From befa0c10ba9cf71c028e92f5bea061d45c7d8ab1 Mon Sep 17 00:00:00 2001
From: Demian Katz <demian.katz@villanova.edu>
Date: Mon, 24 Apr 2017 15:27:43 -0400
Subject: [PATCH] Add option to disable TLS on LDAP connections. - Disabling is
 NOT recommended, but may be necessary for some server configurations.

---
 config/vufind/config.ini               | 4 ++++
 module/VuFind/src/VuFind/Auth/LDAP.php | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/config/vufind/config.ini b/config/vufind/config.ini
index 53cd47677c1..e6fa1aac95f 100644
--- a/config/vufind/config.ini
+++ b/config/vufind/config.ini
@@ -460,6 +460,10 @@ database          = mysql://root@localhost/vufind
 ; LDAP with TLS.
 ;host            = ldap.myuniversity.edu
 ;port            = 389       ; LDAPS usually uses port 636 instead
+; By default, when you use regular LDAP (not LDAPS), VuFind uses TLS security.
+; You can set disable_tls to true to bypass TLS if your server does not support
+; it. Note that this setting is ignored if you use ldaps:// in the host setting.
+;disable_tls     = false
 ;basedn          = "o=myuniversity.edu"
 ;username        = uid
 ; separator string for mapping multi-valued ldap-fields to a user attribute
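Review bot: The new `disable_tls` comment says when an admin might set the flag but not what it gives up, which is the point the commit message itself calls "NOT recommended": with TLS off and a plain `ldap://` host, the bind and the user credentials presumably travel to the LDAP server unencrypted (the bind happens in code outside this patch). One added line, e.g. `; WARNING: with disable_tls = true, passwords are sent to the LDAP server in cleartext; use only on a trusted network.`, would put the trade-off where administrators actually read it. The option name is also commented out by default, so it may be worth stating explicitly that the default is false when the key is absent, which is what the PHP side implements.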
diff --git a/module/VuFind/src/VuFind/Auth/LDAP.php b/module/VuFind/src/VuFind/Auth/LDAP.php
index d40cbb6557f..b1fdf5644cd 100644
--- a/module/VuFind/src/VuFind/Auth/LDAP.php
+++ b/module/VuFind/src/VuFind/Auth/LDAP.php
@@ -158,9 +158,11 @@ class LDAP extends AbstractBase
         }
 
         // if the host parameter is not specified as ldaps://
-        // then we need to initiate TLS so we
+        // then (unless TLS is disabled) we need to initiate TLS so we
         // can have a secure connection over the standard LDAP port.
-        if (stripos($host, 'ldaps://') === false) {
+        $disableTls = isset($this->config->LDAP->disable_tls)
+            && $this->config->LDAP->disable_tls;
+        if (stripos($host, 'ldaps://') === false && !$disableTls) {
             $this->debug('Starting TLS');
             if (!@ldap_start_tls($connection)) {
                 $this->debug('TLS failed');
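Review bot: The `$disableTls` expression on the two added lines relies on PHP truthiness of whatever the ini loader hands back, so a quoted value such as `"false"`, `"no"` or `"0 "` would count as true and silently turn TLS off; unless the config layer already normalises booleans (not visible here), a stricter read such as `$disableTls = filter_var($this->config->LDAP->disable_tls ?? false, FILTER_VALIDATE_BOOLEAN);` avoids that failure mode. When the flag is set, the new condition skips the TLS block without leaving any trace, so the debug log no longer shows whether the connection was ever encrypted; an `else`/`elseif ($disableTls)` branch with `$this->debug('TLS disabled by configuration; connection is not encrypted');` would make that state visible to whoever reads the logs. The enclosing method starts before and ends after this hunk, so I cannot see whether the later bind has any other guard.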
-- 
GitLab