Open jberanek opened 5 years ago
Unfortunately MRBS does not currently support LDAP with client cert/key authentication. Code contributions gratefully received.
Original comment by: jberanek
Thank you! If I used stunnel as an intermediate server, what would be the configuration? https://support.google.com/a/answer/9089736#stunnel
$ldap_host = "127.0.0.1";
$ldap_port = 1636;
$ldap_v3 = false;
$ldap_tls = false;
$ldap_base_dn = "dc=domain,dc=com";
$ldap_user_attrib = "uid";
$ldap_unbind_between_attempts = false;
$ldap_debug = true;
Original comment by: *anonymous
You'd need someone with knowledge of stunnel and knowledge of GSuite LDAP; unfortunately, I'm neither of those.
To use client cert/key in MRBS you'd need a few calls to ldap_set_option ( https://www.php.net/manual/en/function.ldap-set-option.php ) to set LDAP_OPT_X_TLS_CERTFILE and LDAP_OPT_X_TLS_KEYFILE, which requires PHP 7.1.0 or later. This would be in auth/auth_ldap.inc, in the function authLdapAction(), around line 224, just before:
if (isset($all_ldap_opts['ldap_tls'][$idx]) &&
I believe an alternative is to configure your system's ldap.conf for a client certificate (setting TLS_CERT and TLS_KEY), but I have no experience of this either.
Original comment by: jberanek
Plausible, but completely untested changes, as a diff (will also attach new copy of auth_ldap.inc):
diff -r 258656386e21 web/auth/auth_ldap.inc
--- a/web/auth/auth_ldap.inc Sun Jun 16 16:55:53 2019 +0100
+++ b/web/auth/auth_ldap.inc Sat Aug 17 21:30:54 2019 +0100
@@ -143,7 +143,9 @@
'ldap_disable_referrals',
'ldap_deref',
'ldap_filter_base_dn',
- 'ldap_filter_user_attr'
+ 'ldap_filter_user_attr',
+ 'ldap_client_cert',
+ 'ldap_client_key'
);
$all_ldap_opts = array();
@@ -221,6 +223,18 @@
{
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
}
+ if (isset($all_ldap_opts['ldap_client_cert'][$idx]) &&
+ $all_ldap_opts['ldap_client_cert'][$idx])
+ {
+ // Requires PHP 7.1.0 or later
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_CERTFILE, $all_ldap_opts['ldap_client_cert'][$idx]);
+ }
+ if (isset($all_ldap_opts['ldap_client_key'][$idx]) &&
+ $all_ldap_opts['ldap_client_key'][$idx])
+ {
+ // Requires PHP 7.1.0 or later
+ ldap_set_option($ldap, LDAP_OPT_X_TLS_KEYFILE, $all_ldap_opts['ldap_client_key'][$idx]);
+ }
if (isset($all_ldap_opts['ldap_tls'][$idx]) &&
$all_ldap_opts['ldap_tls'][$idx])
{
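Review bot: the two ldap_set_option() calls ignore their boolean return value, so a failure (PHP or libldap build without the option, unreadable file) is silent and execution falls through to the ldap_tls block and negotiates TLS without a client certificate; the administrator then sees a bind failure from the server rather than a configuration error. Suggest checking the return, e.g. `if (!ldap_set_option($ldap, LDAP_OPT_X_TLS_CERTFILE, $all_ldap_opts['ldap_client_cert'][$idx])) { trigger_error(..., E_USER_WARNING); }`, and reporting it through the existing $ldap_debug logging. Placing the calls before the ldap_tls block is the right order, since the options must be on the handle before TLS is started. Since a certificate is useless without its key and vice versa, it is also worth warning when only one of ldap_client_cert / ldap_client_key is set for a given $idx.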
diff -r 258656386e21 web/systemdefaults.inc.php
--- a/web/systemdefaults.inc.php Sun Jun 16 16:55:53 2019 +0100
+++ b/web/systemdefaults.inc.php Sat Aug 17 21:30:54 2019 +0100
@@ -792,6 +792,11 @@
// This can be an array.
$ldap_tls = false;
+// Support configuring a TLS client certificate/key from within MRBS.
+// Requires PHP 7.1.0 or later
+//$ldap_client_cert = 'path-to-cert.crt';
+//$ldap_client_key = 'path-to-key.key';
+
// LDAP base distinguish name.
// This can be an array.
//$ldap_base_dn = "ou=organizationalunit,dc=example,dc=com";
Original comment by: jberanek
Attachments: https://sourceforge.net/p/mrbs/support-requests/_discuss/thread/8cf565f091/9a51/attachment/auth_ldap.inc
Just reading Google's docs ... are you sure they actually support using their Secure LDAP service as an authentication method and not just as a directory server?
Original comment by: jberanek
I know other Google users have used one of the POP3 or IMAP auth mechanisms to authenticate against Google services...
[Edit: I think this whole comment is an invalid distraction, a red herring]
Original comment by: jberanek
Hmm, my IMAP/POP3 suggestion is less good, as MRBS's IMAP auth plugin doesn't support IMAPS or IMAP+TLS and nor does the POP3 one support SSL/TLS :(
Original comment by: jberanek
For a more complex, but more modern setup you could use MRBS's support for SimpleSAML and hook that up to GSuite. Unfortunately this method was contributed by a user, and I have no experience of configuring it.
https://simplesamlphp.org/docs/stable/simplesamlphp-googleapps
Original comment by: jberanek
Ah, maybe my IMAP suggestion wasn't completely off base, as long as you use the 'imap_php' auth method:
$auth["type"] = "imap_php";
// 'auth_imap_php' configuration settings
$auth["imap_php"]["hostname"] = "imap.gmail.com";
// Specifies the port number to connect to
$auth["imap_php"]["port"] = 993;
// Use SSL
$auth["imap_php"]["ssl"] = true;
Original comment by: jberanek
https://support.google.com/a/answer/9048516?hl=en The Secure LDAP service provides a simple and secure way to connect your LDAP-based applications and services to Cloud Identity or G Suite.
Using Secure LDAP, you can use Cloud Directory as a cloud-based LDAP server for authentication, authorization, and directory lookups. The LDAP-based apps (for example, Atlassian Jira) and IT infrastructure (for example, VPN servers) that you connect to the Secure LDAP service can be on-premise or in infrastructure-as-a-service platforms such as Google Compute Engine, AWS, or Azure.
For example Synology offers a guide for using G Suite users on NAS: https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Management/How_to_join_your_Synology_NAS_to_Google_Secure_LDAP
Original comment by: *anonymous
Yeah, so I have it set up to see if I can (if this is possible) use LDAP. It will be a private room calendar for certain user groups; not everyone has to see it. With LDAP I can do that with groups, but not with the imap_php method. Can a list of users@domain.com be implemented in any way that rejects the login if the user is not allowed?
$auth["type"] = "imap_php";
$auth["imap_php"]["hostname"] = "imap.gmail.com";
$auth["imap_php"]["port"] = 993;
$auth["imap_php"]["ssl"] = true;
$auth["imap_php"]["tls"] = false;
$auth["imap_php"]["novalidate-cert"] = true;
$auth['imap_php']['user_domain'] = 'domain.com';
Original comment by: *anonymous
Thank you very much for helping out!! But...
$ldap_host = "ldap.google.com";
$ldap_v3 = true;
$ldap_tls = true;
$ldap_base_dn = "dc=domain,dc=com";
$ldap_user_attrib = "uid";
$ldap_debug = true;
$ldap_client_cert = 'Google_2022_08_14_xxxxx.crt';
$ldap_client_key = 'Google_2022_08_14_xxxxx.key';
[Mon Aug 19 16:36:42.055780 2019] [proxy_fcgi:error] [pid 4780] [client 2.xxx.112.xxx:3353] AH01071: Got error 'PHP message: authLdapAction: Got LDAP connection\nPHP message: authLdapAction: Constructed dn 'uid=xxx@domain.com,dc=domain,dc=com' and user_search 'uid=xxx@domain.com' using 'uid'\nPHP message: authValidateUserCallback: base_dn 'dc=domain,dc=com' dn 'uid=xxx@domain.com,dc=domain,dc=com' user 'xxx@domain.com'\nPHP message: \nE_USER_WARNING in /var/www/vhosts/domain.com/mrbs.domain.com/auth/auth_ldap.inc at line 783\nNo such object\nMRBS GET: Array\n(\n)\nMRBS POST: Array\n(\n [csrf_token] => e48aa4d3dbaf179d54c89ee6d1c5a55cd01d58bba3a77c426aa4ac78afef113e\n [returl] => \n [target_url] => week.php?year=2019&month=08&day=19&area=1&room=5\n [action] => SetName\n [username] => xxx@domain.com\n [password] => xxx\n)\nMRBS SESSION: Array\n(\n [csrf_token] => e48aa4d3dbaf179d54cdas89ee6d8bba3a77c45a4arwerfd3e\n)\n\nPHP message: authValidateUserCallback: Bind to 'uid=xxx@domain.com,dc=domain,dc=com' failed: No such object\n', referer: https://mrbs.domain.com/week.php?year=2019&month=08&day=19&area=1&room=5
Original comment by: *anonymous
Could that work? It should be possible to implement in some native way, and it would be a very good feature for all GSuite users, both educational centers and companies.
Original comment by: *anonymous
Unless you give me some access to your GSuite domain I will find it difficult to perfect the configuration. I do have a GSuite domain, but it's a "legacy free" domain which I don't believe supports the LDAP service...
Original comment by: jberanek
It could work, as MRBS has a simpleSAML-based auth/session scheme, which could work with GSuite. But, as I said, this method was not implemented by the core developers, but by a user contributor - so we don't have any experience of configuring it.
Original comment by: jberanek
Rather than using $ldap_user_attrib you could try setting:
$ldap_search_attrib = 'uid';
This makes MRBS search the directory for the user, then attempt to authenticate with that user's details.
Original comment by: jberanek
Or, in fact, if you want users to enter their email address rather than their username:
$ldap_search_attrib = 'mail';
Original comment by: jberanek
Oh, one note about your configuration:
$ldap_client_key = 'Google_2022_08_14_xxxxx.key';
If that file is within your MRBS installation you should make sure you've blocked access to download the file from the web server.
Original comment by: jberanek
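As an added example (not MRBS code and not part of jberanek's patch), a hypothetical PHP helper that applies a client certificate and key to an LDAP handle with the checks a reviewer would want before the ldap_set_option() calls: PHP 7.1.0 support, readability, whether the files sit under the web root, key permissions and the return values. It assumes the $ldap_debug setting used in this thread and must be called before TLS is started.

```php
<?php
// Added example, not MRBS code. Hypothetical helper: apply a TLS client
// certificate/key to an LDAP handle with the checks discussed in this thread.
// Call it before ldap_start_tls(); $ldap_debug mirrors the MRBS setting name.
function example_apply_ldap_client_cert($ldap, string $cert, string $key, bool $ldap_debug = false): bool
{
    // LDAP_OPT_X_TLS_CERTFILE / LDAP_OPT_X_TLS_KEYFILE exist from PHP 7.1.0
    if (!defined('LDAP_OPT_X_TLS_CERTFILE') || !defined('LDAP_OPT_X_TLS_KEYFILE')) {
        trigger_error('LDAP client cert/key needs PHP 7.1.0 or later', E_USER_WARNING);
        return false;
    }
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    foreach (['cert' => $cert, 'key' => $key] as $kind => $path) {
        $real = realpath($path);  // a relative path resolves against the process CWD
        if ($real === false || !is_readable($real)) {
            trigger_error("LDAP client $kind file not readable: $path", E_USER_WARNING);
            return false;
        }
        // Anything under the document root may be downloadable unless the web
        // server explicitly denies it; a served private key is a credential leak.
        if ($docroot !== false && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
            trigger_error("LDAP client $kind file is inside the web root: $real", E_USER_WARNING);
        }
    }
    // The private key should be readable only by the PHP process owner.
    if ((fileperms($key) & 0077) !== 0) {
        trigger_error("LDAP client key $key is group/world readable", E_USER_WARNING);
    }
    // Both options must be on the handle before TLS is negotiated; check the
    // boolean result instead of silently continuing without a client certificate.
    if (!ldap_set_option($ldap, LDAP_OPT_X_TLS_CERTFILE, realpath($cert)) ||
        !ldap_set_option($ldap, LDAP_OPT_X_TLS_KEYFILE, realpath($key))) {
        trigger_error('ldap_set_option() for client cert/key failed: ' . ldap_error($ldap), E_USER_WARNING);
        return false;
    }
    if ($ldap_debug) {
        error_log("LDAP client certificate configured from $cert / $key");
    }
    return true;
}
```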
Goodnight everyone. I am new to configuring MRBS with LDAP authentication. The LDAP server is the one that Google offers (G Suite).
https://support.google.com/a/answer/9089736 https://support.google.com/a/topic/9048334 https://support.google.com/a/topic/9173976?hl=en&ref_topic=9048334
How would the configuration be for the Google LDAP? This needs to be used with a certificate (CRT) and a private key (KEY). I have not found anything related to the use of certificates for the LDAP to work. In addition, Google LDAP provides a username and password if needed.
Thank you.
Reported by: *anonymous
Original Ticket: mrbs/support-requests/1821