In debugging an LDAP problem for someone, during my code review I noticed the "Ignore Certificate" option in the LDAP Authentication Plugin.
This toggle has a name of ignore_reqcert_tls
The configured value of this toggle is never used in Joomla code, or the upstream Symfony LDAP or even further upstream PHP Ldap code.
Further debugging on how to ignore self-signed and invalid SSL Certificates on LDAP servers leads me to believe that there is no way PHP can set an option at runtime to ignore the invalid certificate.
StackOverflow has this to say https://stackoverflow.com/questions/2689629/how-do-i-solve-ldap-start-tls-unable-to-start-tls-connect-error-in-php
Joomla, as a PHP CMS, cannot be expected to be able to edit files in /etc and therefore we cannot have this feature. I have tested and the putenv mentioned doesn't work on Ubuntu or macOS.
Code review.
This option does nothing
This option is not shown
Yes, it's left as a value in the db json until the form is next saved; there is no need to clean that up, it does nothing anyway :)
Status | New | ⇒ | Pending |
Category | ⇒ | Administration Language & Strings Front End Plugins |
Code that no one ever tested then by the looks of it :)
I've been looking at the debug option too - and have failed to have it actually log anything, anywhere.
as expected - never tested
@brianteeman commented on 8 Mar 2019
@HLeithner it is very unlikely that we will get 2 testers for this as it is very specialised and not used often. I suspect the only option is to code review
Labels | Added: Language Change |
I have tested this item
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-03-03 03:15:21 |
Closed_By | ⇒ | bembelimen | |
Thx
Folks - I'm trying to get LDAP to work in Joomla 4 and this option is required for my configuration. I'm disappointed it was there and never used, but if it is not there it is a stopper for me. Any updates on this or ideas on a work around?
-Bob
@bobgann Have you really read the description (i.e. initial post) here? The option never has been working and cannot work with putenv. It’s a configuration option of the ldap server client itself which could be used. But why do you want to use that? It opens a security hole. Do you really want to use self-signed or invalid TLS certificates?
Thanks @richard67 . Yes I did read it. What I meant was that I was disappointed that "the switch was there but not connected to anything". Not that it worked and was removed. I understand it never worked. A bit frustrating because the documentation discusses it and I'm two days into debugging and just found the core issue. Spent a bunch of time digging into blocked ports and configurations.
I am, slightly, concerned about the idea of using self-signed certs, but in the application we have, it is not a big security issue. I realized that is not always the case - but it is in my specific application.
@bobgann Anyway there is nothing Joomla can do here. You have to edit the ldap.conf configuration file of the ldap client itself.
Even if the putenv way would work on Windows, we cannot implement an option which works only on a certain OS which is not the one that runs the majority of web servers on the www.
@richard67 Actually - I think I can add an environment variable in my apache configuration which tells ldap to do this. I'm trying it on my local xampp dev server to see if it works.
Looks like it came from here and never had code attached due to merge conflicts in the PR - https://github.com/joomla/joomla-cms/pull/24115/files (also the debug flag is similar).
But there was a similar putenv in the original request 40446f0#diff-69657aead4f01d1e6363b073d9f79d91f91526a2889744c6e8182f6f5a53abc2R201 similar to your SO post
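
The thread places certificate checking in the LDAP client's own `ldap.conf` or its environment, and notes that the removed `ignore_reqcert_tls` value can linger in the plugin's stored JSON. The following audit sketch is an added example, not part of the thread or of Joomla's code; it assumes OpenLDAP's documented `TLS_REQCERT` directive and `LDAPTLS_REQCERT` variable, that the last directive in the file wins, and that the environment overrides the file. The sample inputs are constructed.

```python
import json

WEAK = {"never", "allow"}  # values that let an invalid server certificate through
DEFAULT = "demand"         # OpenLDAP client default when nothing is configured

def effective_reqcert(ldap_conf_text, env):
    """Return (value, source) of the TLS_REQCERT setting the client would use."""
    value, source = DEFAULT, "default"
    for n, raw in enumerate(ldap_conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        # Option names in ldap.conf are case-insensitive.
        if len(parts) == 2 and parts[0].upper() == "TLS_REQCERT":
            value, source = parts[1].strip().lower(), f"ldap.conf line {n}"
    if env.get("LDAPTLS_REQCERT"):  # assumption: environment overrides the file
        value = env["LDAPTLS_REQCERT"].strip().lower()
        source = "env LDAPTLS_REQCERT"
    return value, source

def audit(ldap_conf_text, env, plugin_params_json):
    """List findings: relaxed certificate checks and the stale plugin value."""
    findings = []
    value, source = effective_reqcert(ldap_conf_text, env)
    if value in WEAK:
        findings.append(f"certificate checks relaxed: TLS_REQCERT={value} ({source})")
    params = json.loads(plugin_params_json or "{}")
    if "ignore_reqcert_tls" in params:
        findings.append("stale ignore_reqcert_tls=%r in plugin params (no effect)"
                        % params["ignore_reqcert_tls"])
    return findings

# Constructed sample inputs (not taken from any real system).
SAMPLE_CONF = """\
# constructed sample
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
tls_reqcert demand
TLS_REQCERT never
"""
SAMPLE_PARAMS = '{"host": "ldap.example.org", "ignore_reqcert_tls": "1"}'

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, {}, SAMPLE_PARAMS):
        print(finding)
```

Pass the web server's real environment (for example the variables exported in the Apache configuration) as `env` to see which setting actually applies to PHP's LDAP client.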