
 		}
 		// check if we have to add new entries (e.g. if user upgraded LAM and has an old config file)
 		if (!in_array("ServerURL", $saved)) array_push($file_array, "\n\n# server address (e.g. ldap://localhost:389 or ldaps://localhost:636)\n" . "serverURL: " . $this->ServerURL . "\n");
+		if (!in_array("useTLS", $saved)) array_push($file_array, "\n\n# enable TLS encryption\n" . "useTLS: " . $this->useTLS . "\n");
 		if (!in_array("Passwd", $saved)) array_push($file_array, "\n\n# password to change these preferences via webfrontend\n" . "passwd: " . $this->Passwd . "\n");
 		if (!in_array("Admins", $saved)) array_push($file_array, "\n\n# list of users who are allowed to use LDAP Account Manager\n" . "# names have to be seperated by semicolons\n" . 
@@ -463,6 +467,30 @@ class LAMConfig {
 		else return false;
 		return true;
 	}
+
+	/**
+	 * Returns if TLS is activated.
+	 *
+	 * @return String yes or no
+	 */
+	public function getUseTLS() {
+		return $this->useTLS;
+	}
+
+	/**
+	 * Sets if TLS is activated.
+	 *
+	 * @param String yes or no
+	 * @return boolean true if $useTLS has correct format
+	 */
+	public function setUseTLS($useTLS) {
+		if (($useTLS == "yes") || ($useTLS == "no")) {
+			$this->useTLS = $useTLS;
+			return true;
+		}
+		return false;
+	}
+
 
 	/**
 	 * Returns an array of string with all admin names
diff --git a/lam/lib/ldap.inc b/lam/lib/ldap.inc
index 743e3551..98842947 100644
--- a/lam/lib/ldap.inc
+++ b/lam/lib/ldap.inc
@@ -100,14 +100,13 @@ class Ldap{
 		if ($this->server) {
 			// use LDAPv3
 			ldap_set_option($this->server, LDAP_OPT_PROTOCOL_VERSION, 3);
-			// start TLS if possible
-			if (function_exists('ldap_start_tls')) {
+			// start TLS if specified
+			$useTLS = $this->conf->getUseTLS();
+			if (isset($useTLS) && ($useTLS == "yes")) {
 				@ldap_start_tls($this->server);
 				// connect without TLS if it failed
 				if (ldap_errno($this->server) != 0) {
-					@ldap_close($this->server);
-					$this->server = @ldap_connect($this->conf->get_ServerURL());
-					ldap_set_option($this->server, LDAP_OPT_PROTOCOL_VERSION, 3);
+					return ldap_errno($this->server);
 				}
 			}
 			$bind = @ldap_bind($this->server, $user, $passwd);
diff --git a/lam/templates/login.php b/lam/templates/login.php
index 7783f60a..1781be0f 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -234,6 +234,14 @@ function display_LoginPage($config_object) {
 				echo "
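Review bot: `setUseTLS()` validates with loose `==`, so a non-string argument is accepted or rejected by PHP's type juggling rather than matched against the two documented values; `if (in_array($useTLS, array('yes', 'no'), true)) {` keeps the accepted set exactly `yes`/`no` as the docblock states. The `@param` tag also lacks the parameter name, so `@param String $useTLS yes or no` would make it usable by documentation tools. `getUseTLS()` documents `String yes or no` but returns null as long as `$useTLS` was never set, which is the case for config files written before this option existed since the property is declared without a default in the earlier hunk; that case belongs in the `@return` tag because `ldap.inc` and `login.php` both rely on it.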
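Review bot: The retained comment `// connect without TLS if it failed` no longer describes the code: the rewritten branch returns `ldap_errno($this->server)` instead of reconnecting without TLS, so it should read `// abort if TLS could not be started (never fall back to plaintext)`, which also records that failing closed here is deliberate. The early return leaves `$this->server` open whereas the old code closed it before reconnecting; `@ldap_close($this->server);` before the `return` would avoid a dangling handle unless the caller cleans up, which I cannot tell because the enclosing method starts and ends outside the hunk. `ldap_start_tls()` itself returns false on failure, so `if (!@ldap_start_tls($this->server)) {` is a more direct test than inspecting `ldap_errno` afterwards. Separately, since `getUseTLS()` yields null for a config file that predates the option, an installation that previously negotiated StartTLS whenever `function_exists('ldap_start_tls')` held now connects without TLS after upgrading until the administrator sets `useTLS: yes`; this silent downgrade should at least be called out in the upgrade notes.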
";
 			}
 		}
+		// check TLS
+		$useTLS = $config_object->getUseTLS();
+		if (isset($useTLS) && ($useTLS == "yes")) {
+			if (!function_exists('ldap_start_tls')) {
+				StatusMessage("ERROR", "Your PHP installation does not support TLS encryption!");
+				echo "
";
+			}
+		}
 		// check if session expired
 		if (isset($_GET['expired'])) {
 			StatusMessage("ERROR", _("Your session expired, please log in again."));
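Review bot: The new message `"Your PHP installation does not support TLS encryption!"` is not passed through `_()`, unlike the adjacent session-expired message in the same hunk, so it will never be translated; `StatusMessage("ERROR", _("Your PHP installation does not support TLS encryption!"));` matches the surrounding style. This page-level check only warns: the `ldap.inc` hunk in this commit drops the old `function_exists('ldap_start_tls')` guard, so with `useTLS: yes` on a PHP build lacking the function the login still proceeds to `@ldap_start_tls()`, and `@` does not suppress the resulting undefined-function fatal error; keeping a `function_exists` test next to the `getUseTLS()` check in `ldap.inc` would turn that into a reported connection error instead. The enclosing `display_LoginPage()` starts and ends outside the hunk.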