diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
index 71bb2d523..9e049aa79 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php
@@ -92,9 +92,9 @@ class LDAP extends Base implements IAuthConnector
     private $ldapScope = 'subtree';
 
     /**
-     * @var null|string certificate reference (in /var/run/certs/)
+     * @var null|string url type (standard, startTLS, SSL)
      */
-    private $ldapCAcert = null;
+    private $ldapURLType = null;
 
     /**
      * @var array list of already known usernames vs distinguished names
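Review bot: The new docblock spells the second value `startTLS` while the setter assigns the literal `"StartTLS"`, and the later TLS setup branches on the exact string with `!= "standard"`, so the documented values should match what is actually stored. Suggest `@var null|string url type, one of the literal strings "standard", "StartTLS" or "SSL"; compared verbatim before ldap_connect` so a maintainer does not introduce a differently-cased value that silently falls into the wrong branch.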
@@ -265,46 +265,20 @@ class LDAP extends Base implements IAuthConnector
 
         // Encryption types: Standard ( none ), StartTLS and SSL
         if (strstr($config['ldap_urltype'], "Standard")) {
             $this->ldapBindURL = "ldap://";
+            $this->ldapURLType = "standard";
         } elseif (strstr($config['ldap_urltype'], "StartTLS")) {
             $this->ldapBindURL = "ldap://";
             $this->useStartTLS = true;
+            $this->ldapURLType = "StartTLS";
         } else {
             $this->ldapBindURL = "ldaps://";
+            $this->ldapURLType = "SSL";
         }
         $this->ldapBindURL .= strpos($config['host'], "::") !== false ? "[{$config['host']}]" : $config['host'];
         if (!empty($config['ldap_port'])) {
             $this->ldapBindURL .= ":{$config['ldap_port']}";
         }
-
-        // setup environment
-        if (!empty($config['ldap_caref']) && stristr($config['ldap_urltype'], "standard") === false) {
-            $this->setupCaEnv($config['ldap_caref']);
-        }
-
-    /**
-     * setup certificate environment
-     * @param string $caref ca reference
-     */
-    public function setupCaEnv($caref)
-    {
-        $this->ldapCAcert = null;
-        if (isset(Config::getInstance()->object()->ca)) {
-            foreach (Config::getInstance()->object()->ca as $cert) {
-                if (isset($cert->refid) && (string)$caref == $cert->refid) {
-                    $this->ldapCAcert = (string)$cert->refid;
-                    @mkdir("/var/run/certs");
-                    @unlink("/var/run/certs/{$this->ldapCAcert}.ca");
-                    file_put_contents("/var/run/certs/{$this->ldapCAcert}.ca", base64_decode((string)$cert->crt));
-                    @chmod("/var/run/certs/{$this->ldapCAcert}.ca", 0644);
-                    break;
-                }
-            }
-        }
-        if (empty($this->ldapCAcert)) {
-            syslog(LOG_ERR, sprintf('LDAP: Could not lookup CA by reference for host %s.', $caref));
-        }
     }
 
     /**
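Review bot: Existing server entries that still carry `ldap_caref` are now silently ignored by this setter, so an administrator who pinned a specific CA gets no hint that the trust anchor for this connection has changed. A one-line notice next to the URL-type branch would make the migration visible, e.g. `if (!empty($config['ldap_caref'])) { syslog(LOG_NOTICE, 'LDAP: ldap_caref is no longer used for certificate verification.'); }`. The three type strings assigned here are also compared as bare literals elsewhere in the class; declaring them as class constants (`private const URLTYPE_STANDARD = 'standard';` and friends) would keep the spelling in one place. The enclosing method starts outside this hunk.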
@@ -335,10 +309,9 @@ class LDAP extends Base implements IAuthConnector
         $this->closeLDAPHandle();
 
         // Note: All TLS options must be set before ldap_connect is called
-        if (!empty($this->ldapCAcert)) {
+        if ($this->ldapURLType != "standard") {
             ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
-            ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, '/var/run/certs');
-            ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, "/var/run/certs/{$this->ldapCAcert}.ca");
+            ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/cert.pem");
         } else {
             ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
         }
diff --git a/src/www/system_authservers.php b/src/www/system_authservers.php
index ab11c97bb..6490004e3 100644
--- a/src/www/system_authservers.php
+++ b/src/www/system_authservers.php
@@ -73,7 +73,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         $pconfig['name'] = $a_server[$id]['name'];
 
         if (in_array($pconfig['type'], array("ldap", "ldap-totp"))) {
-            $pconfig['ldap_caref'] = $a_server[$id]['ldap_caref'];
             $pconfig['ldap_host'] = $a_server[$id]['host'];
             $pconfig['ldap_port'] = $a_server[$id]['ldap_port'];
             $pconfig['ldap_urltype'] = $a_server[$id]['ldap_urltype'];
@@ -221,9 +220,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         }
 
         if (in_array($server['type'], array("ldap", "ldap-totp"))) {
-            if (!empty($pconfig['ldap_caref'])) {
-                $server['ldap_caref'] = $pconfig['ldap_caref'];
-            }
             $server['host'] = $pconfig['ldap_host'];
             $server['ldap_port'] = $pconfig['ldap_port'];
             $server['ldap_urltype'] = $pconfig['ldap_urltype'];
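Review bot: Every StartTLS/SSL connection is now verified with `LDAP_OPT_X_TLS_HARD` against the single hard-coded bundle `/etc/ssl/cert.pem`, so a directory server whose certificate chains to a private CA (the case the removed per-server CA reference served) will fail to connect unless that CA is also present in the system bundle; the stricter default is the right direction, but the comment above the branch should state it, e.g. `// TLS peers are always verified against the system CA bundle; private CAs must be added there`. The path deserves a named constant (`private const CA_BUNDLE = '/etc/ssl/cert.pem';`) rather than an inline literal. A still-unset `$ldapURLType` (null) also satisfies `!= "standard"` and takes the strict branch, which is the safe default, but `!== 'standard'` would make that intent explicit instead of relying on loose comparison. Note that the options are set on a null link, which as far as I can tell makes them process-wide defaults, so the `else` branch's `LDAP_OPT_X_TLS_NEVER` lingers for whatever TLS connection this process opens next; the enclosing method starts and ends outside this hunk.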
@@ -315,7 +311,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 // list of all possible fields for auth item (used for form init)
 $all_authfields = array(
-    'type','name','ldap_caref','ldap_host','ldap_port','ldap_urltype','ldap_protver','ldap_scope',
+    'type','name','ldap_host','ldap_port','ldap_urltype','ldap_protver','ldap_scope',
     'ldap_basedn','ldap_authcn','ldap_extended_query','ldap_binddn','ldap_bindpw','ldap_attr_user', 'ldap_read_properties', 'ldap_sync_memberof', 'radius_host', 'radius_auth_port','radius_acct_port','radius_secret','radius_timeout','radius_srvcs'
@@ -436,9 +432,6 @@ $( document ).ready(function() {
             'proto': $("#ldap_protver").val(),
             'authcn': $("#ldapauthcontainers").val(),
         };
-        if ($("#ldap_caref").val() != undefined) {
-            request_data['cert'] = $("#ldap_caref").val();
-        }
         // if ($("#ldap_port").val() == '' || $("#ldap_host").val() == '' || $("#ldap_scope").val() == '' || $("#ldap_basedn").val() == '') {
         BootstrapDialog.show({
@@ -628,7 +621,7 @@ endif; ?> - + - - - - - - - -