[4.x] Fix LDAP over SSL (#37962)

* [4.x] Fix LDAP over SSL

* More precise WHERE clause and a bit code style.

* Select correct encryption type with uri ldaps://

and fix element

* Phase 1 convert BRANCH to PSR-12

* Phase 2 convert BRANCH to PSR-12

* remove leftover codestyle error

* Use more correct namings, based on Thunderbird

* rename DB updates for newer Joomla version

* Renamed SQL files to update on latest release

* Enable the test fixed by this PR

* added certificate configuration options

* Some cleaning

---------

Author: tatankat

administrator/components/com_admin/sql/updates/mysql/4.3.0-2023-01-30.sql

@@ -0,0 +1,36 @@
+UPDATE `#__extensions`
+   SET `params` = REPLACE(`params`, '"negotiate_tls":1', '"encryption":"tls"')
+ WHERE `name` = 'plg_authentication_ldap'
+   AND `type` = 'plugin'
+   AND `element` = 'ldap'
+   AND `folder` = 'authentication'
+   AND `client_id` = 0
+   AND `params` LIKE '{%"negotiate_tls":1%}';
+
+UPDATE `#__extensions`
+   SET `params` = REPLACE(`params`, '"negotiate_tls":0', '"encryption":"none"')
+ WHERE `name` = 'plg_authentication_ldap'
+   AND `type` = 'plugin'
+   AND `element` = 'ldap'
+   AND `folder` = 'authentication'
+   AND `client_id` = 0
+   AND `params` LIKE '{%"negotiate_tls":0%}';
+
+UPDATE `#__extensions`
+   SET `params` = REPLACE(`params`, '"encryption":"none"', '"encryption":"ssl"')
+ WHERE `name` = 'plg_authentication_ldap'
+   AND `type` = 'plugin'
+   AND `element` = 'ldap'
+   AND `folder` = 'authentication'
+   AND `client_id` = 0
+   AND `params` LIKE '{%"host":"ldaps:\\\\/\\\\/%}';
+
+UPDATE `#__extensions`
+   SET `params` = REPLACE(`params`, '"host":"ldaps:\\/\\/', '"host":"')
+ WHERE `name` = 'plg_authentication_ldap'
+   AND `type` = 'plugin'
+   AND `element` = 'ldap'
+   AND `folder` = 'authentication'
+   AND `client_id` = 0
+   AND `params` LIKE '{%"host":"ldaps:\\\\/\\\\/%}';
+

administrator/components/com_admin/sql/updates/postgresql/4.3.0-2023-01-30.sql

@@ -0,0 +1,36 @@
+UPDATE "#__extensions"
+   SET "params" = REPLACE("params", '"negotiate_tls":1', '"encryption":"tls"')
+ WHERE "name" = 'plg_authentication_ldap'
+   AND "type" = 'plugin'
+   AND "element" = 'ldap'
+   AND "folder" = 'authentication'
+   AND "client_id" = 0
+   AND "params" LIKE '{%"negotiate_tls":1%}';
+
+UPDATE "#__extensions"
+   SET "params" = REPLACE("params", '"negotiate_tls":0', '"encryption":"none"')
+ WHERE "name" = 'plg_authentication_ldap'
+   AND "type" = 'plugin'
+   AND "element" = 'ldap'
+   AND "folder" = 'authentication'
+   AND "client_id" = 0
+   AND "params" LIKE '{%"negotiate_tls":0%}';
+
+UPDATE "#__extensions"
+   SET "params" = REPLACE("params", '"encryption":"none"', '"encryption":"ssl"')
+ WHERE "name" = 'plg_authentication_ldap'
+   AND "type" = 'plugin'
+   AND "element" = 'ldap'
+   AND "folder" = 'authentication'
+   AND "client_id" = 0
+   AND "params" LIKE '{%"host":"ldaps:\\/\\/%}';
+
+UPDATE "#__extensions"
+   SET "params" = REPLACE("params", '"host":"ldaps:\/\/', '"host":"')
+ WHERE "name" = 'plg_authentication_ldap'
+   AND "type" = 'plugin'
+   AND "element" = 'ldap'
+   AND "folder" = 'authentication'
+   AND "client_id" = 0
+   AND "params" LIKE '{%"host":"ldaps:\\/\\/%}';
+

administrator/language/en-GB/plg_authentication_ldap.ini

@@ -6,14 +6,17 @@
 PLG_AUTHENTICATION_LDAP="Authentication - LDAP"
 PLG_LDAP_FIELD_AUTHMETHOD_LABEL="Authorisation Method"
 PLG_LDAP_FIELD_BASEDN_LABEL="Base DN"
+PLG_LDAP_FIELD_CACERT_LABEL="Path to the server certificate"
+PLG_LDAP_FIELD_CACERT_DESC="Full path to the file or directory where Joomla can find the LDAP server's (Certificate Authority) certificate. If this is empty, the system defaults for the TLS_CACERT and TLS_CACERTDIR LDAP client options are used."
+PLG_LDAP_FIELD_ENCRYPTION_LABEL="Connection Security"
 PLG_LDAP_FIELD_EMAIL_DESC="LDAP attribute which has the User's email address."
 PLG_LDAP_FIELD_EMAIL_LABEL="Map: Email"
 PLG_LDAP_FIELD_FULLNAME_DESC="LDAP attribute which has the User's full name."
 PLG_LDAP_FIELD_FULLNAME_LABEL="Map: Full Name"
 PLG_LDAP_FIELD_HOST_LABEL="Host"
+PLG_LDAP_FIELD_IGNORE_REQCERT_TLS_LABEL="Ignore Certificate"
 PLG_LDAP_FIELD_LDAPDEBUG_DESC="Enables debug hardcoded to level 7"
 PLG_LDAP_FIELD_LDAPDEBUG_LABEL="Debug"
-PLG_LDAP_FIELD_NEGOCIATE_LABEL="Negotiate TLS"
 PLG_LDAP_FIELD_PASSWORD_DESC="The Connect Password is the password of an administrative account."
 PLG_LDAP_FIELD_PASSWORD_LABEL="Connect Password"
 PLG_LDAP_FIELD_PORT_LABEL="Port"
@@ -31,4 +34,7 @@ PLG_LDAP_FIELD_V3_DESC="Default is LDAP2, but the latest versions of OpenLdap re
 PLG_LDAP_FIELD_V3_LABEL="LDAP V3"
 PLG_LDAP_FIELD_VALUE_BINDSEARCH="Bind and Search"
 PLG_LDAP_FIELD_VALUE_BINDUSER="Bind Directly as User"
+PLG_LDAP_FIELD_VALUE_ENCRYPTIONNONE="None"
+PLG_LDAP_FIELD_VALUE_ENCRYPTIONSSL="SSL/TLS"
+PLG_LDAP_FIELD_VALUE_ENCRYPTIONTLS="STARTTLS"
 PLG_LDAP_XML_DESCRIPTION="<p>Handles User Authentication against an LDAP server.</p><p><strong>Warning! You must have at least one authentication plugin enabled or you will lose all access to your site.</strong></p>"

plugins/authentication/ldap/ldap.xml

@@ -45,25 +45,47 @@
 					type="radio"
 					layout="joomla.form.field.radio.switcher"
 					label="PLG_LDAP_FIELD_V3_LABEL"
-					default="0"
+					default="1"
 					filter="integer"
 					>
 					<option value="0">JNO</option>
 					<option value="1">JYES</option>
 				</field>
 
 				<field
-					name="negotiate_tls"
+					name="encryption"
+					type="list"
+					label="PLG_LDAP_FIELD_ENCRYPTION_LABEL"
+					default="none"
+					validate="options"
+					>
+					<option value="none">PLG_LDAP_FIELD_VALUE_ENCRYPTIONNONE</option>
+					<option value="tls">PLG_LDAP_FIELD_VALUE_ENCRYPTIONTLS</option>
+					<option value="ssl">PLG_LDAP_FIELD_VALUE_ENCRYPTIONSSL</option>
+				</field>
+
+				<field
+					name="ignore_reqcert_tls"
 					type="radio"
-					label="PLG_LDAP_FIELD_NEGOCIATE_LABEL"
-					default="0"
-					filter="integer"
+					label="PLG_LDAP_FIELD_IGNORE_REQCERT_TLS_LABEL"
 					layout="joomla.form.field.radio.switcher"
+					default="1"
+					filter="boolean"
+					showon="encryption!:none"
 					>
 					<option value="0">JNO</option>
 					<option value="1">JYES</option>
 				</field>
 
+				<field
+					name="cacert"
+					type="text"
+					label="PLG_LDAP_FIELD_CACERT_LABEL"
+					description="PLG_LDAP_FIELD_CACERT_DESC"
+					required="false"
+					showon="encryption!:none[AND]ignore_reqcert_tls:0"
+				/>
+
 				<field
 					name="no_referrals"
 					type="radio"

plugins/authentication/ldap/src/Extension/Ldap.php

@@ -95,14 +95,43 @@ public function onUserAuthenticate($credentials, $options, &$response)
         $ldap_fullname = $this->params->get('ldap_fullname', '');
         $ldap_uid      = $this->params->get('ldap_uid', '');
         $auth_method   = $this->params->get('auth_method', '');
+        // Load certificate info
+        $ignore_reqcert_tls = (bool) $this->params->get('ignore_reqcert_tls', '1');
+        $cacert             = $this->params->get('cacert', '');
+
+        // getting certificate file and certificate directory options (both need to be set)
+        if (!$ignore_reqcert_tls && !empty($cacert)) {
+            if (is_dir($cacert)) {
+                $cacertdir = $cacert;
+                $cacertfile = "";
+            } elseif (is_file($cacert)) {
+                $cacertfile = $cacert;
+                $cacertdir = dirname($cacert);
+            } else {
+                $cacertfile = $cacert;
+                $cacertdir = $cacert;
+                Log::add(sprintf('Certificate path for LDAP client is neither an existing file nor directory: "%s"', $cacert), Log::ERROR, $logcategory);
+            }
+        } else {
+            Log::add(sprintf('Not setting any LDAP TLS CA certificate options because %s, system wide settings are used', $ignore_reqcert_tls ? "certificate is ignored" : "no certificate location is configured"), Log::DEBUG, $logcategory);
+        }
 
         $options = [
             'host'       => $this->params->get('host', ''),
             'port'       => (int) $this->params->get('port', ''),
-            'version'    => $this->params->get('use_ldapV3', '0') == '1' ? 3 : 2,
+            'version'    => $this->params->get('use_ldapV3', '1') == '1' ? 3 : 2,
             'referrals'  => (bool) $this->params->get('no_referrals', '0'),
-            'encryption' => $this->params->get('negotiate_tls', '0') == '1' ? 'tls' : 'none',
+            'encryption' => $this->params->get('encryption', 'none'),
+            'options'    => [
+                'x_tls_require_cert' => $ignore_reqcert_tls ? LDAP_OPT_X_TLS_NEVER : LDAP_OPT_X_TLS_DEMAND,
+            ],
         ];
+        // if these are not set, the system defaults are used
+        if (isset($cacertdir) && isset($cacertfile)) {
+            $options['options']['x_tls_cacertdir'] = $cacertdir;
+            $options['options']['x_tls_cacertfile'] = $cacertfile;
+        }
+
         Log::add(sprintf('Creating LDAP session with options: %s', json_encode($options)), Log::DEBUG, $logcategory);
         $connection_string = sprintf('ldap%s://%s:%s', 'ssl' === $options['encryption'] ? 's' : '', $options['host'], $options['port']);
         Log::add(sprintf('Creating LDAP session to connect to "%s" while binding', $connection_string), Log::DEBUG, $logcategory);

tests/Integration/Plugin/Authentication/Ldap/LdapPluginTest.php

@@ -23,6 +23,12 @@
 /**
  * Test class for Ldap plugin
  *
+ * Not testing for:
+ * * different certificate options
+ *   these can't be properly automatically tested as the LDAP_OPT_X_ settings can only be set once in a running process
+ * * working ldap debug option.
+ *   this can only be tested if phpunit stderr is redirected/duplicated/configured to a file
+ *
  * @package     Joomla.IntegrationTest
  * @subpackage  Ldap
  *
@@ -72,38 +78,6 @@ private function getPlugin($options): LdapPlugin
         return $plugin;
     }
 
-    private function acceptCertificates(): void
-    {
-        //TODO make this (and LDAP_OPT_X_CERTFILE and LDAP_OPT_X_TLS_REQUIRE_CERT) Joomla ldap setting
-        $cert = JPATH_ROOT . '/' . JTEST_LDAP_CACERTFILE;
-        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, dirname($cert));
-        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cert);
-    }
-
-    private function getAdminConnection(array $options): Ldap
-    {
-        $admin_options = [
-            'host' => $options['host'],
-            'port' => (int) $options['port'],
-            'version' => $options['use_ldapV3'] == '1' ? 3 : 2,
-            'referrals'  => (bool) $options['no_referrals'],
-            'encryption' => $options['encryption'],
-            'debug' => (bool) $options['ldap_debug'],
-        ];
-        $ldap = Ldap::create(
-            'ext_ldap',
-            $admin_options
-        );
-        $ldap->bind("cn=admin,cn=config", "configpassword");
-        return $ldap;
-    }
-
-    private function requireEncryption($encryption, $options): void
-    {
-        //$ldap = $this->getAdminConnection($options);
-        //TODO configure openldap (only if given permission in phpunit.xml, so people can use their own ldap server) to require the requested encryption to be sure encryption is used
-    }
-
     private function skipIfAskedFor($options): void
     {
         if (empty($options["host"])) {
@@ -136,6 +110,9 @@ public function setUp(): void
             'ldap_email' => JTEST_LDAP_EMAIL,
             'ldap_uid' => JTEST_LDAP_UID,
             'ldap_debug' => 0,
+            /* the security options can only be set once, these are the best practice settings */
+            'ignore_reqcert_tls' => 0,
+            'cacert' => JPATH_ROOT . '/' . JTEST_LDAP_CACERTFILE,
             /* changing options to test all code */
             'port' => self::LDAPPORT,
             'encryption' => "none",
@@ -235,9 +212,6 @@ public function testOnUserAuthenticateBindAndSearchTLS()
         $this->skipIfAskedFor($options);
         $plugin = $this->getPlugin($options);
 
-        $this->acceptCertificates();
-        $this->requireEncryption("tls", $options);
-
         $response = new AuthenticationResponse();
         $plugin->onUserAuthenticate($this->default_credentials, [], $response);
         $this->assertEquals(Authentication::STATUS_SUCCESS, $response->status);
@@ -252,42 +226,15 @@ public function testOnUserAuthenticateBindAndSearchTLS()
      */
     public function testOnUserAuthenticateBindAndSearchSSL()
     {
-        $this->markTestSkipped("Fix provided in PR #37962");
-
         $options = $this->default_options;
         $options["auth_method"] = "search";
         $options["encryption"] = "ssl";
         $options["port"] = self::SSLPORT;
         $this->skipIfAskedFor($options);
         $plugin = $this->getPlugin($options);
 
-        $this->acceptCertificates();
-        $this->requireEncryption("ssl", $options);
-
-        $response = new AuthenticationResponse();
-        $plugin->onUserAuthenticate($this->default_credentials, [], $response);
-        $this->assertEquals(Authentication::STATUS_SUCCESS, $response->status);
-    }
-
-    /**
-     * @testdox  does log ldap client calls and errors
-     * can only be tested if phpunit stderr is redirected/duplicated/configured to a file
-     * then, we can check if ldap_ calls are present in that file
-     *
-     * @return  void
-     *
-     * @since   4.3.0
-     */
-    /*
-    public function testOnUserAuthenticateWithDebug()
-    {
-        $options = $this->default_options;
-        $options["ldap_debug"] = 1;
-        $plugin = $this->getPlugin($options);
-
         $response = new AuthenticationResponse();
         $plugin->onUserAuthenticate($this->default_credentials, [], $response);
         $this->assertEquals(Authentication::STATUS_SUCCESS, $response->status);
     }
-    */
 }