diff --git a/app/modules/web/Controllers/ConfigLdapController.php b/app/modules/web/Controllers/ConfigLdapController.php
index bf343016..a0ac0389 100644
--- a/app/modules/web/Controllers/ConfigLdapController.php
+++ b/app/modules/web/Controllers/ConfigLdapController.php
@@ -72,6 +72,7 @@ final class ConfigLdapController extends SimpleControllerBase
 if ($ldapEnabled) {
 $configData->setLdapEnabled(true);
 $configData->setLdapAds($ldapParams->isAds());
+ $configData->setLdapTlsEnabled($ldapParams->isTlsEnabled());
 $configData->setLdapServer($ldapParams->getServer());
 $configData->setLdapBase($ldapParams->getSearchBase());
 $configData->setLdapGroup($ldapParams->getGroup());
@@ -121,7 +122,8 @@ final class ConfigLdapController extends SimpleControllerBase
 ->setGroup($this->request->analyzeString('ldap_group'))
 ->setBindDn($this->request->analyzeString('ldap_binduser'))
 ->setBindPass($this->request->analyzeEncrypted('ldap_bindpass'))
- ->setAds($this->request->analyzeBool('ldap_ads_enabled', false));
+ ->setAds($this->request->analyzeBool('ldap_ads_enabled', false))
+ ->setTlsEnabled($this->request->analyzeBool('ldap_tls_enabled', false));
 }
 /**
diff --git a/app/modules/web/themes/material-blue/views/config/ldap.inc b/app/modules/web/themes/material-blue/views/config/ldap.inc
index 6dd34859..ee3a49b1 100644
--- a/app/modules/web/themes/material-blue/views/config/ldap.inc
+++ b/app/modules/web/themes/material-blue/views/config/ldap.inc
@@ -66,6 +66,23 @@ +
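Review bot: The new `->setTlsEnabled(...)` line accepts the StartTLS flag independently of the server URL, so a user who ticks it while `ldap_server` is already an `ldaps://` URL gets a connection that fails later at StartTLS time (RFC 4511 §4.14.1 has the server answer operationsError when TLS is already in place) with only the generic "cannot connect" message from `LdapConnection`. This controller is the natural place to reject that combination before the params are returned, e.g. `if ($ldapParams->isTlsEnabled() && stripos($ldapParams->getServer(), 'ldaps://') === 0) { /* reject: StartTLS over an ldaps:// URL cannot succeed */ }`; the hunk does not show how `ldap_server` is parsed, so the exact check may need to match that. The method holding the setter chain begins outside the hunk.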
  • +
    + +
    + + + + + + + +
• +
diff --git a/lib/SP/Config/ConfigData.php b/lib/SP/Config/ConfigData.php
index b0a61203..9111d45b 100644
--- a/lib/SP/Config/ConfigData.php
+++ b/lib/SP/Config/ConfigData.php
@@ -389,6 +389,10 @@ final class ConfigData implements JsonSerializable
 * @var int
 */
 private $accountExpireTime = 10368000;
+ /**
+ * @var bool
+ */
+ private $ldapTlsEnabled = false;
 /**
 * @return array
@@ -2145,4 +2149,20 @@ final class ConfigData implements JsonSerializable
 return $this;
 }
+
+ /**
+ * @return bool
+ */
+ public function isLdapTlsEnabled(): bool
+ {
+ return (bool)$this->ldapTlsEnabled;
+ }
+
+ /**
+ * @param bool $ldapTlsEnabled
+ */
+ public function setLdapTlsEnabled(bool $ldapTlsEnabled)
+ {
+ $this->ldapTlsEnabled = (int)$ldapTlsEnabled;
+ }
 }
\ No newline at end of file
diff --git a/lib/SP/Providers/Auth/Ldap/LdapConnection.php b/lib/SP/Providers/Auth/Ldap/LdapConnection.php
index 4f4ff5b6..d4dbcbaf 100644
--- a/lib/SP/Providers/Auth/Ldap/LdapConnection.php
+++ b/lib/SP/Providers/Auth/Ldap/LdapConnection.php
@@ -57,6 +57,10 @@ final class LdapConnection implements LdapConnectionInterface
 * @var bool
 */
 private $isBound = false;
+ /**
+ * @var bool
+ */
+ private $isTls;
 /**
 * @var bool
 */
@@ -132,7 +136,7 @@ final class LdapConnection implements LdapConnectionInterface
 // Conexión al servidor LDAP
 if (!is_resource($this->ldapHandler)) {
- $this->eventDispatcher->notifyEvent('ldap.connection',
+ $this->eventDispatcher->notifyEvent('ldap.connect',
 new Event($this, EventMessage::factory()
 ->addDescription(__u('No es posible conectar con el servidor de LDAP'))
 ->addDetail(__u('Servidor'), $this->ldapParams->getServer()))
@@ -144,6 +148,8 @@ final class LdapConnection implements LdapConnectionInterface
 @ldap_set_option($this->ldapHandler, LDAP_OPT_NETWORK_TIMEOUT, self::TIMEOUT);
 @ldap_set_option($this->ldapHandler, LDAP_OPT_PROTOCOL_VERSION, 3);
+ $this->isTls = $this->connectTls();
+
 return true;
 }
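Review bot: `setLdapTlsEnabled()` stores `(int)$ldapTlsEnabled` into a property that the first hunk declares `@var bool` with a default of `false`, so the field holds `false` until first set and `0`/`1` afterwards, and `isLdapTlsEnabled()` has to paper over that with a `(bool)` cast. Unless the int cast is needed by the config serializer (the class's other setters are outside the hunk, so I can't tell), keep the type consistent with the declaration: `$this->ldapTlsEnabled = $ldapTlsEnabled;`. The setter also has no return type or `return $this;`, while the method just above it in the context ends with `return $this;` — pick one convention and match it.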
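Review bot: `private $isTls;` is documented `@var bool` but has no initializer, so it reads as `null` until `connect()` has run, unlike `$isBound = false;` immediately above it; suggest `private $isTls = false;` so the property always holds a boolean. Nothing in this diff reads `$isTls` after it is assigned, and since `connectTls()` throws on failure it can only end up equal to the configured flag — if there is no getter outside the diff, a short comment such as `// true once StartTLS has been negotiated on ldapHandler` would at least state what it is for.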
@@ -160,13 +166,51 @@ final class LdapConnection implements LdapConnectionInterface
 ) {
 $this->eventDispatcher->notifyEvent('ldap.check.params',
 new Event($this, EventMessage::factory()
- ->addDescription(__u('Los parámetros de LDAP no están configurados')))
- );
+ ->addDescription(__u('Los parámetros de LDAP no están configurados'))));
 throw new LdapException(__u('Los parámetros de LDAP no están configurados'));
 }
 }
+ /**
+ * Connect through TLS
+ *
+ * @throws LdapException
+ */
+ private function connectTls(): bool
+ {
+ if ($this->ldapParams->isTlsEnabled()) {
+ $result = @ldap_start_tls($this->ldapHandler);
+
+ if ($result === false) {
+ $this->eventDispatcher->notifyEvent('ldap.connect.tls',
+ new Event($this, EventMessage::factory()
+ ->addDescription(__u('No es posible conectar con el servidor de LDAP'))
+ ->addDetail(__u('Servidor'), $this->ldapParams->getServer())
+ ->addDetail(__u('TLS'), __u('ON'))
+ ->addDetail(__u('LDAP ERROR'), self::getLdapErrorMessage($this->ldapHandler))));
+
+ throw new LdapException(__u('No es posible conectar con el servidor de LDAP'));
+ }
+
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Registrar error de LDAP y devolver el mensaje de error
+ *
+ * @param $ldapHandler
+ *
+ * @return string
+ */
+ public static function getLdapErrorMessage($ldapHandler)
+ {
+ return sprintf('%s (%d)', ldap_error($ldapHandler), ldap_errno($ldapHandler));
+ }
+
 /**
 * Realizar la autentificación con el servidor de LDAP.
 *
@@ -200,18 +244,6 @@ final class LdapConnection implements LdapConnectionInterface
 return true;
 }
- /**
- * Registrar error de LDAP y devolver el mensaje de error
- *
- * @param $ldapHandler
- *
- * @return string
- */
- public static function getLdapErrorMessage($ldapHandler)
- {
- return sprintf('%s (%d)', ldap_error($ldapHandler), ldap_errno($ldapHandler));
- }
- /** - * @return int */
diff --git a/lib/SP/Providers/Auth/Ldap/LdapParams.php b/lib/SP/Providers/Auth/Ldap/LdapParams.php
index 0a4c8b2c..770093cd 100644
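Review bot: `connectTls()` upgrades the session with `ldap_start_tls()` but never configures peer-certificate verification, so whether the server certificate is actually checked depends entirely on the host's libldap settings (`TLS_REQCERT` in ldap.conf or `LDAPTLS_REQCERT`); on a box where that is `never` or `allow`, the "TLS" option yields an encrypted but unauthenticated channel and the bind DN and password are sent to whoever answers on the socket. Since the flag is offered as a security feature, pin verification in code before the StartTLS call, `@ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);` — this is a global libldap option (hence `null` as the link), and the constants need a PHP version around 7.0.5/7.1, so check it against the project's minimum. The failure path throws rather than continuing in plaintext, so there is no silent downgrade, which is right. The docblock should say what the return value means: `@return bool true when StartTLS was negotiated, false when TLS is not enabled in the params`, and `connect()`, which calls this method, is outside the hunk.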
--- a/lib/SP/Providers/Auth/Ldap/LdapParams.php
+++ b/lib/SP/Providers/Auth/Ldap/LdapParams.php
@@ -61,6 +61,10 @@ final class LdapParams
 * @var bool
 */
 protected $ads;
+ /**
+ * @var bool
+ */
+ protected $tlsEnabled;
 /**
 * Devolver el puerto del servidor si está establecido
@@ -210,4 +214,24 @@ final class LdapParams
 return $this;
 }
+ /**
+ * @return bool
+ */
+ public function isTlsEnabled(): bool
+ {
+ return $this->tlsEnabled;
+ }
+
+ /**
+ * @param bool $tlsEnabled
+ *
+ * @return LdapParams
+ */
+ public function setTlsEnabled(bool $tlsEnabled)
+ {
+ $this->tlsEnabled = $tlsEnabled;
+
+ return $this;
+ }
+
 }
\ No newline at end of file
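Review bot: `protected $tlsEnabled;` is added without an initializer while `isTlsEnabled(): bool` returns it directly, so any `LdapParams` built without a `setTlsEnabled()` call makes the getter return `null` against a non-nullable `bool` return type, which is a TypeError even without `strict_types` — and `connectTls()` in this same diff calls the getter unconditionally on every connect. The controller path in this diff does set it, but other places that construct `LdapParams` (an import or "test connection" path, if any) are outside the diff, so give the property a safe default: `protected $tlsEnabled = false;`. While there, `setTlsEnabled()` could declare the return type its `@return LdapParams` tag promises, `public function setTlsEnabled(bool $tlsEnabled): LdapParams`.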