diff --git a/LibreNMS/Authentication/ActiveDirectoryAuthorizer.php b/LibreNMS/Authentication/ActiveDirectoryAuthorizer.php
index b34fbc93a8..35433b7cf0 100644
--- a/LibreNMS/Authentication/ActiveDirectoryAuthorizer.php
+++ b/LibreNMS/Authentication/ActiveDirectoryAuthorizer.php
@@ -205,6 +205,14 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
 // disable referrals and force ldap version to 3
 ldap_set_option($this->ldap_connection, LDAP_OPT_REFERRALS, 0);
 ldap_set_option($this->ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+ $starttls = Config::get('auth_ad_starttls');
+ if ($starttls == 'optional' || $starttls == 'required') {
+ $tls = ldap_start_tls($this->ldap_connection);
+ if ($starttls == 'required' && $tls === false) {
+ throw new AuthenticationException('Fatal error: LDAP TLS required but not successfully negotiated:' . ldap_error($this->ldap_connection));
+ }
+ }
 }
 
 public function bind($credentials = [])
diff --git a/html/mix-manifest.json b/html/mix-manifest.json
index 549c248ce2..f93629ff8a 100644
--- a/html/mix-manifest.json
+++ b/html/mix-manifest.json
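Review bot: In `optional` mode a failed `ldap_start_tls()` leaves `$tls === false` unhandled and execution continues to `bind()` on the cleartext connection, so credentials can be sent unencrypted with no record of the downgrade; add a branch that logs `ldap_error($this->ldap_connection)` when `$tls === false` in that mode, or at least a comment such as `// optional: on STARTTLS failure the connection stays cleartext; surface ldap_error() so the downgrade is visible`. Note also that `ldap_start_tls()` emits an E_WARNING on failure, so if the application's error handler promotes warnings to exceptions the `required` message is never reached and `optional` becomes a hard failure — presumably worth exercising against a server without STARTTLS. The comparisons should be strict, e.g. `if (in_array($starttls, ['optional', 'required'], true)) {` and `if ($starttls === 'required' && $tls === false) {`, and the exception message lacks a space before the appended error text (`'... negotiated: ' . ldap_error($this->ldap_connection)`). The enclosing method begins before this hunk.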
@@ -4,12 +4,12 @@
 "/css/vendor.css": "/css/vendor.css?id=2568831af31dbfc3128a",
 "/css/app.css": "/css/app.css?id=bd093a6a2e2682bb59ef",
 "/js/vendor.js": "/js/vendor.js?id=c5fd3d75a63757080dbb",
- "/js/lang/de.js": "/js/lang/de.js?id=e2912d41c392d8bc4e2c",
- "/js/lang/en.js": "/js/lang/en.js?id=7aed3226fceb16d522cd",
- "/js/lang/fr.js": "/js/lang/fr.js?id=bd58747a5439aafb8330",
- "/js/lang/it.js": "/js/lang/it.js?id=5fdcbbb097408f63d589",
+ "/js/lang/de.js": "/js/lang/de.js?id=613b5ca9cd06ca15e384",
+ "/js/lang/en.js": "/js/lang/en.js?id=a32b81c7156d48489ca3",
+ "/js/lang/fr.js": "/js/lang/fr.js?id=982d149de32e1867610c",
+ "/js/lang/it.js": "/js/lang/it.js?id=8bcb940703f9b010d5e9",
 "/js/lang/ru.js": "/js/lang/ru.js?id=f6b7c078755312a0907c",
- "/js/lang/uk.js": "/js/lang/uk.js?id=1bba323982918f74fa33",
- "/js/lang/zh-CN.js": "/js/lang/zh-CN.js?id=0edc19cb25bb6d36861b",
- "/js/lang/zh-TW.js": "/js/lang/zh-TW.js?id=4d13fc5d8fdd20d417d3"
+ "/js/lang/uk.js": "/js/lang/uk.js?id=510f6f08095080a981a6",
+ "/js/lang/zh-CN.js": "/js/lang/zh-CN.js?id=4e081fbac70d969894bf",
+ "/js/lang/zh-TW.js": "/js/lang/zh-TW.js?id=ed26425647721a42ee9d"
 }
diff --git a/misc/config_definitions.json b/misc/config_definitions.json
index 3fa7f4ff22..0cd9491a62 100644
--- a/misc/config_definitions.json
+++ b/misc/config_definitions.json
@@ -466,6 +466,18 @@
 "order": 12,
 "type": "text"
 },
+ "auth_ad_starttls": {
+ "default": "disabled",
+ "group": "auth",
+ "section": "ad",
+ "order": 13,
+ "type": "select",
+ "options": {
+ "disabled": "Disabled",
+ "optional": "Optional",
+ "required": "Required"
+ }
+ },
 "auth_ldap_attr.uid": {
 "default": "uid",
 "group": "auth",
diff --git a/resources/lang/de/settings.php b/resources/lang/de/settings.php
index cdade3fe55..9f1aebb5f6 100644
--- a/resources/lang/de/settings.php
+++ b/resources/lang/de/settings.php
@@ -210,6 +210,15 @@ return [
 'description' => 'Active Directory Benutzername',
 'help' => 'Benutzt zum durchsuchen des AD Server wenn kein Nutzer eingeloggt ist in (alerts, API, etc)',
 ],
+ 'auth_ad_starttls' => [
+ 'description' => 'Benutze STARTTLS',
+ 'help' => 'Benutze STARTTLS um Verbindungen abzusichern. Alternative zu LDAPS.',
+ 'options' => [
+ 'disabled' => 'Deaktiviert',
+ 'optional' => 'Optional',
+ 'required' => 'Benötigt',
+ ],
+ ],
 'auth_ldap_cache_ttl' => [
 'description' => 'LDAP Cache Gültigkeit',
 'help' => 'Speichert temporär LDAP Suchergebnisse. Erhöht die Geschwindigkeit, aber die Daten können veraltet sein.',
diff --git a/resources/lang/en/settings.php b/resources/lang/en/settings.php
index 2b85e14fd5..75b539ad3b 100644
--- a/resources/lang/en/settings.php
+++ b/resources/lang/en/settings.php
@@ -331,6 +331,15 @@ return [
 'description' => 'Bind username',
 'help' => 'Used to query the AD server when no user is logged in (alerts, API, etc)',
 ],
+ 'auth_ad_starttls' => [
+ 'description' => 'Use STARTTLS',
+ 'help' => 'Use STARTTLS to secure the connection. Alternative to LDAPS.',
+ 'options' => [
+ 'disabled' => 'Disabled',
+ 'optional' => 'Optional',
+ 'required' => 'Required',
+ ],
+ ],
 'auth_ldap_cache_ttl' => [
 'description' => 'LDAP cache expiration',
 'help' => 'Temporarily stores LDAP query results. Improves speeds, but the data may be stale.',
diff --git a/resources/lang/fr/settings.php b/resources/lang/fr/settings.php
index 38d36cdbfe..b446393f95 100644
--- a/resources/lang/fr/settings.php
+++ b/resources/lang/fr/settings.php
@@ -257,6 +257,15 @@ return [
 'description' => 'Utilisateur AD "bind"',
 'help' => 'Utilisé pour questionner l\'AD quand aucun autre utilisateur n\'est dans le contexte (alerts, API, etc)',
 ],
+ 'auth_ad_starttls' => [
+ 'description' => 'Utiliser STARTTLS',
+ 'help' => 'Utiliser STARTTLS pour sécuriser la connexion. Alternative à LDAPS.',
+ 'options' => [
+ 'disabled' => 'Désactivé',
+ 'optional' => 'Optionnel',
+ 'required' => 'Obligatoire',
+ ],
+ ],
 'auth_ldap_cache_ttl' => [
 'description' => 'Expiration du cache LDAP',
 'help' => 'Durée du cache LDAP conservant les résultats des requêtes. Meilleure réactivité mais risque de données imprécises/en retard',
diff --git a/resources/lang/it/settings.php b/resources/lang/it/settings.php
index 3fbb21b66a..54721af148 100644
--- a/resources/lang/it/settings.php
+++ b/resources/lang/it/settings.php
@@ -331,6 +331,15 @@ return [
 'description' => 'Bind username',
 'help' => 'Used to query the AD server when no user is logged in (alerts, API, etc)',
 ],
+ 'auth_ad_starttls' => [
+ 'description' => 'Use STARTTLS',
+ 'help' => 'Use STARTTLS to secure the connection. Alternative to LDAPS.',
+ 'options' => [
+ 'disabled' => 'Disabled',
+ 'optional' => 'Optional',
+ 'required' => 'Required',
+ ],
+ ],
 'auth_ldap_cache_ttl' => [
 'description' => 'LDAP cache expiration',
 'help' => 'Temporarily stores LDAP query results. Improves speeds, but the data may be stale.',
diff --git a/resources/lang/zh-CN/settings.php b/resources/lang/zh-CN/settings.php
index eafed78f10..218926a2db 100644
--- a/resources/lang/zh-CN/settings.php
+++ b/resources/lang/zh-CN/settings.php
@@ -211,6 +211,15 @@ return [
 'description' => '系结使用者名称',
 'help' => 'Used to query the AD server when no user is logged in (alerts, API, etc)',
 ],
+ 'auth_ad_starttls' => [
+ 'description' => '使用 STARTTLS',
+ 'help' => 'Use STARTTLS to secure the connection. Alternative to LDAPS.',
+ 'options' => [
+ 'disabled' => '停用',
+ 'optional' => '选用',
+ 'required' => '必要',
+ ],
+ ],
 'auth_ldap_cache_ttl' => [
 'description' => 'LDAP 快取有效期',
 'help' => 'Temporarily stores LDAP query results. Improves speeds, but the data may be stale.',
diff --git a/resources/lang/zh-TW/settings.php b/resources/lang/zh-TW/settings.php
index 8b9905e53d..7e295fb6e9 100644
--- a/resources/lang/zh-TW/settings.php
+++ b/resources/lang/zh-TW/settings.php
@@ -265,6 +265,15 @@ return [
 'description' => '繫結使用者名稱',
 'help' => 'Used to query the AD server when no user is logged in (alerts, API, etc)',
 ],
+ 'auth_ad_starttls' => [
+ 'description' => '使用 STARTTLS',
+ 'help' => 'Use STARTTLS to secure the connection. Alternative to LDAPS.',
+ 'options' => [
+ 'disabled' => '停用',
+ 'optional' => '選用',
+ 'required' => '必要',
+ ],
+ ],
 'auth_ldap_cache_ttl' => [
 'description' => 'LDAP 快取有效期',
 'help' => 'Temporarily stores LDAP query results. Improves speeds, but the data may be stale.',