From 853c96478bd6d7172e4c0344dca8c69a1465ac45 Mon Sep 17 00:00:00 2001
From: Denis Flaven
Date: Wed, 16 Sep 2015 15:31:22 +0000
Subject: [PATCH] #1106, #1122: Added a new option 'start_tls' (false by default) and improved debugging capabilities for troubleshooting when something goes wrong with LDAP. Thanks to Karl (karkoff1212) for the hint. SVN:trunk[3764]
---
 .../2.x/authent-ldap/model.authent-ldap.php | 26 ++++++++++++++++---
 .../2.x/authent-ldap/module.authent-ldap.php | 1 +
 2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/datamodels/2.x/authent-ldap/model.authent-ldap.php b/datamodels/2.x/authent-ldap/model.authent-ldap.php
index 2b6ae0d1a..6434fe8de 100755
--- a/datamodels/2.x/authent-ldap/model.authent-ldap.php
+++ b/datamodels/2.x/authent-ldap/model.authent-ldap.php
@@ -71,20 +71,38 @@ class UserLDAP extends UserInternal
 $sDefaultLDAPUser = MetaModel::GetModuleSetting('authent-ldap', 'default_user', '');
 $sDefaultLDAPPwd = MetaModel::GetModuleSetting('authent-ldap', 'default_pwd', '');
+ $bLDAPStartTLS = MetaModel::GetModuleSetting('authent-ldap', 'start_tls', false);
-
+ $aOptions = MetaModel::GetModuleSetting('authent-ldap', 'options', array());
+ if (array_key_exists(LDAP_OPT_DEBUG_LEVEL, $aOptions))
+ {
+ // Set debug level before trying to connect, so that debug info appear in the PHP error log if ldap_connect goes wrong
+ $bRet = ldap_set_option($hDS, LDAP_OPT_DEBUG_LEVEL, $aOptions[LDAP_OPT_DEBUG_LEVEL]);
+ $this->LogMessage("ldap_set_option('$name', '$value') returned ".($bRet ? 'true' : 'false'));
+ }
 $hDS = @ldap_connect($sLDAPHost, $iLDAPPort);
 if ($hDS === false)
 {
 $this->LogMessage("ldap_authentication: can not connect to the LDAP server '$sLDAPHost' (port: $iLDAPPort). Check the configuration file config-itop.php.");
 return false;
 }
- $aOptions = MetaModel::GetModuleSetting('authent-ldap', 'options', array());
 foreach($aOptions as $name => $value)
 {
- ldap_set_option($hDS, $name, $value);
+ $bRet = ldap_set_option($hDS, $name, $value);
+ $this->LogMessage("ldap_set_option('$name', '$value') returned ".($bRet ? 'true' : 'false'));
 }
-
+ if ($bLDAPStartTLS)
+ {
+ $this->LogMessage("ldap_authentication: start tls required.");
+ $hStartTLS = ldap_start_tls($hDS);
+ //$this->LogMessage("ldap_authentication: hStartTLS = '$hStartTLS'");
+ if (!$hStartTLS)
+ {
+ $this->LogMessage("ldap_authentication: start tls failed.");
+ return false;
+ }
+ }
+
 if ($bind = @ldap_bind($hDS, $sDefaultLDAPUser, $sDefaultLDAPPwd))
 {
 // Search for the person, using the specified query expression
diff --git a/datamodels/2.x/authent-ldap/module.authent-ldap.php b/datamodels/2.x/authent-ldap/module.authent-ldap.php
index d9ce1a370..28fc27cf2 100755
--- a/datamodels/2.x/authent-ldap/module.authent-ldap.php
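Review bot: The pre-connect debug block calls `ldap_set_option($hDS, LDAP_OPT_DEBUG_LEVEL, ...)` before `$hDS` is assigned by the `ldap_connect()` a few lines below, so it passes an undefined variable (null, with an E_NOTICE), and the log line right after it interpolates `$name` and `$value`, which are only defined by the later `foreach`, so it prints `ldap_set_option('', '')`. Since ldap_set_option() takes null as the link to set a global option, make the intent explicit and log the real values: `$bRet = ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, $aOptions[LDAP_OPT_DEBUG_LEVEL]);` followed by `$this->LogMessage("ldap_set_option('LDAP_OPT_DEBUG_LEVEL', '".$aOptions[LDAP_OPT_DEBUG_LEVEL]."') returned ".($bRet ? 'true' : 'false'));`. The StartTLS branch is right to return false rather than fall through to the bind when `ldap_start_tls()` fails, because that bind would otherwise send `$sDefaultLDAPPwd` over the still-unencrypted connection; keep that fail-closed behaviour, and drop the commented-out log line since `$hStartTLS` is only a bool. The enclosing method of UserLDAP starts and ends outside the hunk.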
+++ b/datamodels/2.x/authent-ldap/module.authent-ldap.php
@@ -56,6 +56,7 @@ SetupWebPage::AddModule(
 LDAP_OPT_PROTOCOL_VERSION => 3,
 LDAP_OPT_REFERRALS => 0,
 ),
+ 'start_tls' => false,
 'debug' => false,
 ),
 )
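Review bot: The new `'start_tls' => false` default carries no comment, and a reader of the module settings cannot tell from the key alone that leaving it false means the bind in model.authent-ldap.php uses whatever transport the configured host URI gives, which is cleartext for a plain ldap:// host. Suggest adding above the line: `// Set to true to upgrade the connection with STARTTLS (ldap_start_tls) before binding; authentication is refused if the upgrade fails.`. The enclosing SetupWebPage::AddModule() call starts and ends outside the hunk.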