Index: kernel/classes/datatypes/ezuser/ezldapuser.php
===================================================================
--- kernel/classes/datatypes/ezuser/ezldapuser.php	(revision 24246)
+++ kernel/classes/datatypes/ezuser/ezldapuser.php	(working copy)
@@ -166,6 +166,7 @@
 
             $LDAPDebugTrace         = $LDAPIni->variable( 'LDAPSettings', 'LDAPDebugTrace' ) === 'enabled';
             $LDAPVersion            = $LDAPIni->variable( 'LDAPSettings', 'LDAPVersion' );
+            $LDAPStartTLS           = $LDAPIni->variable( 'LDAPSettings', 'LDAPStartTLS' ) === 'enabled';
             $LDAPServer             = $LDAPIni->variable( 'LDAPSettings', 'LDAPServer' );
             $LDAPPort               = $LDAPIni->variable( 'LDAPSettings', 'LDAPPort' );
             $LDAPFollowReferrals    = (int) $LDAPIni->variable( 'LDAPSettings', 'LDAPFollowReferrals' );
@@ -236,7 +237,23 @@
             }
 
             if ( function_exists( 'ldap_connect' ) )
+            {
                 $ds = ldap_connect( $LDAPServer, $LDAPPort );
+
+                if ( $LDAPStartTLS )
+                {
+                    if ( (int)$LDAPVersion < 3 )
+                    {
+                        eZDebug::writeError( 'LDAP set to encrypt with StartTLS, but using protocol version lower than 3!', __METHOD__ );
+                        $ds = false;
+                    }
+                    else if ( !ldap_start_tls( $ds ) )
+                    {
+                        eZDebug::writeError( 'Unable to negotiate StartTLS connection to LDAP server!', __METHOD__ );
+                        $ds = false;
+                    }
+                }
+            }
             else
                 $ds = false;
 
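Review bot: `ldap_start_tls( $ds )` in the new StartTLS branch is called without checking that `ldap_connect` actually returned a handle; `ldap_connect` returns false for an invalid server/port, and passing that through is a warning on older PHP and a TypeError on PHP 8, instead of the clean `$ds = false` the branch intends. Guard it and record the server's reason so a refused negotiation is diagnosable: `else if ( $ds === false || !ldap_start_tls( $ds ) )` and `eZDebug::writeError( 'Unable to negotiate StartTLS connection to LDAP server! ' . ( $ds ? ldap_error( $ds ) : '' ), __METHOD__ );`. Both failure paths overwrite `$ds` without `ldap_unbind`, leaving the open handle to the garbage collector; an explicit `ldap_unbind( $ds );` before the assignment would release it deterministically. The branch does the right thing security-wise by discarding the connection rather than continuing unencrypted when TLS cannot be established. The enclosing function continues outside the hunk.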
Index: settings/ldap.ini
===================================================================
--- settings/ldap.ini	(revision 24246)
+++ settings/ldap.ini	(working copy)
@@ -9,6 +9,8 @@
 LDAPDebugTrace=disabled
 # Set LDAP version number
 LDAPVersion=2
+# Enable/disable StartTLS encryption over LDAP connection. This requires LDAP version 3.
+LDAPStartTLS=disabled
 # Determines whether the LDAP library automatically follows referrals returned by LDAP servers or not.
 # set to 1 to enable
 LDAPFollowReferrals=0
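Review bot: The comment on the new `LDAPStartTLS` key says version 3 is required but not what happens when that requirement is not met; since `LDAPVersion=2` is the default two lines above, an operator who only flips this key gets a discarded connection (the code sets the handle to false and logs an error) rather than a silent downgrade, which is worth stating here. Suggest extending the comment with `# If enabled while LDAPVersion is below 3, or if the server refuses the negotiation, the connection is dropped rather than falling back to plaintext.`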
Index: tests/tests/kernel/datatypes/ezuser/ezldapuser_test.php
===================================================================
--- tests/tests/kernel/datatypes/ezuser/ezldapuser_test.php	(revision 24246)
+++ tests/tests/kernel/datatypes/ezuser/ezldapuser_test.php	(working copy)
@@ -524,6 +524,58 @@
     }
 
     /**
+     * Test scenario for LDAP login with StartTLS encryption
+     *
+     * Test Outline
+     * ------------
+     * 1. Set LDAP version 2 and enable StartTLS
+     * 2. Login with username and password
+     * 3. Check that this fails
+     * 4. Set LDAP version 3
+     * 5. Login with username and password
+     * 6. Check parent nodes of user object
+     *
+     * @result:
+     * @expected:
+     *   The first login fails.
+     *   The second login succeeds, user is placed in the StarWars, Rogues and RebelAlliance groups.
+     */
+    public function testLoginUserStartTLS()
+    {
+        if ( !self::ldapIsEnabled() )
+        {
+            $this->markTestSkipped( 'LDAP is not loaded' );
+            return;
+        }
+
+        $this->ldapINI->setVariable( 'LDAPSettings', 'LDAPGroupMappingType', 'UseGroupAttribute' );
+        $this->ldapINI->setVariable( 'LDAPSettings', 'LDAPCreateMissingGroups', 'disabled' );
+        $this->ldapINI->setVariable( 'LDAPSettings', 'LDAPUserGroupAttributeType', 'name' );
+        $this->ldapINI->setVariable( 'LDAPSettings', 'LDAPUserGroupAttribute', 'ou' );
+        $this->ldapINI->setVariable( 'LDAPSettings', 'LDAPVersion', 2 );
+        $this->ldapINI->setVariable( 'LDAPSettings', 'LDAPStartTLS', 'enabled' );
+
+        $user = eZLDAPUser::loginUser( 'han.solo', 'leiaishot' );
+        self::assertEquals( false, $user );
+
+        $this->ldapINI->setVariable( 'LDAPSettings', 'LDAPVersion', 3 );
+
+        $user = eZLDAPUser::loginUser( 'han.solo', 'leiaishot' );
+        if ( $user instanceof eZUser )
+        {
+            $contentObject = $user->attribute( 'contentobject' );
+            $parentNodeIDs = $contentObject->attribute( 'parent_nodes' );
+            sort( $parentNodeIDs );
+            self::assertEquals( array( $this->starWarsGroupNodeId, $this->rebelGroupNodeId, $this->rogueGroupNodeId ),
+                                $parentNodeIDs );
+        }
+        else
+        {
+            $this->markTestSkipped( 'LDAP StartTLS is not available' );
+        }
+    }
+
+    /**
      * Test scenario for ...
      *
      * Test Outline
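Review bot: The `else` branch at the end of `testLoginUserStartTLS` turns a failed StartTLS login into a skipped test, so a regression in the negotiation path (or a server that refuses TLS) would never fail the suite; the skip message cannot be distinguished from a genuine bug. Replace the `if ( $user instanceof eZUser ) … else markTestSkipped` structure with `self::assertInstanceOf( 'eZUser', $user, 'LDAP StartTLS login failed' );` followed by the existing parent-node checks, and move any "server does not support StartTLS" precondition to the top of the test next to `ldapIsEnabled()`. The first check, `self::assertEquals( false, $user )`, also passes on `null` under loose comparison; `self::assertFalse( $user );` pins the documented contract. The docblock's empty `@result:` line should either be filled in or dropped.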
