View Issue Details

ID: 0015361
Project: mantisbt
Category: ldap
View Status: public
Last Update: 2019-05-14 14:41
Reporter: illmnec
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Product Version: 1.2.12
Summary: 0015361: Add STARTTLS Support to LDAP
Description

It would be great if Mantis supported STARTTLS as this is the officially supported method for encrypted LDAP connections (LDAPS is being deprecated).

This can be done very simply by adding
ldap_start_tls($t_ds);
somewhere after the connection has been made (line 530 in core/ldap_api.php of version 1.2.12). This will silently enable the TLS connection, if the LDAP server accepts such a connection.

Obviously, the proper method would require adding a new variable to the configuration ($g_ldap_starttls) and then checking if the connection is really encrypted before continuing.

Tags: patch

Activities

illmnec (reporter), 2014-09-18 14:41
File added: mantis_patch_ldap_starttls.patch (2,079 bytes)

diff -rupN mantisbt-1.2.17/config_defaults_inc.php mantisbt-1.2.17-ldap-starttls/config_defaults_inc.php
--- mantisbt-1.2.17/config_defaults_inc.php	2014-03-03 14:19:50.000000000 -0500
+++ mantisbt-1.2.17-ldap-starttls/config_defaults_inc.php	2014-09-18 14:37:37.000000000 -0400
@@ -1765,6 +1765,13 @@
 	$g_ldap_bind_passwd		= '';
 
 	/**
+	 * Should the connection use STARTTLS (use ldap:// url for server address)
+	 *
+	 * @global string $g_ldap_starttls
+	 */
+	$g_ldap_starttls		= FALSE;
+
+	/**
 	 * Should we send to the LDAP email address or what MySql tells us
 	 * @global int $g_use_ldap_email
 	 */
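Review bot: the docblock declares `@global string $g_ldap_starttls` while the default is `FALSE` and ldap_api.php tests the value as a boolean; change it to `@global bool $g_ldap_starttls`. The comment should also state that the setting is only valid with an ldap:// server URI and must not be combined with ldaps://, since STARTTLS upgrades a plaintext session and cannot be layered on one that is already TLS, and the new option needs a matching entry in the Admin Guide, as raised later in this thread.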
diff -rupN mantisbt-1.2.17/core/constant_inc.php mantisbt-1.2.17-ldap-starttls/core/constant_inc.php
--- mantisbt-1.2.17/core/constant_inc.php	2014-03-03 14:19:50.000000000 -0500
+++ mantisbt-1.2.17-ldap-starttls/core/constant_inc.php	2014-09-18 14:37:37.000000000 -0400
@@ -312,6 +312,7 @@ define( 'ERROR_LDAP_SERVER_CONNECT_FAILE
 define( 'ERROR_LDAP_UPDATE_FAILED', 1402 );
 define( 'ERROR_LDAP_USER_NOT_FOUND', 1403 );
 define( 'ERROR_LDAP_EXTENSION_NOT_LOADED', 1404 );
+define( 'ERROR_LDAP_UNABLE_TO_STARTTLS', 1405 );
 
 # ERROR_CATEGORY_*
 define( 'ERROR_CATEGORY_DUPLICATE', 1500 );
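Review bot: ERROR_LDAP_UNABLE_TO_STARTTLS is defined here but no message text is added for it, so the trigger_error() call in ldap_api.php would surface a bare error code; add the corresponding line in lang/strings_english.txt next to the other ERROR_LDAP_* messages (copying one of the existing entries), as the thread below also points out.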
diff -rupN mantisbt-1.2.17/core/ldap_api.php mantisbt-1.2.17-ldap-starttls/core/ldap_api.php
--- mantisbt-1.2.17/core/ldap_api.php	2014-03-03 14:19:50.000000000 -0500
+++ mantisbt-1.2.17-ldap-starttls/core/ldap_api.php	2014-09-18 14:37:37.000000000 -0400
@@ -50,6 +50,13 @@ function ldap_connect_bind( $p_binddn = 
     log_event( LOG_LDAP, "Attempting connection to LDAP URI '{$t_ldap_server}'." );
     $t_ds = @ldap_connect( $t_ldap_server );
     
+	$t_ldap_starttls = config_get( 'ldap_starttls');
+	if ($t_ldap_starttls) {
+		if (! @ldap_start_tls($t_ds)){
+			log_event( LOG_LDAP, "Error: Cannot initiate STARTTLS on LDAP Server" );
+			trigger_error( ERROR_LDAP_UNABLE_TO_STARTTLS, ERROR );
+		}
+	}
 	if ( $t_ds !== false && $t_ds > 0 ) {
 		log_event( LOG_LDAP, "Connection accepted by LDAP server" );
 		$t_protocol_version = config_get( 'ldap_protocol_version' );
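Review bot: the STARTTLS block is placed before the `if ( $t_ds !== false && $t_ds > 0 )` check and before `ldap_protocol_version` is applied, so on a malformed URI it calls ldap_start_tls() on `false`, and on a valid one it issues the StartTLS extended operation while the handle is still at libldap's default LDAPv2, where StartTLS (an LDAPv3 operation) is rejected. Move the block inside the `if` branch, after the protocol version option has been set. Two smaller points in the same lines: the `@` on ldap_start_tls() discards the server's reason, so log ldap_error( $t_ds ) before calling trigger_error(); and if ERROR_LDAP_UNABLE_TO_STARTTLS is ever handled non-fatally the function should return without binding, so a failed upgrade can never fall through to a cleartext bind.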
illmnec (reporter), 2014-09-18 14:43, note ~0041247

Added a patch that adds the functionality to mantisbt 1.2.17.
Three files are modified:
core/ldap_api.php (connection handling)
core/constant_inc.php (new ERROR definition)
config_defaults_inc.php (new g_ldap_starttls config variable requires default value)
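The description and the note above both describe the same procedure: connect with a plain ldap:// URI, upgrade the session with STARTTLS when a $g_ldap_starttls setting is on, and verify the upgrade before binding. The following is an added example written for this page, not MantisBT code and not the attached patch; the function name example_ldap_connect_bind, the exception-based error handling and the example host are assumptions, while the ldap_* calls are the stock PHP LDAP extension API.

```php
<?php
// Added example, not MantisBT code: a fail-closed STARTTLS connect-and-bind helper.
// Function name, exception handling and the example host are assumptions for
// illustration; ldap_connect/ldap_set_option/ldap_start_tls/ldap_bind are PHP's
// standard LDAP extension functions.

/**
 * Connect to an LDAP server, optionally upgrade to TLS with STARTTLS, then bind.
 *
 * @param string $uri       e.g. 'ldap://ldap.example.com:389' (hypothetical host)
 * @param bool   $starttls  mirrors the proposed $g_ldap_starttls setting
 * @param string $bind_dn   DN to bind as ('' for an anonymous bind)
 * @param string $bind_pw   password for $bind_dn
 * @return resource|\LDAP\Connection bound connection handle
 * @throws RuntimeException on any failure; with $starttls true the handle is
 *                          never used for a bind unless the upgrade succeeded
 */
function example_ldap_connect_bind( $uri, $starttls, $bind_dn = '', $bind_pw = '' ) {
	// STARTTLS upgrades a plaintext ldap:// session; it cannot be layered on ldaps://.
	if ( $starttls && stripos( $uri, 'ldaps://' ) === 0 ) {
		throw new RuntimeException( "STARTTLS requires an ldap:// URI, got '$uri'" );
	}

	$ds = @ldap_connect( $uri );
	if ( $ds === false ) {
		throw new RuntimeException( "Malformed LDAP URI '$uri'" );
	}

	// StartTLS is an LDAPv3 extended operation, so the protocol version must be
	// set before ldap_start_tls(), not after it.
	ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
	ldap_set_option( $ds, LDAP_OPT_REFERRALS, 0 );

	if ( $starttls ) {
		// Demand a verifiable server certificate so an on-path attacker cannot
		// impersonate the server (constant exists since PHP 7.0.5; older builds
		// rely on TLS_REQCERT in ldap.conf, whose OpenLDAP default is also demand).
		if ( defined( 'LDAP_OPT_X_TLS_REQUIRE_CERT' ) ) {
			ldap_set_option( $ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND );
		}
		// PHP offers no "is this session encrypted?" query after the fact, so the
		// return value of ldap_start_tls() is the check: fail closed, never bind in clear.
		if ( !@ldap_start_tls( $ds ) ) {
			$msg = ldap_error( $ds );
			ldap_unbind( $ds );
			throw new RuntimeException( "STARTTLS refused by '$uri': $msg" );
		}
	}

	// Anonymous bind when no DN is given; credentials otherwise.
	$dn = ( $bind_dn === '' ) ? null : $bind_dn;
	$pw = ( $bind_pw === '' ) ? null : $bind_pw;
	if ( !@ldap_bind( $ds, $dn, $pw ) ) {
		$msg = ldap_error( $ds );
		ldap_unbind( $ds );
		throw new RuntimeException( "Bind as '$bind_dn' failed: $msg" );
	}
	return $ds;
}

// Usage (the host is an assumption; nothing is contacted unless you run this):
// $ds = example_ldap_connect_bind( 'ldap://ldap.example.com:389', true, 'cn=reader,dc=example,dc=com', 'secret' );
```

The ordering is the point: URI sanity check, protocol version, certificate policy, STARTTLS, and only then a bind. If the upgrade is refused the handle is closed and an exception is raised, so the credentials never cross the wire in cleartext.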

tvleavitt (reporter), 2019-05-14 07:02, note ~0062060

Bump. Can someone please take 5 minutes and integrate this? It's pretty damn trivial (just got it working myself). The request dates back six years, the code has been there since late 2014, and the effort required is nil.

dregad (developer), 2019-05-14 09:32, note ~0062061

> just got it working myself

@tvleavitt would you mind submitting a Pull Request on our Github repository [1] with the changes, making sure that your submissions adhere to our Coding Guidelines [2] ? Thanks !

Note that the provided patch is not complete - an error message for ERROR_LDAP_UNABLE_TO_STARTTLS should be defined in strings_english.txt, and the Admin Guide should document the new config as well.

[1] https://github.com/mantisbt/mantisbt
[2] http://www.mantisbt.org/wiki/doku.php/mantisbt:coding_guidelines

tvleavitt (reporter), 2019-05-14 11:32, note ~0062063

I'll do my best to get to it this week. I'm not overly familiar with Git and pull requests, etc. but I'm sure I can figure it out. How do I edit / update the Admin Guide? Adhering to the Coding Guidelines should be pretty trivial, the patches are tiny and basically exact duplicates of similar functions. I presume that the lang/strings_english.txt bit would map to the item specified in core/constant_inc.php in the patch.

dregad (developer), 2019-05-14 14:41, note ~0062064

> I'll do my best to get to it this week.

Awesome, thanks

> I'm not overly familiar with Git and pull requests, etc. but I'm sure I can figure it out.

If you need help just let me know. Feel free to ping me on Gitter

> How do I edit / update the Admin Guide?

That's XML files (docbook format)

> I presume that the lang/strings_english.txt bit would map to the item specified in core/constant_inc.php in the patch

Correct, just copy paste the line for another error message and update it as needed

Issue History

Date Modified    | Username  | Field        | Change
2013-01-10 13:42 | illmnec   | New Issue    |
2013-01-11 07:25 | dregad    | Status       | new => acknowledged
2014-09-18 14:41 | illmnec   | File Added   | mantis_patch_ldap_starttls.patch
2014-09-18 14:43 | illmnec   | Note Added   | 0041247
2014-09-22 11:35 | dregad    | Tag Attached | patch
2014-09-22 13:52 | grangeway | Assigned To  | => grangeway
2014-09-22 13:52 | grangeway | Status       | acknowledged => assigned
2014-11-07 17:05 | atrol     | Assigned To  | grangeway =>
2014-11-07 17:05 | atrol     | Status       | assigned => new
2019-05-14 07:02 | tvleavitt | Note Added   | 0062060
2019-05-14 09:32 | dregad    | Note Added   | 0062061
2019-05-14 11:32 | tvleavitt | Note Added   | 0062063
2019-05-14 14:41 | dregad    | Note Added   | 0062064