If the ldap_start_tls function fails the connection is made anyway. This will display a warning but not an ERROR and even worse it connects using an unsecured connection. This is really bad behavior. If ldap_start_tls fails no connection should be made let alone an unsecured one.

CommentFileSizeAuthor
#3 l.patch1.58 KBmiglius

Comments

rmunsch’s picture

Confirmed. This is still ocurring, and is really bad. I experiemented with using a couple bogus port numbers with Start-TLS checked: no connection is made, user is NOT logged in.

Setting back to 389 throws this:



    * warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/sites/all/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 153.
    * warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/sites/all/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 153.
    * warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/sites/all/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 153.
    * warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/sites/all/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 153.
    * warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/sites/all/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 153.
    * warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/sites/all/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 153.
    * warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/sites/all/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 153.
    * warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/sites/all/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 153.

and the user IS LOGGED IN successfully. AD info is read (First Name, Email, etc. fields are read and populated). But the login is done unencrypted, plus this great ugly red box o' warnings appears; module is unusable at this time by anyone who doesn't want to send login data in the clear.

EDIT: argh, didn't check report version. This is on 6.x-1.0-alpha2.

miglius’s picture

Version: 5.x-1.3 » 6.x-1.x-dev
Issue tags: +ldapauth
miglius’s picture

Assigned: Unassigned » miglius
Status: Active » Needs review
StatusFileSize
new1.58 KB

Could you verify if attached patch solves this issue, i.e., drops the connection unless tls is working.

miglius’s picture

Status: Needs review » Fixed
Issue tags: +tls

Haven't received any feedback, but committed the patch anyways.

Status: Fixed » Closed (fixed)
Issue tags: -ldapauth, -tls

Automatically closed -- issue fixed for 2 weeks with no activity.