
[Web] allow SSL / TLS connections for LDAP

FreddleSpl0it 1 year ago
parent
commit
2ba64e93f9

+ 36 - 7
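--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2120,10 +2120,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
       $stmt->execute();
       $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
       foreach($rows as $row){
-        if ($row["key"] == 'mappers' || $row["key"] == 'templates'){
-          $settings[$row["key"]] = json_decode($row["value"]);
-        } else {
-          $settings[$row["key"]] = $row["value"];
+        switch ($row["key"]) {
+          case "mappers":
+          case "templates":
+            $settings[$row["key"]] = json_decode($row["value"]);
+          break;
+          case "use_ssl":
+          case "use_tls":
+          case "ignore_ssl_errors":
+            $settings[$row["key"]] = boolval($row["value"]);
+          break;
+          default:
+            $settings[$row["key"]] = $row["value"];
+          break;
         }
       }
       // return default client_scopes for generic-oidc if none is set
@@ -2207,9 +2216,12 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
           $_data['filter']            = (!empty($_data['filter'])) ? $_data['filter'] : "";
           $_data['periodic_sync']     = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0;
           $_data['import_users']      = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
+          $_data['use_ssl']           = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false;
+          $_data['use_tls']           = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false;
+          $_data['ignore_ssl_error']  = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
           $_data['sync_interval']     = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
           $_data['sync_interval']     = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
-          $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval');
+          $required_settings          = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error');
         break;
       }
       
@@ -2306,12 +2318,22 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
             !$_data['binddn'] || !$_data['bindpass']){
               return false;
           }
+          $_data['use_ssl'] = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false;
+          $_data['use_tls'] = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false;
+          $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false;
+          $options = array();
+          if ($_data['ignore_ssl_error']) {
+            $options['LDAP_OPT_X_TLS_REQUIRE_CERT'] = "LDAP_OPT_X_TLS_NEVER";
+          }
           $provider = new \LdapRecord\Connection([
             'hosts'                     => [$_data['host']],
             'port'                      => $_data['port'],
             'base_dn'                   => $_data['basedn'],
             'username'                  => $_data['binddn'],
-            'password'                  => $_data['bindpass']
+            'password'                  => $_data['bindpass'],
+            'use_ssl'                   => $_data['use_ssl'],
+            'use_tls'                   => $_data['use_tls'],
+            'options'                   => $options
           ]);
           try {
             $provider->connect();
@@ -2395,12 +2417,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
         case "ldap":
           if ($iam_settings['host'] && $iam_settings['port'] && $iam_settings['basedn'] &&
             $iam_settings['binddn'] && $iam_settings['bindpass']){
+            $options = array();
+            if ($iam_settings['ignore_ssl_error']) {
+              $options['LDAP_OPT_X_TLS_REQUIRE_CERT'] = "LDAP_OPT_X_TLS_NEVER";
+            }
             $provider = new \LdapRecord\Connection([
               'hosts'                     => [$iam_settings['host']],
               'port'                      => $iam_settings['port'],
               'base_dn'                   => $iam_settings['basedn'],
               'username'                  => $iam_settings['binddn'],
-              'password'                  => $iam_settings['bindpass']
+              'password'                  => $iam_settings['bindpass'],
+              'use_ssl'                   => $iam_settings['use_ssl'],
+              'use_tls'                   => $iam_settings['use_tls'],
+              'options'                   => $options
             ]);
             try {
               $provider->connect();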
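Review bot: The key cast when settings are loaded does not match the key the save path stores: `case "ignore_ssl_errors":` in the first hunk never matches the `ignore_ssl_error` added to `$required_settings` in the second hunk and read in the fourth, so that setting comes back through `default` as the raw string while `use_ssl` and `use_tls` are cast to bool; change it to `case "ignore_ssl_error":`. In the third and fourth hunks the TLS option is built from the constant names as strings, `$options['LDAP_OPT_X_TLS_REQUIRE_CERT'] = "LDAP_OPT_X_TLS_NEVER";`; if LdapRecord passes the `options` array through to ldap_set_option() as its documentation describes, key and value have to be the integer constants, `$options[LDAP_OPT_X_TLS_REQUIRE_CERT] = LDAP_OPT_X_TLS_NEVER;`, otherwise the switch is at best silently ignored and the connection keeps verifying certificates — which is safer than the setting promises, but not what the admin configured. Because this value turns off server certificate verification on the connection that carries the bind DN and password, the assignment deserves a comment stating that, e.g. `// disables server certificate verification; bind credentials are then sent to an unverified peer`. identity_provider() starts and ends outside these hunks.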

+ 3 - 0
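--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -240,7 +240,10 @@
         "iam_userinfo_url": "User info endpoint",
         "iam_username_field": "Username Field",
         "iam_binddn": "Bind DN",
+        "iam_use_ssl": "Use SSL",
+        "iam_use_tls": "Use TLS",
         "iam_version": "Version",
+        "ignore_ssl_error": "Ignore SSL Errors",
         "import": "Import",
         "import_private_key": "Import private key",
         "in_use_by": "In use by",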

+ 24 - 0
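--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -302,6 +302,30 @@
               <input type="number" class="form-control" id="iam_ldap_port" name="port" value="{{ iam_settings.port }}" required>
             </div>
           </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_use_ssl }}</label>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="use_ssl" value="1" {% if iam_settings.use_ssl == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-2">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_use_tls }}</label>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="use_tls" value="1" {% if iam_settings.use_tls == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
+          <div class="row mb-4">
+            <label class="control-label col-md-3 text-sm-end">{{ lang.admin.ignore_ssl_error }}</label>
+            <div class="col-12 col-md-9">
+              <div class="form-check form-switch">
+                <input class="form-check-input" type="checkbox" role="switch" name="ignore_ssl_error" value="1" {% if iam_settings.ignore_ssl_error == 1 %}checked{% endif %}>
+              </div>
+            </div>
+          </div>
           <div class="row mb-2">
             <label class="control-label col-md-3 text-sm-end" for="iam_ldap_basedn">{{ lang.admin.iam_basedn }}:</label>
             <div class="col-12 col-md-9 col-lg-4">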
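Review bot: The three new switches drop the `for`/`id` pairing the surrounding fields use (compare `for="iam_ldap_basedn"` on the label that follows), so their labels are not associated with the checkboxes and cannot be clicked to toggle them; give each input an id (for example `id="iam_ldap_use_ssl"`) and reference it with `for=` on its label. The PHP side ignores `use_tls` whenever `use_ssl` is set, but nothing in the form says so, so an admin can switch both on and only one takes effect; a short help text under the TLS switch, or disabling it client-side while SSL is checked, would make that visible. The "Ignore SSL Errors" switch likewise gives no hint that it disables certificate verification for the bind connection, and a one-line note next to it would help an admin decide deliberately. The enclosing form starts and ends outside the hunk.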