From 3acb8c4d90c26a98973f77eeb3fca466f0356cb4 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 11 Feb 2019 19:27:27 +0100
Subject: [PATCH] Auth/LDAP, move tls options https://github.com/opnsense/core/issues/3206

---
 src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
index 2d3f92a7a..ce0d70024 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@@ -318,15 +318,16 @@ class LDAP extends Base implements IAuthConnector
 );
 $this->closeLDAPHandle();
- $this->ldapHandle = @ldap_connect($bind_url);
+ // Note: All TLS options must be set before ldap_connect is called
 if (!empty($this->ldapCAcert)) {
- putenv('LDAPTLS_REQCERT=hard');
- ldap_set_option($this->ldapHandle, LDAP_OPT_X_TLS_CACERTDIR, '/var/run/certs');
- ldap_set_option($this->ldapHandle, LDAP_OPT_X_TLS_CACERTFILE, "/var/run/certs/{$this->ldapCAcert}.ca");
+ ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
+ ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, '/var/run/certs');
+ ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, "/var/run/certs/{$this->ldapCAcert}.ca");
 } else {
- putenv('LDAPTLS_REQCERT=never');
+ ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
 }
+ $this->ldapHandle = @ldap_connect($bind_url);
 if ($this->useStartTLS) {
 ldap_set_option($this->ldapHandle, LDAP_OPT_PROTOCOL_VERSION, 3);