Add option to disable TLS on LDAP connections.

- Disabling is NOT recommended, but may be necessary for some server configurations.

Add option to disable TLS on LDAP connections.
- Disabling is NOT recommended, but may be necessary for some server configurations.
befa0c10 · Demian Katz · 86391b6f · befa0c10 · befa0c10
Commit befa0c10 authored 7 years ago by Demian Katz
--- a/config/vufind/config.ini
+++ b/config/vufind/config.ini
@@ -460,6 +460,10 @@ database          = mysql://root@localhost/vufind
 ; LDAP with TLS.
 ;host            = ldap.myuniversity.edu
 ;port            = 389       ; LDAPS usually uses port 636 instead
+; By default, when you use regular LDAP (not LDAPS), VuFind uses TLS security.
+; You can set disable_tls to true to bypass TLS if your server does not support
+; it. Note that this setting is ignored if you use ldaps:// in the host setting.
+;disable_tls     = false
 ;basedn          = "o=myuniversity.edu"
 ;username        = uid
 ; separator string for mapping multi-valued ldap-fields to a user attribute

--- a/module/VuFind/src/VuFind/Auth/LDAP.php
+++ b/module/VuFind/src/VuFind/Auth/LDAP.php
@@ -158,9 +158,11 @@ class LDAP extends AbstractBase
        }

        // if the host parameter is not specified as ldaps://
-        // then we need to initiate TLS so we
+        // then (unless TLS is disabled) we need to initiate TLS so we
        // can have a secure connection over the standard LDAP port.
-        if (stripos($host, 'ldaps://') === false) {
+        $disableTls = isset($this->config->LDAP->disable_tls)
+            && $this->config->LDAP->disable_tls;
+        if (stripos($host, 'ldaps://') === false && !$disableTls) {
            $this->debug('Starting TLS');
            if (!@ldap_start_tls($connection)) {
                $this->debug('TLS failed');