New manager options for ldap certificate validation (#2250)

_example/conf/lmConf-1.json

@@ -86,7 +86,7 @@
    "authentication" : "Demo",
    "cfgAuthor" : "The LemonLDAP::NG team",
    "cfgNum" : 1,
-   "cfgVersion" : "2.0.8",
+   "cfgVersion" : "2.0.9",
    "cookieName" : "lemonldap",
    "demoExportedVars" : {
       "cn" : "cn",

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -144,6 +144,7 @@ sub defaultValues {
         'ldapServer'                      => 'ldap://localhost',
         'ldapTimeout'                     => 120,
         'ldapUsePasswordResetAttribute'   => 1,
+        'ldapVerify'                      => 'require',
         'ldapVersion'                     => 3,
         'linkedInAuthnLevel'              => 1,
         'linkedInFields'             => 'id,first-name,last-name,email-address',

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm

@@ -45,7 +45,7 @@ our $authParameters = {
   githubParams => [qw(githubAuthnLevel githubClientID githubClientSecret githubUserField githubScope)],
   gpgParams => [qw(gpgAuthnLevel gpgDb)],
   kerberosParams => [qw(krbAuthnLevel krbKeytab krbByJs krbRemoveDomain)],
-  ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword ldapITDS)],
+  ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapVerify ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw ldapCAFile ldapCAPath LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword ldapITDS)],
   linkedinParams => [qw(linkedInAuthnLevel linkedInClientID linkedInClientSecret linkedInFields linkedInUserField linkedInScope)],
   nullParams => [qw(nullAuthnLevel)],
   oidcParams => [qw(oidcAuthnLevel oidcRPCallbackGetParam oidcRPStateTimeout)],

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -1584,6 +1584,12 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
             'test'    => qr/^(?:\w+=.*|)$/,
             'type'    => 'text'
         },
+        'ldapCAFile' => {
+            'type' => 'text'
+        },
+        'ldapCAPath' => {
+            'type' => 'text'
+        },
         'ldapChangePasswordAsUser' => {
             'default' => 0,
             'type'    => 'bool'
@@ -1709,6 +1715,23 @@ m[^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
             'default' => 1,
             'type'    => 'bool'
         },
+        'ldapVerify' => {
+            'default' => 'require',
+            'select'  => [ {
+                    'k' => 'none',
+                    'v' => 'None'
+                },
+                {
+                    'k' => 'optional',
+                    'v' => 'Optional'
+                },
+                {
+                    'k' => 'require',
+                    'v' => 'Require'
+                }
+            ],
+            'type' => 'select'
+        },
         'ldapVersion' => {
             'default' => 3,
             'type'    => 'int'

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -3270,6 +3270,25 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
             type          => 'bool',
             documentation => 'Support for IBM Tivoli Directory Server',
         },
+        ldapVerify => {
+            type          => 'bool',
+            documentation => 'Whether to validate LDAP certificates',
+            type          => "select",
+            select        => [
+                { k => 'none',     v => 'None' },
+                { k => 'optional', v => 'Optional' },
+                { k => 'require',  v => 'Require' },
+            ],
+            default => 'require',
+        },
+        ldapCAFile => {
+            type          => 'text',
+            documentation => 'Location of the certificate file for LDAP connections',
+        },
+        ldapCAPath => {
+            type          => 'text',
+            documentation => 'Location of the CA directory for LDAP connections',
+        },
 
         # SSL
         SSLAuthnLevel => {

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -248,10 +248,11 @@ sub tree {
                                     help  => 'authldap.html#connection',
                                     form  => 'simpleInputContainer',
                                     nodes => [
-                                        'ldapServer',      'ldapPort',
-                                        'ldapBase',        'managerDn',
-                                        'managerPassword', 'ldapTimeout',
-                                        'ldapVersion',     'ldapRaw'
+                                        'ldapServer',  'ldapPort',
+                                        'ldapVerify',  'ldapBase',
+                                        'managerDn',   'managerPassword',
+                                        'ldapTimeout', 'ldapVersion',
+                                        'ldapRaw', 'ldapCAFile', 'ldapCAPath',
                                     ]
                                 },
                                 {

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -412,6 +412,8 @@
 "ldapAllowResetExpiredPassword":"السماح بإعادة تعيين كلمة مرور منتهية الصلاحية",
 "ldapAuthnLevel":"مستوى إثبات الهوية",
 "ldapBase":"قاعدة بحث المستخدمين",
+"ldapCAFile": "CA file path",
+"ldapCAPath": "CA directory path",
 "ldapChangePasswordAsUser":"تغيير كمستخدم",
 "ldapConnection":"الاتصال",
 "ldapExportedVars":"المتغيرات المصدرة",
@@ -440,6 +442,7 @@
 "ldapSetPassword":"تعديل كلمة المرور مع عملية موسعة",
 "ldapTimeout":"مهلة",
 "ldapUsePasswordResetAttribute":"استخدام سمة إعادة الضبط",
+"ldapVerify":"Verify LDAP server certificate",
 "ldapVersion":"الإصدار",
 "level":"Level",
 "linkedInAuthnLevel":"مستوى إثبات الهوية",
@@ -1146,4 +1149,4 @@
 "samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
 "samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/de.json

@@ -412,6 +412,8 @@
 "ldapAllowResetExpiredPassword":"Allow to reset an expired password",
 "ldapAuthnLevel":"Authentication level",
 "ldapBase":"Users search base",
+"ldapCAFile": "CA file path",
+"ldapCAPath": "CA directory path",
 "ldapChangePasswordAsUser":"Change as user",
 "ldapConnection":"Connection",
 "ldapExportedVars":"Exported variables",
@@ -440,6 +442,7 @@
 "ldapSetPassword":"Password modify extended operation",
 "ldapTimeout":"Timeout",
 "ldapUsePasswordResetAttribute":"Use reset attribute",
+"ldapVerify":"Verify LDAP server certificate",
 "ldapVersion":"Version",
 "level":"Level",
 "linkedInAuthnLevel":"Authentication level",
@@ -1146,4 +1149,4 @@
 "samlRelayStateTimeout":"RelayState session timeout",
 "samlUseQueryStringSpecific":"Use specific query_string method",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/en.json

@@ -412,6 +412,8 @@
 "ldapAllowResetExpiredPassword":"Allow to reset an expired password",
 "ldapAuthnLevel":"Authentication level",
 "ldapBase":"Users search base",
+"ldapCAFile": "CA file path",
+"ldapCAPath": "CA directory path",
 "ldapChangePasswordAsUser":"Change as user",
 "ldapConnection":"Connection",
 "ldapExportedVars":"Exported variables",
@@ -440,6 +442,7 @@
 "ldapSetPassword":"Password modify extended operation",
 "ldapTimeout":"Timeout",
 "ldapUsePasswordResetAttribute":"Use reset attribute",
+"ldapVerify":"Verify LDAP server certificate",
 "ldapVersion":"Version",
 "level":"Level",
 "linkedInAuthnLevel":"Authentication level",

lemonldap-ng-manager/site/htdocs/static/languages/fr.json

@@ -412,6 +412,8 @@
 "ldapAllowResetExpiredPassword":"Autoriser le changement de mot de passe expiré",
 "ldapAuthnLevel":"Niveau d'authentification",
 "ldapBase":"Base de recherche des utilisateurs",
+"ldapCAFile": "Autorité de certification (fichier)",
+"ldapCAPath": "Autorité de certification (répertoire)",
 "ldapChangePasswordAsUser":"Changement en tant qu'utilisateur",
 "ldapConnection":"Connexion",
 "ldapExportedVars":"Variables exportées",
@@ -440,6 +442,7 @@
 "ldapSetPassword":"Opération étendue password modify",
 "ldapTimeout":"Temps maximum d'inactivité",
 "ldapUsePasswordResetAttribute":"Utiliser l'attribut de réinitialisation",
+"ldapVerify":"Vérifier le certificat du serveur LDAP",
 "ldapVersion":"Version",
 "level":"Niveau",
 "linkedInAuthnLevel":"Niveau d'authentification",

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -412,6 +412,8 @@
 "ldapAllowResetExpiredPassword":"Consenti di reimpostare una password scaduta",
 "ldapAuthnLevel":"Livello di autenticazione",
 "ldapBase":"Base di ricerca degli utenti",
+"ldapCAFile": "CA file path",
+"ldapCAPath": "CA directory path",
 "ldapChangePasswordAsUser":"Cambia come utente",
 "ldapConnection":"Connessione",
 "ldapExportedVars":"Variabili esportate",
@@ -440,6 +442,7 @@
 "ldapSetPassword":"Operazione prolungata di modifica password",
 "ldapTimeout":"Timeout",
 "ldapUsePasswordResetAttribute":"Utilizza l'attributo di ripristino",
+"ldapVerify":"Verify LDAP server certificate",
 "ldapVersion":"Versione",
 "level":"Livello",
 "linkedInAuthnLevel":"Livello di autenticazione",
@@ -1146,4 +1149,4 @@
 "samlRelayStateTimeout":"Timeout di sessione di RelayState",
 "samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
 "samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/pl.json

@@ -412,6 +412,8 @@
 "ldapAllowResetExpiredPassword":"Pozwól resetować wygasłe hasło",
 "ldapAuthnLevel":"Poziom uwierzytelnienia",
 "ldapBase":"Baza wyszukiwania użytkowników",
+"ldapCAFile": "CA file path",
+"ldapCAPath": "CA directory path",
 "ldapChangePasswordAsUser":"Zmień jako użytkownik",
 "ldapConnection":"Połączenie",
 "ldapExportedVars":"Wyeksportowane zmienne",
@@ -440,6 +442,7 @@
 "ldapSetPassword":"Rozszerzona operacja modyfikacji hasła",
 "ldapTimeout":"Limit czasu",
 "ldapUsePasswordResetAttribute":"Użyj atrybutu reset",
+"ldapVerify":"Verify LDAP server certificate",
 "ldapVersion":"Wersja",
 "level":"Poziom",
 "linkedInAuthnLevel":"Poziom uwierzytelnienia",
@@ -1146,4 +1149,4 @@
 "samlRelayStateTimeout":"Limit czasu sesji RelayState",
 "samlUseQueryStringSpecific":"Użyj określonej metody query_string",
 "samlOverrideIDPEntityID":"Zastąp identyfikator jednostki podczas działania jako IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/tr.json

@@ -412,6 +412,8 @@
 "ldapAllowResetExpiredPassword":"Süresi dolmuş bir parolayı sıfırlamaya izin ver",
 "ldapAuthnLevel":"Doğrulama seviyesi",
 "ldapBase":"Kullanıcı arama tabanı",
+"ldapCAFile": "CA file path",
+"ldapCAPath": "CA directory path",
 "ldapChangePasswordAsUser":"Kullanıcı olarak değiştir",
 "ldapConnection":"Bağlantı",
 "ldapExportedVars":"Dışa aktarılan değişkenler",
@@ -440,6 +442,7 @@
 "ldapSetPassword":"Parola değiştirme işlemi genişletilmiş",
 "ldapTimeout":"Zaman aşımı",
 "ldapUsePasswordResetAttribute":"Sıfırlama niteliklerini kullan",
+"ldapVerify":"Verify LDAP server certificate",
 "ldapVersion":"Sürüm",
 "level":"Seviye",
 "linkedInAuthnLevel":"Doğrulama seviyesi",
@@ -1146,4 +1149,4 @@
 "samlRelayStateTimeout":"RelayState oturum zaman aşımı",
 "samlUseQueryStringSpecific":"Spesifik query_string metodu kullan",
 "samlOverrideIDPEntityID":"IDP olarak davrandığında Varlık ID'yi geçersiz kıl"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -412,6 +412,8 @@
 "ldapAllowResetExpiredPassword":"Cho phép đặt lại mật khẩu đã hết hạn",
 "ldapAuthnLevel":"Mức xác thực",
 "ldapBase":"Cơ sở tìm kiếm người dùng",
+"ldapCAFile": "CA file path",
+"ldapCAPath": "CA directory path",
 "ldapChangePasswordAsUser":"Thay đổi như người dùng",
 "ldapConnection":"Kết nối",
 "ldapExportedVars":"Biến đã được xuất",
@@ -440,6 +442,7 @@
 "ldapSetPassword":"Mật khẩu sửa đổi hoạt động mở rộng",
 "ldapTimeout":"Thời gian chờ",
 "ldapUsePasswordResetAttribute":"Sử dụng thuộc tính đặt lại",
+"ldapVerify":"Verify LDAP server certificate",
 "ldapVersion":"Phiên bản",
 "level":"Mức",
 "linkedInAuthnLevel":"Mức xác thực",
@@ -1146,4 +1149,4 @@
 "samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
 "samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -412,6 +412,8 @@
 "ldapAllowResetExpiredPassword":"Allow to reset an expired password",
 "ldapAuthnLevel":"认证等级",
 "ldapBase":"Users search base",
+"ldapCAFile": "CA file path",
+"ldapCAPath": "CA directory path",
 "ldapChangePasswordAsUser":"Change as user",
 "ldapConnection":"连接",
 "ldapExportedVars":"Exported variables",
@@ -440,6 +442,7 @@
 "ldapSetPassword":"Password modify extended operation",
 "ldapTimeout":"Timeout",
 "ldapUsePasswordResetAttribute":"Use reset attribute",
+"ldapVerify":"Verify LDAP server certificate",
 "ldapVersion":"版本",
 "level":"Level",
 "linkedInAuthnLevel":"认证等级",
@@ -1146,4 +1149,4 @@
 "samlRelayStateTimeout":"RelayState session timeout",
 "samlUseQueryStringSpecific":"Use specific query_string method",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}