[change-password] Make use of StartTLS configurable

This makes the use of all three kinds of connections possible (ldap://,
ldap:// + TLS, ldaps://). ldap_start_tls will fail with ldaps://.
This commit is contained in:
David Härdeman 2021-08-23 10:02:00 +02:00
parent ba2b903d67
commit aee1d7841b

View file

@ -8,6 +8,7 @@ class ChangePasswordDriverLDAP
private
$sLdapUri = 'ldap://localhost:389',
$bUseStartTLS = True,
$sUserDnFormat = '',
$sPasswordField = 'userPassword',
$sPasswordEncType = 'SHA';
@ -21,6 +22,7 @@ class ChangePasswordDriverLDAP
{
$this->oLogger = $oLogger;
$this->sLdapUri = \trim($oConfig->Get('plugin', 'ldap_uri', ''));
$this->bUseStartTLS = (bool) \trim($oConfig->Get('plugin', 'ldap_use_start_tls', ''));
$this->sUserDnFormat = \trim($oConfig->Get('plugin', 'ldap_user_dn_format', ''));
$this->sPasswordField = \trim($oConfig->Get('plugin', 'ldap_password_field', ''));
$this->sPasswordEncType = \trim($oConfig->Get('plugin', 'ldap_password_enc_type', ''));
@ -37,6 +39,9 @@ class ChangePasswordDriverLDAP
return array(
\RainLoop\Plugins\Property::NewInstance('ldap_uri')->SetLabel('LDAP URI')
->SetDefaultValue('ldap://localhost:389'),
\RainLoop\Plugins\Property::NewInstance('ldap_use_start_tls')->SetLabel('Use StartTLS')
->SetType(\RainLoop\Enumerations\PluginPropertyType::BOOL)
->SetDefaultValue(True),
\RainLoop\Plugins\Property::NewInstance('ldap_user_dn_format')->SetLabel('User DN format')
->SetDescription('LDAP user dn format. Supported tokens: {email}, {email:user}, {email:domain}, {login}, {domain}, {domain:dc}, {imap:login}, {imap:host}, {imap:port}, {gecos}')
->SetDefaultValue('uid={imap:login},ou=Users,{domain:dc}'),
@ -77,8 +82,10 @@ class ChangePasswordDriverLDAP
'LDAP'
);
}
else if (!\ldap_start_tls($oCon)) {
$this->oLogger->Write("ldap_start_tls failed: ".$oCon, \MailSo\Log\Enumerations\Type::WARNING, 'LDAP');
if ($this->bUseStartTLS && !@\ldap_start_tls($oCon))
{
throw new \Exception('ldap_start_tls error '.\ldap_errno($oCon).': '.\ldap_error($oCon));
}
if (!\ldap_bind($oCon, $sUserDn, $sPrevPassword)) {