diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 9869fab75..d6279c118 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -685,32 +685,6 @@ function local_group_del($group)
 mwexecf('/usr/sbin/pw groupdel %s', $group['name']);
 }
-function ldap_setup_caenv($authcfg)
-{
- unset($caref);
-
- if (empty($authcfg['ldap_caref']) || !strstr($authcfg['ldap_urltype'], "SSL")) {
- putenv('LDAPTLS_REQCERT=never');
- return;
- }
-
- $caref = lookup_ca($authcfg['ldap_caref']);
- if (!$caref) {
- log_error(sprintf('LDAP: Could not lookup CA by reference for host %s.', $authcfg['ldap_caref']));
- /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
- putenv('LDAPTLS_REQCERT=hard');
- return;
- }
-
- @mkdir("/var/run/certs");
- @unlink("/var/run/certs/{$caref['refid']}.ca");
- file_put_contents("/var/run/certs/{$caref['refid']}.ca", base64_decode($caref['crt']));
- @chmod("/var/run/certs/{$caref['refid']}.ca", 0600);
- putenv('LDAPTLS_REQCERT=hard');
- /* XXX: Probably even the hashed link should be created for this? */
- putenv("LDAPTLS_CACERTDIR=/var/run/certs");
- putenv("LDAPTLS_CACERT=/var/run/certs/{$caref['refid']}.ca");
-}
 /**
 * @param $name string name of the authentication system configured on the authentication server page or 'Local Database' for local authentication
@@ -789,9 +763,6 @@ function get_authenticator($authcfg = NULL)
 if ($authcfg['type'] == 'local') {
 // avoid gettext type issues on Local Database, authenticator should always be named "Local Database"
 $authName = 'Local Database';
- } elseif ($authcfg['type'] == 'ldap' || $authcfg['type'] == 'ldap-totp') {
- // temporary fix, ldap handler doesn't do this init yet.
- ldap_setup_caenv($authcfg);
 }
 }
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
index 3e54ec134..3624d8893 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@@ -28,6 +28,8 @@ namespace OPNsense\Auth;
+use OPNsense\Core\Config;
+
 /**
 * Class LDAP connector
 * @package OPNsense\Auth
@@ -240,6 +242,41 @@ class LDAP extends Base implements IAuthConnector
 if (!empty($config['ldap_port'])) {
 $this->ldapBindURL .= ":{$config['ldap_port']}";
 }
+
+ // setup environment
+ if (!empty($config['ldap_caref']) && stristr($config['ldap_urltype'], "standard") === false) {
+ $this->setUpCaEnv($config['ldap_caref']);
+ } else {
+ putenv('LDAPTLS_REQCERT=never');
+ }
+ }
+
+ /**
+ * setup certificate environment
+ * @param string $caref ca reference
+ */
+ public function setUpCaEnv($caref)
+ {
+ $ca = null;
+ if (isset(Config::getInstance()->object()->ca)) {
+ foreach (Config::getInstance()->object()->ca as $cert) {
+ if (isset($cert->refid) && (string)$caref == $cert->refid) {
+ $ca = $cert;
+ break;
+ }
+ }
+ }
+ putenv('LDAPTLS_REQCERT=hard');
+ if (!empty($ca)) {
+ @mkdir("/var/run/certs");
+ @unlink("/var/run/certs/{$ca->refid}.ca");
+ file_put_contents("/var/run/certs/{$ca->refid}.ca", base64_decode((string)$ca->crt));
+ @chmod("/var/run/certs/{$ca->refid}.ca", 0600);
+ putenv("LDAPTLS_CACERTDIR=/var/run/certs");
+ putenv("LDAPTLS_CACERT=/var/run/certs/{$ca->refid}.ca");
+ } else {
+ syslog(LOG_ERR, sprintf('LDAP: Could not lookup CA by reference for host %s.', $caref));
+ }
 }
 /**
diff --git a/src/www/diag_authentication.php b/src/www/diag_authentication.php
index 856f633e4..a4721cf59 100644
--- a/src/www/diag_authentication.php
+++ b/src/www/diag_authentication.php
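Review bot: In setUpCaEnv the lookup `(string)$caref == $cert->refid` is a loose comparison, and `$caref` arrives straight from request input on the system_usermanager_settings_ldapacpicker.php path, so two numeric-looking reference ids can compare equal under PHP's numeric-string rules; compare both sides as strings, `if (isset($cert->refid) && (string)$caref === (string)$cert->refid) {`. The `file_put_contents` result is not checked: if `/var/run/certs` could not be created (the mkdir is `@`-suppressed) the environment still points at a missing file with `LDAPTLS_REQCERT=hard`, which fails closed but leaves nothing in the log, so test for `=== false` and emit the same `syslog(LOG_ERR, ...)` as the unmatched-reference branch. The `else` branch in setProperties sets `LDAPTLS_REQCERT=never` for every server without a CA reference, i.e. the peer certificate is not verified on SSL/StartTLS binds; this is carried over from the removed ldap_setup_caenv, but since this method is now the single place deciding it, a comment such as `// no CA reference configured: peer certificate is not verified` would make the trade-off visible. The message `Could not lookup CA by reference for host %s.` prints a CA reference id, not a host, so `for reference %s` would be accurate. setProperties starts outside the hunk; setUpCaEnv is entirely inside it.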
@@ -50,9 +50,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 if ($authcfg['type'] == 'local') {
 // avoid gettext type issues on Local Database, authenticator should always be named "Local Database"
 $authName = 'Local Database';
- } elseif ($authcfg['type'] == 'ldap' || $authcfg['type'] == 'ldap-totp') {
- // temporary fix, ldap handler doesn't do this init yet.
- ldap_setup_caenv($authcfg);
 }
 $authFactory = new OPNsense\Auth\AuthenticationFactory;
diff --git a/src/www/system_usermanager_import_ldap.php b/src/www/system_usermanager_import_ldap.php
index 4d05fc5ce..c2aa8b566 100644
--- a/src/www/system_usermanager_import_ldap.php
+++ b/src/www/system_usermanager_import_ldap.php
@@ -74,11 +74,12 @@ foreach ($servers as $server) {
 }
 if ($ldap_server !== null) {
- // setup peer ca
- ldap_setup_caenv($ldap_server);
- // connect to ldap server
 $ldap_auth = new OPNsense\Auth\LDAP($ldap_server['ldap_basedn'], $ldap_server['ldap_protver']);
+ if (!empty($ldap_server['ldap_caref']) && stristr($ldap_server['ldap_urltype'], "standard") === false) {
+ // setup peer ca
+ $ldap_auth->setUpCaEnv($ldap_server['ldap_caref']);
+ }
 $ldap_is_connected = $ldap_auth->connect($ldap_server['ldap_full_url'], $ldap_server['ldap_binddn'], $ldap_server['ldap_bindpw']);
 if ($ldap_is_connected) {
diff --git a/src/www/system_usermanager_settings_ldapacpicker.php b/src/www/system_usermanager_settings_ldapacpicker.php
index a5eedb7a0..2cbde4d70 100644
--- a/src/www/system_usermanager_settings_ldapacpicker.php
+++ b/src/www/system_usermanager_settings_ldapacpicker.php
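Review bot: The condition `!empty($ldap_server['ldap_caref']) && stristr($ldap_server['ldap_urltype'], "standard") === false` repeats the one added to LDAP::setProperties word for word, and the system_usermanager_settings_ldapacpicker.php hunk calls setUpCaEnv under yet another rule (whenever `cert` is posted, regardless of urltype), so the decision of when to install a CA now lives in three places in two forms; a method on LDAP that takes the server entry, or the urltype test moved into setUpCaEnv, would let callers pass the config and nothing else. Unlike setProperties, this caller has no `else { putenv('LDAPTLS_REQCERT=never'); }`, so an SSL server without a CA reference is imported with whatever LDAPTLS_REQCERT the process already carries while setProperties sets `never` for the same entry; if the stricter import behaviour is intended, a comment such as `// no CA reference: LDAPTLS_REQCERT is left untouched here (setProperties() sets 'never')` would record that. The `if ($ldap_server !== null)` block continues past the hunk.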
@@ -33,13 +33,6 @@ require_once("auth.inc");
 $result = array();
 if (isset($_POST['basedn']) && isset($_POST['host'])) {
- if (isset($_POST['cert'])) {
- $authcfg = array();
- $authcfg['ldap_caref'] = $_POST['cert'];
- $authcfg['ldap_urltype'] = 'SSL';
- ldap_setup_caenv($authcfg);
- }
-
 $ldap_authcn = isset($_POST['authcn']) ? explode(";", $_POST['authcn']) : array();
 if (isset($_POST['urltype']) && strstr($_POST['urltype'], "Standard")) {
 $ldap_full_url = "ldap://";
@@ -52,6 +45,9 @@ if (isset($_POST['basedn']) && isset($_POST['host'])) {
 }
 $ldap_auth = new OPNsense\Auth\LDAP($_POST['basedn'], isset($_POST['proto']) ? $_POST['proto'] : 3);
+ if (isset($_POST['cert'])) {
+ $ldap_auth->setUpCaEnv($_POST['cert']);
+ }
 $ldap_is_connected = $ldap_auth->connect($ldap_full_url
 , !empty($_POST['binddn']) ? $_POST['binddn'] : null
 , !empty($_POST['bindpw']) ? $_POST['bindpw'] : null
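Review bot: `$_POST['cert']` is handed to setUpCaEnv without a type check; the method casts it with `(string)` for the refid comparison and, when nothing matches, writes it into a syslog line, so an array or arbitrary request value ends up in the log (with PHP's array-to-string conversion notice in the array case). A guard such as `if (isset($_POST['cert']) && is_string($_POST['cert'])) {` keeps the call to a scalar reference id. The enclosing `if (isset($_POST['basedn']) && isset($_POST['host']))` block continues past the hunk.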