From e0fb7aa07b0578cb17052a0e83a1de803ce85a5d Mon Sep 17 00:00:00 2001
From: mlnkng
Date: Fri, 23 Feb 2024 11:15:38 -0800
Subject: [PATCH] Use TLS for LDAP Authentication

---
 config/app.yml         |  3 +++
 lib/ldapUser.class.php | 19 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/config/app.yml b/config/app.yml
index be9ae2e962..9efe1271cb 100644
--- a/config/app.yml
+++ b/config/app.yml
@@ -68,3 +68,6 @@ all:
     response_header: Content-Security-Policy-Report-Only
     # Configure CSP response directives.
     directives: "default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://*.googleapis.com https://*.gstatic.com *.google.com *.googleusercontent.com data: https://www.gravatar.com/avatar/ https://*.google-analytics.com https://*.googletagmanager.com blob:; script-src 'self' https://*.googletagmanager.com 'nonce' https://*.googleapis.com https://*.gstatic.com *.google.com https://*.ggpht.com *.googleusercontent.com blob:; style-src 'self' 'nonce' https://fonts.googleapis.com; worker-src 'self' blob:; connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.googleapis.com *.google.com https://*.gstatic.com data: blob:; frame-ancestors 'self';"
+
+  ldap:
+    enable_tls_encryption: true
diff --git a/lib/ldapUser.class.php b/lib/ldapUser.class.php
index 6b7099a0e4..43f5028c99 100644
--- a/lib/ldapUser.class.php
+++ b/lib/ldapUser.class.php
@@ -23,6 +23,8 @@ class ldapUser extends myUser implements Zend_Acl_Role_Interface
     public function initialize(sfEventDispatcher $dispatcher, sfStorage $storage, $options = [])
     {
+        $this->logger = sfContext::getInstance()->getLogger();
+
         // initialize parent
         parent::initialize($dispatcher, $storage, $options);
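Review bot: The new `ldap.enable_tls_encryption` key is added without a comment, while the neighbouring csp keys each carry one, and the key name alone does not say whether it means StartTLS on the existing connection or an ldaps:// URL; the PHP side of this commit calls ldap_start_tls(), so it is the former. A one-line comment above the key such as `# Upgrade the LDAP connection with StartTLS before binding; set to false only if the server cannot offer StartTLS (e.g. it is already reached over ldaps://)` would settle that for anyone editing app.yml. Since the PHP code also falls back to true when the key is absent, the comment could add that removing the key does not disable TLS.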
@@ -113,20 +115,35 @@ protected function getLdapConnection()
             $this->ldapConnection = $connection;
 
-            return $connection;
+            return $this->ldapConnection;
         }
     }
 
     protected function ldapBind($username, $password)
     {
+        $tls_encryption = sfConfig::get('app_ldap_enable_tls_encryption', true);
         if ($conn = $this->getLdapConnection()) {
             $base_dn = (string) QubitSetting::getByName('ldapBaseDn');
             $bind_attribute = (string) QubitSetting::getByName('ldapBindAttribute');
             $dn = $bind_attribute.'='.$username.','.$base_dn;
 
+            // Close LDAP connection if TLS encryption failed to start
+            if ($tls_encryption && false == ldap_start_tls($conn)) {
+                $this->logger->err('Error starting TLS encryption for LDAP authentication.');
+                ldap_close($conn);
+
+                return false;
+            }
+            if (!$tls_encryption) {
+                $this->logger->info('TLS encryption turned off for LDAP authentication.');
+            }
+
             // The @ suppresses a warning if the auth fails
             $this->ldapBound = @ldap_bind($conn, $dn, $password);
 
+            // Close LDAP connection
+            ldap_close($conn);
+
             return $this->ldapBound;
         }
     }
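Review bot: Both new `ldap_close($conn);` calls in ldapBind (the StartTLS-failure branch and the one after the bind) close the link but leave `$this->ldapConnection` pointing at it, and the top of the hunk shows getLdapConnection() caching that property, so any later LDAP call in the same request — a second bind attempt, or a lookup after the bind — would be handed a closed link; add `$this->ldapConnection = null;` after each `ldap_close($conn);` so the next getLdapConnection() reconnects (the start of getLdapConnection(), including its cache check, is outside the hunk). The failure log line would be far more useful to an operator with the library's reason attached: `$this->logger->err('Error starting TLS encryption for LDAP authentication: '.ldap_error($conn));`. If the configured server is already reached over an ldaps:// URL (the connect code is not visible here), ldap_start_tls() fails on that already-encrypted link, so with `enable_tls_encryption` defaulting to true such a deployment would start rejecting every login after this change — worth a line in the commit message or a comment above the call. Nothing here sets LDAP_OPT_X_TLS_REQUIRE_CERT, so whether the server certificate is actually verified depends on the system ldap.conf default; a comment such as `// Certificate verification relies on the libldap TLS_REQCERT default (demand)` would make that assumption explicit for whoever hardens it later.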