Change to allow override of CA CERT for LDAP over TLS #4913
Conversation
Using the env LDAP_TLS_CACERTFILE to set a file to use to override the CA CERT used to verify LDAPS connections. This is to make this process easier for docker use.
|
Thanks for offering this @mmoore2012!
Doc Updates (reference for release process)
|
|
Thank you for reviewing this. I can confirm I have tested these changes against a live LDAP system (Windows 2019 Active Directory Domain) . I will try and have a look at sorting a test out, but I have not had much experience with this. |
|
I am struggling with the test. PHP has a function to set the LDAP option value: I will probably need your assistance with this as I am unsure how to verify this has actually been set within PHP. |
|
@mmoore2012 No worries, thanks for attempting and for updating the .env.example.complete, I'll look to add tests when I come to review & merge this. |
Review of #4913 Added testing to cover option. Updated option so it can be used for a CA directory, or a CA file. Updated option name to be somewhat abstracted from original underling PHP option. Tested against Jumpcloud. Testing took hours due to instability which was due to these settings sticking and being unstable on change until php process restart. Also due to little documentation for these options. X_TLS_CACERTDIR option needs cert files to be named via specific hashes which can be achieved via c_rehash utility. This also adds detail on STARTTLS failure, which took a long time to discover due to little detail out there for deeper PHP LDAP debugging.
Review of #4913 Added testing to cover option. Updated option so it can be used for a CA directory, or a CA file. Updated option name to be somewhat abstracted from original underling PHP option. Tested against Jumpcloud. Testing took hours due to instability which was due to these settings sticking and being unstable on change until php process restart. Also due to little documentation for these options. X_TLS_CACERTDIR option needs cert files to be named via specific hashes which can be achieved via c_rehash utility. This also adds detail on STARTTLS failure, which took a long time to discover due to little detail out there for deeper PHP LDAP debugging.
ssddanbrown
changed the title
|
Thanks again @mmoore2012, this has now been merged for next feature release. I also tweaked the title of this to prevent potential confusion for folks searching in the future, since I'm assuming you were using LDAP over TLS, rather than LDAPS. As far as I've been able to tell, ldaps is SSL only and I'm not sure such options would support such connections compared to LDAP over TLS via STARTTLS. |
I struggled to make LDAPS work with the docker app. I did get this to work by injecting the certificate into the alpine container, but this is not great as the changes will get removed on an update to the container.
The changes I propose allow using the env LDAP_TLS_CACERTFILE to set a file to use to override the CA CERT used to verify LDAPS connections. This is to make this process easier for docker use.