From f427267f5b78fff3d15d4ffbc060c9c2fba057c8 Mon Sep 17 00:00:00 2001
From: bpatath
Date: Sat, 23 May 2020 23:16:48 +0200
Subject: [PATCH] Add SSL configuration for LDAP
---
 .env.example | 8 ++++++++
 config/ldap.php | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/.env.example b/.env.example
index f3536bedeb..1210610742 100644
--- a/.env.example
+++ b/.env.example
@@ -180,8 +180,16 @@ ADLDAP_PORT=389
 ADLDAP_TIMEOUT=5
 ADLDAP_BASEDN=""
 ADLDAP_FOLLOW_REFFERALS=false
+
+# SSL/TLS settings
 ADLDAP_USE_SSL=false
 ADLDAP_USE_TLS=false
+ADLDAP_SSL_CACERTDIR=
+ADLDAP_SSL_CACERTFILE=
+ADLDAP_SSL_CERTFILE=
+ADLDAP_SSL_KEYFILE=
+ADLDAP_SSL_CIPHER_SUITE=
+ADLDAP_SSL_REQUIRE_CERT=
 
 # You can set the following variables from a file by appending them with _FILE:
 ADLDAP_ADMIN_USERNAME=
diff --git a/config/ldap.php b/config/ldap.php
index 13e18bd41b..1c4c57da8b 100644
--- a/config/ldap.php
+++ b/config/ldap.php
@@ -38,6 +38,24 @@ if ('ActiveDirectory' === envNonEmpty('ADLDAP_CONNECTION_SCHEME', 'OpenLDAP')) {
 $schema = ActiveDirectory::class;
 }
 
+/*
+ * Get SSL parameters from .env file.
+ */
+$ssl_ca_dir = envNonEmpty('ADLDAP_SSL_CACERTDIR', null);
+$ssl_ca_file = envNonEmpty('ADLDAP_SSL_CACERTFILE', null);
+$ssl_cert = envNonEmpty('ADLDAP_SSL_CERTFILE', null);
+$ssl_key = envNonEmpty('ADLDAP_SSL_KEYFILE', null);
+$ssl_ciphers = envNonEmpty('ADLDAP_SSL_CIPHER_SUITE', null);
+$ssl_require = envNonEmpty('ADLDAP_SSL_REQUIRE_CERT', null);
+
+$ssl_options = [];
+if ($ssl_ca_dir !== null) $ssl_options[LDAP_OPT_X_TLS_CACERTDIR ] = $ssl_ca_dir;
+if ($ssl_ca_file !== null) $ssl_options[LDAP_OPT_X_TLS_CACERTFILE ] = $ssl_ca_file;
+if ($ssl_cert !== null) $ssl_options[LDAP_OPT_X_TLS_CERTFILE ] = $ssl_cert;
+if ($ssl_key !== null) $ssl_options[LDAP_OPT_X_TLS_KEYFILE ] = $ssl_key;
+if ($ssl_ciphers !== null) $ssl_options[LDAP_OPT_X_TLS_CIPHER_SUITE] = $ssl_ciphers;
+if ($ssl_require !== null) $ssl_options[LDAP_OPT_X_TLS_REQUIRE_CERT] = $ssl_require;
+
 return [
 /*
 |--------------------------------------------------------------------------
@@ -254,6 +272,7 @@ return [
 'use_ssl' => env('ADLDAP_USE_SSL', false),
 'use_tls' => env('ADLDAP_USE_TLS', false),
+ 'custom_options' => $ssl_options,
 ],
 ],
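Review bot: The last added `if` stores `ADLDAP_SSL_REQUIRE_CERT` into `$ssl_options[LDAP_OPT_X_TLS_REQUIRE_CERT]` as the raw environment string, but that option takes an integer level (`LDAP_OPT_X_TLS_NEVER` … `LDAP_OPT_X_TLS_TRY`), and as far as I can tell ext/ldap applies an integer cast when `ldap_set_option` is called, so a human-readable value such as `demand` becomes 0, which is `LDAP_OPT_X_TLS_NEVER` — the operator asks for verification and silently gets none. Assuming Adldap's `custom_options` is handed straight to `ldap_set_option`, the config should map an explicit allow-list of level names to the constants and refuse anything else so that a typo fails at boot instead of downgrading TLS; the rewrite below replaces that one `if` line. The same applies to the `ADLDAP_SSL_REQUIRE_CERT=` line in .env.example, which should name the accepted values. Separately, the six brace-less single-line `if`s would read better as `if (...) { ... }` blocks per PSR-12.
```php
// … unchanged: $ssl_* = envNonEmpty(...) lookups and the other LDAP_OPT_X_TLS_* assignments …
// Only these OpenLDAP level names are accepted for LDAP_OPT_X_TLS_REQUIRE_CERT.
$ssl_require_levels = [
    'never'  => LDAP_OPT_X_TLS_NEVER,
    'hard'   => LDAP_OPT_X_TLS_HARD,
    'demand' => LDAP_OPT_X_TLS_DEMAND,
    'allow'  => LDAP_OPT_X_TLS_ALLOW,
    'try'    => LDAP_OPT_X_TLS_TRY,
];
if ($ssl_require !== null) {
    $level = strtolower($ssl_require);
    if (!isset($ssl_require_levels[$level])) {
        // Fail closed: an unknown value must not be cast to 0 (LDAP_OPT_X_TLS_NEVER).
        throw new \RuntimeException('ADLDAP_SSL_REQUIRE_CERT must be one of: ' . implode(', ', array_keys($ssl_require_levels)));
    }
    $ssl_options[LDAP_OPT_X_TLS_REQUIRE_CERT] = $ssl_require_levels[$level];
}
```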