BellevueCollege / wordpress-cas-client

A CAS client plugin for Wordpress sites, forked from http://wordpress.org/support/plugin/wpcas-w-ldap
GNU General Public License v2.0

1 - Provide support for LDAPs connections #16

Closed jonathanwindle-zz closed 11 years ago

jonathanwindle-zz commented 11 years ago

The plugin currently does not support transport layer security when connecting to an LDAP server. LDAP settings should provide option to enable LDAP over SSL.

cmshawns commented 11 years ago

We're currently using PHP's ldap_connect() function, which according to the documentation does not support SSL connections by default:

To use LDAP with SSL, compile OpenLDAP 2.x.x with SSL support, configure PHP with SSL, and set [the hostname] parameter as ldaps://hostname/.

http://us1.php.net/manual/en/function.ldap-connect.php

@jonathanwindle, can you comment on the potential impacts (both in time-to-deliver and/or the production environment) taking these actions would have?

jonathanwindle-zz commented 11 years ago

@shawn-bellevuecollege I'm investigating this to see if the Ubuntu server packages are compiled this way or if there are options for packages that are compiled this way.

The following screenshots were taken from the phpinfo() output on our current development environment.

<?php
  phpinfo();
?>

[screenshots: phpinfo() curl section (shoes-phpinfo-curl) and ldap section (shoes-phpinfo-ldap)]

It would be useful to set up a standalone PHP script to test ldap vs ldaps connections on both the dev and production environment. This method may be faster than researching the Ubuntu packages.

Additionally, this information would be super helpful to include in the plugin documentation related to task #27 and #5.

cmshawns commented 11 years ago

I was able to confirm that we're not able to bind to the LDAP server using the ldaps protocol as specified. Unfortunately, the only error message I can manage to get is:

Can't contact LDAP server

on the ldap_bind() call.

I've shared the PHP script I've been using for troubleshooting this as gist:6679093.

cmshawns commented 11 years ago

@jonathanwindle Another possible option might be to use STARTTLS, which is

I'm unclear if STARTTLS provides a persistently-encrypted connection though, or does it just encrypt the initial authentication?

There's also not a lot of PHP documentation on it :-( http://us1.php.net/manual/en/function.ldap-start-tls.php

jonathanwindle-zz commented 11 years ago

@shawn-bellevuecollege good news. This looks to be a simple certificate validation error.

Adding "TLS_REQCERT never" to /etc/ldap/ldap.conf fixes the problem. http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl#tell_apache_how_to_use_ldaps

Obviously we don't want to run this way in production. Adding the internal CA certificate for the LDAP server should fix this the right way. I'm going to configure the server Ikea to trust the internal CA cert. I'll report back.

Finding a way to detect the certificate validation error could be valuable to provide feedback to the user in issue #20.

jonathanwindle-zz commented 11 years ago

Adding the internal CA certificate to Ubuntu's CA certificate store resulted in no change. I also attempted to use the TLS_CACERTDIR option in the ldap.conf file but this resulted in inconsistent successful connections.

Finally I ended up using the TLS_CACERT option in the ldap.conf file to point directly at the file for the CA certificate. This ended up resulting in consistent successful connections.

sudo mkdir /usr/share/ca-certificates/bellevuecollege.edu
sudo cp ~/bellevuecollege-CA.crt /usr/share/ca-certificates/bellevuecollege.edu
sudo dpkg-reconfigure ca-certificates
echo "TLS_CACERT /usr/share/ca-certificates/bellevuecollege.edu/bellevuecollege-CA.crt" | sudo tee -a /etc/ldap/ldap.conf

The following is the code I mainly tested with, although I did do some testing with the code provided in gist:6679093.

<?php
  $server = 'ldaps://example.server.com';
  //$port = 389;
  $port = 636;   // ignored by ldap_connect() when a URI is given; kept for reference
  $basedn = 'DC=SERVER,DC=COM';
  $user = '';
  $password = '';

  // ldap_connect() only validates the URI; the TCP/TLS connection (and the
  // certificate check) is deferred until the first operation, i.e. ldap_bind().
  $ldapconn = ldap_connect($server, $port);
  if ($ldapconn) {
    echo "Connection Successful<br />\n";
    // libldap defaults to LDAPv2, which most servers refuse
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    //$ldapbind = ldap_bind($ldapconn, $user, $password);
    $ldapbind = ldap_bind($ldapconn);   // anonymous bind
    if ($ldapbind) {
      echo 'LDAP Bind Successful';
    } else {
      // a failed certificate check also surfaces here as "Can't contact LDAP server"
      echo 'LDAP Bind Failed: ' . ldap_error($ldapconn);
    }
  } else {
    echo 'Connection Failed';
  }
?>

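The two approaches discussed in this thread (ldaps:// on 636 vs. ldap:// upgraded with STARTTLS, which protects the whole session, not just the bind) with the CA pinned in code rather than via TLS_REQCERT never, as an added example that is not the plugin's code or anyone's script from this issue. It assumes PHP >= 7.1 for the LDAP_OPT_X_TLS_* constants, and the host and CA path below are placeholders; a certificate failure still comes back from libldap as "Can't contact LDAP server", so the diagnostic message is read out to make it recognisable (relevant to issue #20).

```php
<?php
// Added example, not from the plugin. Hypothetical host and CA path:
const LDAP_HOST = 'ldap.example.edu';
const CA_FILE   = '/usr/share/ca-certificates/example.edu/example-CA.crt';

// Build "<ldap_error> (errno N): <libldap diagnostic>" for the last failure.
function ldapTlsDiagnostic($conn): string {
    $detail = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    }
    $out = sprintf('%s (errno %d)', ldap_error($conn), ldap_errno($conn));
    return $detail ? $out . ': ' . $detail : $out;
}

// Returns a connection on success, or an error string on failure.
function connectAndBind(bool $startTls, string $caFile, string $dn = '', string $pw = '') {
    $uri  = ($startTls ? 'ldap://' : 'ldaps://') . LDAP_HOST;
    $conn = ldap_connect($uri);          // lazy: no socket is opened here
    if ($conn === false) { return 'Bad LDAP URI: ' . $uri; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Per-handle equivalent of TLS_CACERT in ldap.conf; DEMAND is the same as
    // "TLS_REQCERT demand", so an untrusted server certificate always fails.
    ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    if ($startTls && !@ldap_start_tls($conn)) {   // upgrade ldap:// before any bind
        return 'STARTTLS failed: ' . ldapTlsDiagnostic($conn);
    }
    // For ldaps:// the TLS handshake, including the certificate check, happens here.
    $ok = ($dn === '') ? @ldap_bind($conn) : @ldap_bind($conn, $dn, $pw);
    if (!$ok) { return 'Bind failed: ' . ldapTlsDiagnostic($conn); }
    return $conn;
}

foreach ([false, true] as $startTls) {           // try LDAPS, then STARTTLS
    $r = connectAndBind($startTls, CA_FILE);
    $label = $startTls ? 'STARTTLS' : 'LDAPS';
    if (is_string($r)) { echo "$label: $r\n"; continue; }
    echo "$label: TLS-protected bind OK\n";
    ldap_unbind($r);
}
```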
cmshawns commented 11 years ago

It appears that the changes in commit 64373b3 have broken the code I was going to submit for this issue. It is my intention to migrate the ldap-related changes into a new ldapManager class.