From b9103a0eca93750467927e13390502dfc14067c2 Mon Sep 17 00:00:00 2001
From: Christoph Reiter <reiter.christoph@gmail.com>
Date: Thu, 20 Jan 2022 15:59:51 +0100
Subject: [PATCH] ldap: allow specifying the encryption used

So the user can choose between LDAPS ("SSL", simple TLS on 636) and StartTLS ("TLS" on 389).
Encryption stays on by default and the standard port for the chosen mode is used,
since nobody has needed anything different so far and
to keep the config small.
---
 src/DependencyInjection/Configuration.php | 5 +++++
 src/Service/LDAPApi.php                   | 7 ++++++-
 tests/PersonTest.php                      | 1 +
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
index c91b3c5..02cbf96 100644
--- a/src/DependencyInjection/Configuration.php
+++ b/src/DependencyInjection/Configuration.php
@@ -24,6 +24,11 @@ class Configuration implements ConfigurationInterface
             ->scalarNode('base_dn')->end()
             ->scalarNode('username')->end()
             ->scalarNode('password')->end()
+            ->enumNode('encryption')
+                ->info('simple_tls uses port 636 and is sometimes referred to as "SSL", start_tls uses port 389 and is sometimes referred to as "TLS"')
+                ->values(['start_tls', 'simple_tls'])
+                ->defaultValue('start_tls')
+            ->end()
             ->end();
 
         $attributesBuilder = new TreeBuilder('attributes');
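Review bot: The info text on the new `encryption` node should say that the port is implied by the choice and cannot be set separately, since the service side hard-codes 389/636 from this value; an operator reading the config schema otherwise has no way to learn that. Something like `->info('simple_tls uses port 636 and is sometimes referred to as "SSL", start_tls uses port 389 and is sometimes referred to as "TLS"; the port is fixed by this choice and there is deliberately no plaintext option')` states both the constraint and the intent. Whether the library verifies the server certificate in either mode is not visible here, so it is worth documenting that separately if it is configurable.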
diff --git a/src/Service/LDAPApi.php b/src/Service/LDAPApi.php
index 5eeb746..25bfbe0 100644
--- a/src/Service/LDAPApi.php
+++ b/src/Service/LDAPApi.php
@@ -97,8 +97,13 @@ class LDAPApi implements LoggerAwareInterface, ServiceSubscriberInterface
             'base_dn' => $config['ldap']['base_dn'] ?? '',
             'username' => $config['ldap']['username'] ?? '',
             'password' => $config['ldap']['password'] ?? '',
-            'use_tls' => true,
         ];
+
+        $encryption = $config['ldap']['encryption'];
+        assert(in_array($encryption, ['start_tls', 'simple_tls'], true));
+        $this->providerConfig['use_tls'] = ($encryption === 'start_tls');
+        $this->providerConfig['use_ssl'] = ($encryption === 'simple_tls');
+        $this->providerConfig['port'] = ($encryption === 'start_tls') ? 389 : 636;
     }
 
     public function setDeploymentEnvironment(string $env)
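Review bot: The read of `$config['ldap']['encryption']` has no default and the only validation is an `assert()`, so with assertions disabled in production (zend.assertions=-1) a missing or misspelt value is not caught: `use_tls` and `use_ssl` both end up false and the connection is made without encryption, while `port` falls to 636. Every other key in this block uses `?? ''`, and the test change in PersonTest.php had to add the key explicitly, which suggests `setConfig()` does not always receive a tree normalised by `Configuration`, so the default there cannot be relied on here. Read the value with the same default as the schema and reject anything else with an exception instead of an assertion, so a bad config fails closed rather than silently downgrading to plaintext.
```php
$encryption = $config['ldap']['encryption'] ?? 'start_tls';
if (!in_array($encryption, ['start_tls', 'simple_tls'], true)) {
    throw new \InvalidArgumentException("Unsupported ldap.encryption value: $encryption");
}
// … unchanged: use_tls / use_ssl / port assignments …
```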
diff --git a/tests/PersonTest.php b/tests/PersonTest.php
index 2bea8c4..d4ff57b 100644
--- a/tests/PersonTest.php
+++ b/tests/PersonTest.php
@@ -40,6 +40,7 @@ class PersonTest extends ApiTestCase
         $this->api = new LDAPApi(self::createClient()->getContainer(), $eventDispatcher);
         $this->api->setConfig([
             'ldap' => [
+                'encryption' => 'simple_tls',
                 'attributes' => [
                     'email' => 'email',
                     'birthday' => 'dateofbirth',
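Review bot: Adding `'encryption' => 'simple_tls'` to the test config means only the LDAPS branch is exercised, and the default `start_tls` path, which is what every deployment without an explicit setting gets, is no longer covered by this fixture. A second case (or a data provider) that omits the key would also confirm what happens when the value is absent, which is the case the service code handles least defensively. The enclosing setUp-style method starts before this hunk.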
-- 
GitLab