
#1 2023-07-25 14:24:23

eulglpi
Member
Registered: 2023-06-09
Posts: 8

Ldaps only sometimes works

Hello!

Configuration: GLPI 10.0.6, Windows Server 2022 Standard, IIS webserver

We have encountered a problem where we have configured LDAPS, which sometimes gives successful test results and sometimes unsuccessful ones. After extensive searching, using Wireshark, we found that when the connection is successful, the test sends the client hello message with TLSv1.2 protocol, while when it is unsuccessful, it uses TLSv1.

We have disabled the use of legacy TLS in IIS and blocked it in the registry, yet GLPI still attempts the test with TLSv1. We have searched a lot on forums and other websites but have not found a solution. If you have any ideas, please don't hesitate to share.

Thanks,
EULGLPI


#2 2023-07-26 02:27:23

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,813

Re: Ldaps only sometimes works

It may be possible to force GLPI to use TLS 1.2 as the minimum supported version. In src/AuthLDAP.php, if you search for "$ldap_options" you will find the array of default LDAP options. Adding a comma to the last entry followed by "LDAP_OPT_X_TLS_PROTOCOL_MIN => LDAP_OPT_X_TLS_PROTOCOL_TLS1_2" should set the minimum TLS version to 1.2.

If that works, I'll make an official patch that adds an option in the form to allow choosing the minimum TLS version.


GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.


#3 2023-07-26 09:43:54

eulglpi
Member
Registered: 2023-06-09
Posts: 8

Re: Ldaps only sometimes works

cconard96 wrote:

It may be possible to force GLPI to use TLS 1.2 as the minimum supported version. In src/AuthLDAP.php, if you search for "$ldap_options" you will find the array of default LDAP options. Adding a comma to the last entry followed by "LDAP_OPT_X_TLS_PROTOCOL_MIN => LDAP_OPT_X_TLS_PROTOCOL_TLS1_2" should set the minimum TLS version to 1.2.

If that works, I'll make an official patch that adds an option in the form to allow choosing the minimum TLS version.

If I search for $ldap_options, it does not return any results in AuthLDAP.php.


#4 2023-07-26 09:56:18

eulglpi
Member
Registered: 2023-06-09
Posts: 8

Re: Ldaps only sometimes works

eulglpi wrote:
cconard96 wrote:

It may be possible to force GLPI to use TLS 1.2 as the minimum supported version. In src/AuthLDAP.php, if you search for "$ldap_options" you will find the array of default LDAP options. Adding a comma to the last entry followed by "LDAP_OPT_X_TLS_PROTOCOL_MIN => LDAP_OPT_X_TLS_PROTOCOL_TLS1_2" should set the minimum TLS version to 1.2.

If that works, I'll make an official patch that adds an option in the form to allow choosing the minimum TLS version.

If I search for $ldap_options, it does not return any results in AuthLDAP.php.

I've only found this segment:

        // Excerpt from src/AuthLDAP.php (GLPI 10.0.6); the method header above this point was not quoted.
        $ds = @ldap_connect($host, intval($port));
        if ($ds) {
            @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
            @ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
            @ldap_set_option($ds, LDAP_OPT_DEREF, $deref_options);
            @ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, $timeout);

            // Client certificate and key for TLS, set as global (null handle) options
            if (!empty($tls_certfile) && file_exists($tls_certfile)) {
                @ldap_set_option(null, LDAP_OPT_X_TLS_CERTFILE, $tls_certfile);
            }

            if (!empty($tls_keyfile) && file_exists($tls_keyfile)) {
                @ldap_set_option(null, LDAP_OPT_X_TLS_KEYFILE, $tls_keyfile);
            }

            // StartTLS upgrade of a plain ldap:// connection (an ldaps:// URI skips this)
            if ($use_tls) {
                if (!@ldap_start_tls($ds)) {
                    return false;
                }
            }

            // Auth bind
            if ($use_bind) {
                if ($login != '') {
                    $b = @ldap_bind($ds, $login, $password);
                } else { // Anonymous bind
                    $b = @ldap_bind($ds);
                }
            } else {
                $b = true;
            }

            if ($b) {
                return $ds;
            }
        }
        return false;
    }

But if I put what you wrote anywhere, my site crashes.


#5 2023-07-26 12:20:36

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,813

Re: Ldaps only sometimes works

Place it with the other options being set:
@ldap_set_option($ds, LDAP_OPT_X_TLS_PROTOCOL_MIN, LDAP_OPT_X_TLS_PROTOCOL_TLS1_2);


Apparently this code was re-organized between 10.0.6 and the current version.


GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.

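One way to apply the minimum-version option cconard96 describes, written as an added example rather than GLPI's own code: it sets the minimum both globally and on the handle before the first operation (with OpenLDAP's client library a new handle inherits the global TLS settings at creation time, so the order matters), requires certificate verification, reads the option back to confirm it took effect on that handle, and handles both ldaps:// and StartTLS. Host, port and credentials are placeholders.

```php
<?php
// Added example (not GLPI code): open an LDAP connection that refuses anything
// below TLS 1.2, verifies the server certificate, and confirms the option applied.
// Returns the connection handle, or null with the reason in $error.
function connectLdapMinTls12(string $host, int $port, string $bindDn, string $password,
                             bool $useStartTls, ?string &$error = null)
{
    // These constants exist only when the ldap extension was built against a
    // library that supports them (PHP 7.1+ with OpenLDAP); fail closed otherwise.
    if (!defined('LDAP_OPT_X_TLS_PROTOCOL_MIN') || !defined('LDAP_OPT_X_TLS_PROTOCOL_TLS1_2')) {
        $error = 'ldap extension lacks LDAP_OPT_X_TLS_PROTOCOL_MIN support';
        return null;
    }

    // Global (null handle) options first: handles created afterwards inherit them.
    ldap_set_option(null, LDAP_OPT_X_TLS_PROTOCOL_MIN, LDAP_OPT_X_TLS_PROTOCOL_TLS1_2);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND); // CA must be trusted

    $uri = ($useStartTls ? 'ldap://' : 'ldaps://') . $host . ':' . $port;
    $ds  = ldap_connect($uri); // no socket yet: the TLS handshake happens on the first operation
    if ($ds === false) {
        $error = 'invalid LDAP URI ' . $uri;
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);
    // Per-handle minimum, set before StartTLS/bind so the first handshake honours it.
    ldap_set_option($ds, LDAP_OPT_X_TLS_PROTOCOL_MIN, LDAP_OPT_X_TLS_PROTOCOL_TLS1_2);

    // Read the option back: this is the check that it applied to *this* handle.
    $min = 0;
    ldap_get_option($ds, LDAP_OPT_X_TLS_PROTOCOL_MIN, $min);
    if ($min < LDAP_OPT_X_TLS_PROTOCOL_TLS1_2) {
        $error = sprintf('minimum TLS version not applied (got 0x%x)', $min);
        return null;
    }

    if ($useStartTls && !@ldap_start_tls($ds)) {
        $error = 'StartTLS failed: ' . ldap_error($ds);
        return null;
    }
    if (!@ldap_bind($ds, $bindDn, $password)) { // on ldaps:// a handshake failure surfaces here
        $error = 'bind failed: ' . ldap_error($ds);
        return null;
    }
    return $ds;
}

// Usage with placeholder values (replace with your directory's host, port and service account):
$ds = connectLdapMinTls12('dc.example.internal', 636, 'CN=glpi-reader,OU=Service,DC=example,DC=internal',
                          'REPLACE_ME', false, $err);
echo $ds ? "connected with TLS >= 1.2\n" : "failed: $err\n";
```

Reading the option back with ldap_get_option tells you whether the minimum is actually in force for that handle, independently of what a packet capture shows.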

#6 2023-07-26 13:00:16

eulglpi
Member
Registered: 2023-06-09
Posts: 8

Re: Ldaps only sometimes works

Unfortunately, it still doesn't work. The page no longer crashes; however, Wireshark indicates that it is still attempting TLSv1 after pressing the 'test' button.


#7 2023-07-31 09:00:49

eulglpi
Member
Registered: 2023-06-09
Posts: 8

Re: Ldaps only sometimes works

Do you have any other ideas? We haven't found a solution.
