adldap / adLDAP

adLDAP is a PHP class that provides LDAP authentication and integration with Active Directory.
GNU Lesser General Public License v2.1

TLS not used in 4.0.4 #130

Closed box293 closed 7 years ago

box293 commented 7 years ago

Looking at the v5 code I think this has already been addressed (code is different so I can't be certain) but I did not see it listed here as an issue so I thought it was worth reporting.

        // Connect to the AD/LDAP server as the username/password
        $domainController = $this->randomController();
        if ($this->useSSL) {
            $this->ldapConnection = ldap_connect("ldaps://" . $domainController, $this->adPort);
        } else {
            $this->ldapConnection = ldap_connect($domainController, $this->adPort);
        }

Basically there is no if statement for it to connect using TLS.

I noticed this when looking at logs. This is when I used TLS and an IP address:

ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x7f3a0faab8d0 msgid 2
wait4msg ld 0x7f3a0faab8d0 msgid 2 (infinite timeout)
wait4msg continue ld 0x7f3a0faab8d0 msgid 2 all 1
** ld 0x7f3a0faab8d0 Connections:
* host: 10.25.14.51  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Jun 21 14:18:07 2017

This is when I used SSL and an IP Address:

ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.25.14.51:636
ldap_new_socket: 20
ldap_prepare_socket: 20
ldap_connect_to_host: Trying 10.25.14.51:636
ldap_pvt_connect: fd: 20 tm: -1 async: 0
attempting to connect: 
connect success
TLS: certificate [CN=DC01.BOX293.local] is valid
TLS certificate verification: subject: CN=DC01.BOX293.local, issuer: CN=BOX293-DC02-CA,DC=BOX293,DC=local, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS: hostname (10.25.14.51) does not match common name in certificate (DC01.BOX293.local).
ldap_err2string

I wouldn't have been aware of it if I hadn't incorrectly tried connecting with an IP address and SSL. When I connect with a DNS entry and SSL it works correctly (as it should); however, when you use TLS it just connects on 389.

This small change made it work:

        // Connect to the AD/LDAP server as the username/password
        $domainController = $this->randomController();
        if ($this->useSSL) {
            $this->ldapConnection = ldap_connect("ldaps://" . $domainController, $this->adPort);
        } elseif ($this->useTLS) {
            $this->ldapConnection = ldap_connect("ldaps://" . $domainController, $this->adPort);
        } else {
            $this->ldapConnection = ldap_connect($domainController, $this->adPort);
        }

box293 commented 7 years ago

A colleague told me that the TLS connection is slightly different and moves to TLS after the initial connection attempt. Sorry for the incorrect bug report.
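To make the distinction in the last comment concrete, here is an added example (not adLDAP's own code) of the three connection modes in PHP: LDAPS on 636, STARTTLS upgrading a plain 389 connection before any bind, and cleartext. The function name adConnect, the port defaults and the hostnames are assumptions.

```php
<?php
// Added example, not code from adLDAP. "SSL" means LDAPS: the whole session
// is wrapped in TLS on port 636. "TLS" means STARTTLS: a normal connect on
// port 389 followed by ldap_start_tls() before any bind, so credentials never
// cross the wire in cleartext. If STARTTLS fails we refuse to bind rather
// than silently continuing in cleartext, which is the failure mode the issue
// shows (configuration said TLS, traffic went plain on 389).
// $host must be the DNS name that appears in the server certificate, not an
// IP address, otherwise hostname verification fails as in the log above.

function adConnect(string $host, bool $useSSL, bool $useTLS, int $port = 0)
{
    if ($useSSL) {
        $port = $port ?: 636;
        $conn = ldap_connect("ldaps://{$host}:{$port}");
    } else {
        $port = $port ?: 389;
        $conn = ldap_connect("ldap://{$host}:{$port}");
    }
    if ($conn === false) {
        // ldap_connect() only fails here on a malformed URI; the TCP
        // connection itself is opened lazily on the first operation.
        throw new RuntimeException("Malformed LDAP URI for {$host}");
    }

    // STARTTLS requires LDAPv3; disabling referral chasing is the usual
    // setting for Active Directory.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    if ($useTLS && !$useSSL) {
        // Upgrade the existing 389 connection. libldap verifies the server
        // certificate and hostname here (TLS_REQCERT demand by default).
        if (!@ldap_start_tls($conn)) {
            $err = ldap_error($conn);
            ldap_unbind($conn);
            throw new RuntimeException("STARTTLS failed, refusing cleartext bind: {$err}");
        }
    }
    return $conn;
}

// Usage (hostname and credentials are placeholders):
// $conn = adConnect('dc01.example.local', false, true);
// if (!ldap_bind($conn, 'user@example.local', $password)) {
//     throw new RuntimeException('Bind failed: ' . ldap_error($conn));
// }
```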