From bc11f6784ccd74ccc1a96d4d559368d74daa69fc Mon Sep 17 00:00:00 2001
From: Benjamin Renard
Date: Thu, 12 Dec 2024 19:33:38 +0100
Subject: [PATCH] Auth/LDAP: fix handling starttls parameter and add options one
---
 example/includes/config.yml | 10 +++++++++-
 skel/config.yml | 12 ++++++++++--
 src/Auth/Ldap.php | 6 +++++-
 3 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/example/includes/config.yml b/example/includes/config.yml
index 94f2532..cdae6d6 100644
--- a/example/includes/config.yml
+++ b/example/includes/config.yml
@@ -1,5 +1,5 @@
 # Public root URL
-public_root_url: "http://127.0.0.1/eesyphp"
+public_root_url: "/"
 # Application root data directory
 data_directory: "${root_directory_path}/data"
@@ -302,6 +302,14 @@ auth:
 # LDAP bind password (optional)
 #bind_password: 'secret'
+ # LDAP options (optional)
+ # See https://www.php.net/manual/en/function.ldap-set-option.php for available options.
+ # Note: Options may defined by using PHP LDAP_OPT_* constant names.
+ # Default: LDAP_OPT_X_TLS_CERTFILE = /etc/ssl/certs/ca-certificates.crt
+ #options:
+ # LDAP_OPT_X_TLS_REQUIRE_CERT: LDAP_OPT_X_TLS_NEVER
+ # LDAP_OPT_X_TLS_CERTFILE: "/etc/ssl/certs/ca-certificates.crt"
+
 # User search filter by username. The keyword "[username]" will be replace before search by
 # the looked username (default: "uid=[username]")
 #user_filter_by_uid: 'uid=[username]'
diff --git a/skel/config.yml b/skel/config.yml
index 48551f2..8a5d306 100644
--- a/skel/config.yml
+++ b/skel/config.yml
@@ -93,8 +93,8 @@ templates:
 # Translations
 #
 i18n:
- # Default locale (see locales directory for available languages list)
- default_locale: "en_US.UTF8"
+ # Default locale (see locales directory for available languages list, default: 'en_US.UTF8')
+ #default_locale: 'en_US.UTF8'
 #
 # Session
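Review bot: The sample `options:` block in this hunk shows `LDAP_OPT_X_TLS_REQUIRE_CERT: LDAP_OPT_X_TLS_NEVER`, which disables verification of the directory server's certificate, so an operator who uncomments the example as-is gets STARTTLS/LDAPS that an on-path attacker can silently intercept to capture the bind password. Examples should show the verifying value, `# LDAP_OPT_X_TLS_REQUIRE_CERT: LDAP_OPT_X_TLS_DEMAND`, and carry a warning such as `# WARNING: LDAP_OPT_X_TLS_NEVER disables server certificate checks; never use it in production`. The CA bundle also belongs under `LDAP_OPT_X_TLS_CACERTFILE`: `LDAP_OPT_X_TLS_CERTFILE`, used in both the `Default:` line and the example, is the client-certificate option in the PHP/OpenLDAP API, so the example line should be `# LDAP_OPT_X_TLS_CACERTFILE: "/etc/ssl/certs/ca-certificates.crt"`. Minor: `Options may defined` should read `Options may be defined`.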
@@ -302,6 +302,14 @@ auth:
 # LDAP bind password (optional)
 #bind_password: 'secret'
+ # LDAP options (optional)
+ # See https://www.php.net/manual/en/function.ldap-set-option.php for available options.
+ # Note: Options may defined by using PHP LDAP_OPT_* constant names.
+ # Default: LDAP_OPT_X_TLS_CERTFILE = /etc/ssl/certs/ca-certificates.crt
+ #options:
+ # LDAP_OPT_X_TLS_REQUIRE_CERT: LDAP_OPT_X_TLS_NEVER
+ # LDAP_OPT_X_TLS_CERTFILE: "/etc/ssl/certs/ca-certificates.crt"
+
 # User search filter by username. The keyword "[username]" will be replace before search by
 # the looked username (default: "uid=[username]")
 #user_filter_by_uid: 'uid=[username]'
diff --git a/src/Auth/Ldap.php b/src/Auth/Ldap.php
index f8f6633..493cd0d 100644
--- a/src/Auth/Ldap.php
+++ b/src/Auth/Ldap.php
@@ -43,6 +43,9 @@ class Ldap extends Backend {
 'binddn' => null,
 'bindpw' => null,
 'starttls' => false,
+ 'options' => [
+ "LDAP_OPT_X_TLS_CERTFILE" => "/etc/ssl/certs/ca-certificates.crt",
+ ],
 'user_filter_by_uid' => 'uid=[username]',
 'user_basedn' => null,
 'bind_with_username' => false,
@@ -88,7 +91,8 @@ class Ldap extends Backend {
 'basedn' => App :: get('auth.ldap.basedn', null, 'string'),
 'binddn' => App :: get('auth.ldap.bind_dn', null, 'string'),
 'bindpw' => App :: get('auth.ldap.bind_password', null, 'string'),
- 'starttls' => App :: get('starttls', null, 'bool'),
+ 'starttls' => App :: get('auth.ldap.starttls', null, 'bool'),
+ 'options' => App :: get('auth.ldap.options', null, 'array'),
 );
 if ($port = App :: get('auth.ldap.port', null, 'int'))
 self :: $ldap_config['port'] = $port;
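Review bot: skel/config.yml is the template new installs start from, and the `options:` example it now carries pairs `LDAP_OPT_X_TLS_REQUIRE_CERT` with `LDAP_OPT_X_TLS_NEVER`, i.e. it teaches disabling server-certificate validation for STARTTLS/LDAPS and exposes the bind credentials to a man-in-the-middle the moment someone uncomments it. Show the secure value instead, `# LDAP_OPT_X_TLS_REQUIRE_CERT: LDAP_OPT_X_TLS_DEMAND`, and mention `LDAP_OPT_X_TLS_NEVER` only next to an explicit warning that it is for lab use. The `Default:` comment also names `LDAP_OPT_X_TLS_CERTFILE` for the CA bundle, but in the PHP/OpenLDAP API that option selects the client certificate; the trust-store option is `LDAP_OPT_X_TLS_CACERTFILE`, so both the comment and the example key should use that name. `Options may defined` is missing a word (`Options may be defined`).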
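Review bot: The new default `'options'` entry maps `LDAP_OPT_X_TLS_CERTFILE` to `/etc/ssl/certs/ca-certificates.crt`, but in the PHP/OpenLDAP API that constant sets the client certificate (paired with `LDAP_OPT_X_TLS_KEYFILE`); the CA trust store used to verify the server is `LDAP_OPT_X_TLS_CACERTFILE`. As written the default contributes nothing to server verification and, if libldap attempts to load the bundle as a client cert/key pair, may make STARTTLS setup fail outright — this is worth testing against a real server before release. The intended default is presumably `"LDAP_OPT_X_TLS_CACERTFILE" => "/etc/ssl/certs/ca-certificates.crt",`; since that path is Debian/Ubuntu-specific (RHEL-family systems use `/etc/pki/tls/certs/ca-bundle.crt`), a short comment stating that the entry is only a fallback for the system `ldap.conf` trust settings would help operators. The defaults array this hunk edits, and the code that resolves these constant names and applies them, start and end outside the hunk.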
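Review bot: `'options' => App :: get('auth.ldap.options', null, 'array')` yields `null` whenever the key is absent from config, so if this array is merged over the class defaults without dropping null entries, the default CA option is silently lost — the merge is outside the hunk, so confirm which way it goes and, if nulls win, filter them before merging. Since the YAML carries `LDAP_OPT_*` names as strings, whatever resolves them before `ldap_set_option` (not shown here) should accept only names that pass `defined()` and start with `LDAP_OPT_`, and fail with a clear error on anything else rather than passing arbitrary config strings through. TLS options such as `LDAP_OPT_X_TLS_REQUIRE_CERT` and `LDAP_OPT_X_TLS_CACERTFILE` only take effect when set before `ldap_start_tls`, so apply order matters now that `starttls` is actually read from `auth.ldap.starttls` and will start being honoured on existing deployments. The function this hunk belongs to starts and ends outside the hunk.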