Mantisbt LDAP startTLS

manribcam
Posts: 3
Joined: 14 Nov 2018, 19:00

Mantisbt LDAP startTLS

Post by manribcam »

Hello, does any of the most recent mantisbt releases support by default LDAP startTLS encrypted authentication mode?

We have set the LDAP server for startTLS encryption as ldaps is being deprecated. Apparently this is a very old request from the mantisbt community but I have found no real useful help that properly explains how the usage of startTLS for LDAP is possible. Therefore:

What is required to use LDAP startTLS connections to the LDAP server?
If required to customize the ldap_api.php library file or even build a new one can you detail what should we change/add?
What linux packages would we require to install on the environment to use LDAP (with startTLS) as authentication method?
Does the above requirement demand the configuration of /etc/openldap/ldap.conf? Any special setting demanded/required in that file?

thanks in advance for the help.
atrol
Site Admin
Posts: 8366
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: Mantisbt LDAP startTLS

Post by atrol »

According to this request https://www.mantisbt.org/bugs/view.php?id=15361 the change should be quite simple.

You could try whether changing function ldap_connect_bind in file core/ldap_api.php works for you.

Assuming you are using the latest Mantis version, starting at line 64 you should see the following code

	// In ldap_connect_bind(): the connection is opened here; the bind happens later in the function.
	$t_ds = @ldap_connect( $t_ldap_server );
	if( $t_ds !== false && $t_ds > 0 ) {
		log_event( LOG_LDAP, 'Connection accepted by LDAP server' );
After the log_event line insert

		// Upgrade the still-plaintext session to TLS before any bind is sent;
		// a failed StartTLS is treated like a failed connection, not silently ignored.
		if ( ! @ldap_start_tls( $t_ds ) ){
			ldap_log_error( $t_ds );
			trigger_error( ERROR_LDAP_SERVER_CONNECT_FAILED, ERROR );
		}
Of course, it's a bit strange to read that the used function is not documented
http://php.net/manual/en/function.ldap-start-tls.php
Please use Search before posting and read the Manual
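The sequence atrol describes (open an ldap:// connection, upgrade it with StartTLS, and only then bind) as a stand-alone PHP script, written here as an added example; it is neither MantisBT's code nor code from this thread. The server URI, bind DN, the LDAP_BIND_PW environment variable and the CA bundle path are placeholders, and the script assumes the PHP ldap extension is loaded and that the server's certificate chains to that bundle. It adds the check the posted patch does not: the server certificate is verified, so a failed StartTLS cannot be downgraded by a man-in-the-middle to a plaintext bind that leaks the password.

```php
<?php
// Added example (not MantisBT code): plain LDAP connect -> StartTLS -> bind.
// All hostnames, DNs and paths below are placeholders.

declare(strict_types=1);

function ldap_connect_starttls(string $uri, string $caFile = '/etc/ssl/certs/ca-certificates.crt')
{
    // StartTLS upgrades an ldap:// (port 389) session. It is not used with
    // ldaps://, which is already TLS from the first byte.
    if (stripos($uri, 'ldap://') !== 0) {
        throw new RuntimeException("StartTLS requires an ldap:// URI, got: $uri");
    }

    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("malformed LDAP URI: $uri");
    }

    // StartTLS is an LDAPv3 extended operation; PHP defaults to v2 unless told otherwise.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Require a valid server certificate. Without this, anyone on the path can
    // terminate TLS themselves and read the bind password. These per-connection
    // options exist in PHP 7.1 and later and must be set before ldap_start_tls();
    // on older PHP the equivalent is TLS_CACERT / TLS_REQCERT demand in ldap.conf.
    ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // Upgrade the session. On failure abort rather than continuing in the clear.
    if (!ldap_start_tls($ds)) {
        $msg = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("StartTLS failed: $msg");
    }
    return $ds;
}

function ldap_bind_user($ds, string $dn, string $password): bool
{
    // An empty password makes the server perform an anonymous bind, which
    // "succeeds" without checking anything; reject it before it is sent.
    if ($password === '') {
        return false;
    }
    return @ldap_bind($ds, $dn, $password);
}

// Usage with placeholder values; the password is read from the environment.
$ds = ldap_connect_starttls('ldap://ldap.example.com:389');
if (ldap_bind_user($ds, 'uid=mantis,ou=people,dc=example,dc=com', getenv('LDAP_BIND_PW') ?: '')) {
    echo "bound over StartTLS\n";
} else {
    echo 'bind failed: ' . ldap_error($ds) . "\n";
}
ldap_unbind($ds);
```

To confirm that the server side really offers StartTLS before touching PHP, the OpenLDAP client tools can be used from the same host with `ldapsearch -H ldap://ldap.example.com -ZZ -x -b '' -s base` (hostname again a placeholder); `-ZZ` makes ldapsearch fail instead of falling back to plaintext, which is the behaviour the PHP code above also enforces.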
manribcam
Posts: 3
Joined: 14 Nov 2018, 19:00

Re: Mantisbt LDAP startTLS

Post by manribcam »

Hello Atrol and thanks for your reply. I would really appreciate it if someone else answers with more input on this as I'm sure someone has come along with similar requirements. It is strange why mantisbt does not incorporate such a feature when it was requested/debated for some time now and as explained ldaps is being deprecated in favor of startTLS and most ldap client applications do support it.

From your answer I believe that changing the ldap_api.php feature is just the first step, because I believe that at least a new variable should be configured under the config_inc.php file, such as $g_ldap_starttls = true. Is this correct?

Furthermore, do you know if the following linux packages would suffice in order to add ldap client functionality to the mantisbt environment and allow it to connect to an ldap server?
libldap-2.4-2
ldap-utils
libsasl2-modules-ldap (I believe this is optional and only required if using sasl2 auth method)
libsasl2-2 (I believe option just as previous one)
php7.2-ldap
php5-sasl (optional I believe)

+ editing the /etc/openldap/ldap.conf accordingly.

Thanks in advance once again hoping that further details can be explained and shared here.

best regards,
Last edited by manribcam on 29 Nov 2018, 10:15, edited 1 time in total.
atrol
Site Admin
Posts: 8366
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: Mantisbt LDAP startTLS

Post by atrol »

manribcam wrote: 19 Nov 2018, 17:22 From your answer I believe that changing the ldap_api.php feature is just the first step, because I believe that at least a new variable should be configured under the config_inc.php file, such as $g_ldap_starttls = true. Is this correct?
Not correct.
I provided the smallest possible change for you to try if ldap_start_tls works in general.
There is no need to add a configuration option to try it.
manribcam wrote: 19 Nov 2018, 17:22 do you know if the following linux packages would suffice in order to add ldap client functionality to the mantisbt environment and allow it to connect to an ldap server?
I don't know.
I would expect that installing the PHP ldap extension is enough for it.
manribcam
Posts: 3
Joined: 14 Nov 2018, 19:00

Re: Mantisbt LDAP startTLS

Post by manribcam »

Hello Atrol, I would really appreciate input from other members of the forum who I'm sure have had the same issue and possibly came across a working solution.

Regarding your answers, from the code you have mentioned to be added to the ldap_api function, how would the starttls connection be started without an instruction that states its usage? Wouldn't that be done by some kind of starttls global variable in the configuration file, or are you saying that such added code lines would force the usage of starttls?

I believe we need to install some LDAP libraries on the OS, so that PHP can call them. Question is which ones are required? Asking because PHP must call some ldap features within the OS and therefore something is needed for sure.
Also, from what I have seen at least the configuration of a /etc/openldap/ldap.conf file would be required for proper starttls usage under mantisbt, but not sure if such a file can simply be manually created.

I would really appreciate more input from other people who came across this issue and a solution for it.

best regards and thanks in advance
atrol
Site Admin
Posts: 8366
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: Mantisbt LDAP startTLS

Post by atrol »

manribcam wrote: 29 Nov 2018, 10:15 I would really appreciate input from other members of the forum who I'm sure have had the same issue and possibly came across a working solution.
I don't believe that there are a lot of users reading your posts.
The chance that any of those readers has the same problem and is able to help you is quite small.
manribcam wrote: 29 Nov 2018, 10:15 how would the starttls connection be started without an instruction that states its usage?
Wouldn't that be done by some kind of starttls global variable in the configuration file, or are you saying that such added code lines would force the usage of starttls?
I can just repeat what I wrote before
atrol wrote: 19 Nov 2018, 18:49 I provided the smallest possible change for you to try if ldap_start_tls works in general.
There is no need to add a configuration option to try it.
Do you know or believe?
manribcam wrote: 29 Nov 2018, 10:15 I believe we need to install some LDAP libraries on the OS, so that PHP can call them ....
Did you try my proposal and got errors that there are libraries missing?
Still the same as long as you don't provide some more information
atrol wrote: 19 Nov 2018, 18:49 I would expect that installing the PHP ldap extension is enough for it.
tvleavitt
Posts: 3
Joined: 13 May 2019, 23:07

Re: Mantisbt LDAP startTLS

Post by tvleavitt »

How is it possible that a feature this simple hasn't been integrated into the mainline code? Is it just that everyone who needs it goes ahead and manually integrates it? I find that hard to believe (although I just did it myself in 5 minutes, but then, I've been fixing broken open source p language code for 25 years). This "feature" was requested in 2013!!! The code to implement this has been sitting there since 2014!

FYI, this requires no additional libraries, I think, beyond those required to make LDAP work at all (php-ldap on Ubuntu).
atrol
Site Admin
Posts: 8366
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: Mantisbt LDAP startTLS

Post by atrol »

To follow up at https://mantisbt.org/bugs/view.php?id=15361 where we might get a pull request to merge.