Mantisbt LDAP startTLS

manribcam
Posts: 3
Joined: Nov 14, 2018 2:00 pm

Mantisbt LDAP startTLS

Post by manribcam » Nov 14, 2018 2:13 pm

Hello, does any of the most recent mantisbt releases support by default LDAP startTLS encrypted authentication mode?

We have set the LDAP server for startTLS encryption as ldaps is being deprecated. Apparently this is a very old request from the mantisbt community but I have found no real useful help that properly explains how the usage of startTLS for LDAP is possible. Therefore:

What is required to use LDAP startTLS connections to the LDAP server?
If required to customize the ldap_api.php library file or even build a new one can you detail what should we change/add?
What linux packages would we require to install on the environment to use LDAP (with startTLS) as authentication method?
Does the above requirement demand the configuration of /etc/openldap/ldap.conf? Any special setting demanded/required in that file?

thanks in advance for the help.

atrol
Site Admin
Posts: 7525
Joined: Mar 26, 2008 4:37 pm
Location: Germany

Re: Mantisbt LDAP startTLS

Post by atrol » Nov 15, 2018 3:17 am

According to this request https://www.mantisbt.org/bugs/view.php?id=15361 the change should be quite simple.

You could try, if changing function ldap_connect_bind in file core/ldap_api.php works for you.

Assuming you are using the latest Mantis version, starting at line 64 you should see the following code


	$t_ds = @ldap_connect( $t_ldap_server );
	if( $t_ds !== false && $t_ds > 0 ) {
		log_event( LOG_LDAP, 'Connection accepted by LDAP server' );
After the log_event line insert


		if ( ! @ldap_start_tls( $t_ds ) ){
			ldap_log_error( $t_ds );
			trigger_error( ERROR_LDAP_SERVER_CONNECT_FAILED, ERROR );
		}
Of course, it's a bit strange to read that the used function is not documented
http://php.net/manual/en/function.ldap-start-tls.php
Please use Search before posting and read the Manual
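As an added example (not MantisBT's own code and not part of the thread), the snippet above shown in its full context: open the connection, force LDAPv3, upgrade the session with StartTLS, and only then send the bind credentials, aborting on any failure so that a cleartext bind can never happen silently. The server URI, bind DN and password are placeholders, and the ldap.conf path and options mentioned in the comments are standard OpenLDAP client settings, not something this thread confirms for a specific installation.

```php
<?php
// Added example, not MantisBT code: connect, StartTLS, then bind.
// Hostname, bind DN and password are placeholders.

declare(strict_types=1);

/**
 * Connect to $server, require a successful StartTLS, then bind as $bindDn.
 * Returns the LDAP link on success and throws RuntimeException otherwise,
 * so a caller can never fall back to an unencrypted bind by accident.
 *
 * @return resource|\LDAP\Connection
 */
function ldap_connect_starttls_bind(string $server, string $bindDn, string $password)
{
    // Use a plain ldap:// URI (port 389): StartTLS upgrades this connection.
    // An ldaps:// URI is a different mechanism (dedicated TLS port, 636).
    // ldap_connect() only validates the URI; the TCP connection is opened lazily.
    $ds = @ldap_connect($server);
    if ($ds === false) {
        throw new RuntimeException("LDAP URI is malformed: $server");
    }

    // StartTLS is an LDAPv3 extended operation; set the version explicitly
    // instead of relying on the library default.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Certificate verification is done by libldap and configured in the
    // OpenLDAP client config (/etc/openldap/ldap.conf, or /etc/ldap/ldap.conf
    // on Debian): TLS_CACERT pointing at the CA bundle and TLS_REQCERT demand.
    // TLS_REQCERT never would make the handshake accept any certificate,
    // which removes the protection StartTLS is meant to provide.
    if (!@ldap_start_tls($ds)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("StartTLS failed: $err");
    }

    // The session is encrypted from here on, so credentials may be sent.
    if (!@ldap_bind($ds, $bindDn, $password)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("Bind failed for $bindDn: $err");
    }

    return $ds;
}

// Usage with placeholder values.
try {
    $ds = ldap_connect_starttls_bind(
        'ldap://ldap.example.test',
        'cn=mantis,ou=svc,dc=example,dc=test',
        'placeholder-password'
    );
    echo "Bound over StartTLS\n";
    ldap_unbind($ds);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Before touching PHP at all, the same ldap.conf and CA setup can be checked from the shell with the ldap-utils client, e.g. `ldapsearch -ZZ -H ldap://ldap.example.test -x -b '' -s base`; `-ZZ` makes ldapsearch fail rather than continue in cleartext if StartTLS is refused or the certificate does not verify, which is exactly the failure the code above also refuses to tolerate.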

manribcam
Posts: 3
Joined: Nov 14, 2018 2:00 pm

Re: Mantisbt LDAP startTLS

Post by manribcam » Nov 19, 2018 12:22 pm

Hello Atrol and thanks for your reply. I would really appreciate it if someone else answers with more inputs on this as I'm sure someone has come along with similar requirements. It is strange why mantisbt does not incorporate such a feature when it was requested/debated for some time now and as explained ldaps is being deprecated in favor of startTLS and most LDAP client applications do support it.

From your answer I believe that changing the ldap_api.php feature is just the first step, because I believe that at least a new variable should be configured under the config_inc.php file, such as $g_ldap_starttls = true. Is this correct?

Furthermore, do you know if the following linux packages would suffice in order to add ldap client functionality to the mantisbt environment and allow it to connect to an ldap server?
libldap-2.4-2
ldap-utils
libsasl2-modules-ldap (I believe this is optional and only required if using sasl2 auth method)
libsasl2-2 (I believe option just as previous one)
php7.2-ldap
php5-sasl (optional I believe)

+ editing the /etc/openldap/ldap.conf accordingly.

Thanks in advance once again hoping that further details can be explained and shared here.

best regards,
Last edited by manribcam on Nov 29, 2018 5:15 am, edited 1 time in total.

atrol
Site Admin
Posts: 7525
Joined: Mar 26, 2008 4:37 pm
Location: Germany

Re: Mantisbt LDAP startTLS

Post by atrol » Nov 19, 2018 1:49 pm

manribcam wrote:
Nov 19, 2018 12:22 pm
From your answer I believe that changing the ldap_api.php feature is just the first step, because I believe that at least a new variable should be configured under the config_inc.php file, such as $g_ldap_starttls = true. Is this correct?
Not correct.
I provided the smallest possible change for you to try if ldap_start_tls works in general.
There is no need to add a configuration option to try it.
manribcam wrote:
Nov 19, 2018 12:22 pm
do you know if the following linux packages would suffice in order to add ldap client functionality to the mantisbt environment and allow it to connect to an ldap server?
I don't know.
I would expect that installing the PHP ldap extension is enough for it.

manribcam
Posts: 3
Joined: Nov 14, 2018 2:00 pm

Re: Mantisbt LDAP startTLS

Post by manribcam » Nov 29, 2018 5:15 am

Hello Atrol, I would really appreciate inputs from other members of the forum who I'm sure have had the same issue and possibly come across a working solution.

Regarding your answers, from the code you have mentioned to be added to the ldap_api function, how would the starttls connection be started without an instruction that states its usage? Wouldn't that be done by some kind of starttls global variable in the configuration file, or are you saying that such added code lines would force the usage of starttls?

I believe we need to install some LDAP libraries on the OS, so that PHP can call them. Question is which ones are required? Asking because PHP must call some ldap features within the OS and therefore something is needed for sure.
Also, from what I have seen at least the configuration of a /etc/openldap/ldap.conf file would be required for proper starttls usage under mantisbt, but I am not sure if such a file can simply be manually created.


I would really appreciate more inputs from other people that have come across this issue and a solution for it.

best regards and thanks in advance

atrol
Site Admin
Posts: 7525
Joined: Mar 26, 2008 4:37 pm
Location: Germany

Re: Mantisbt LDAP startTLS

Post by atrol » Nov 29, 2018 8:21 am

manribcam wrote:
Nov 29, 2018 5:15 am
I would really appreciate inputs from other members of the forum who I'm sure have had the same issue and possibly come across a working solution.
I don't believe that there are a lot of users reading your posts.
The chance that any of those readers has the same problem and is able to help you is quite small.
manribcam wrote:
Nov 29, 2018 5:15 am
how would the starttls connection be started without an instruction that states its usage?
Wouldn't that be done by some kind of starttls global variable in the configuration file, or are you saying that such added code lines would force the usage of starttls?
I can just repeat what I wrote before
atrol wrote:
Nov 19, 2018 1:49 pm
I provided the smallest possible change for you to try if ldap_start_tls works in general.
There is no need to add a configuration option to try it.
Do you know or believe?
manribcam wrote:
Nov 29, 2018 5:15 am
I believe we need to install some LDAP libraries on the OS, so that PHP can call them ....
Did you try my proposal and got errors that there are libraries missing?
Still the same as long as you don't provide some more information
atrol wrote:
Nov 19, 2018 1:49 pm
I would expect that installing the PHP ldap extension is enough for it.