fix(LDAP): properly disable are require TLS certificate verification

- the old approach lead connection issues, as ldap_set_option was called
  too late. Specifically it needs to be called before ldap_connect and set
  globally!
- The old approach also connected it to the ldapTLS configuration, which
  has a misleading naming. It indicates StartTLS usage only, not plain TLS
  connections.

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

.github/workflows/integration-sqlite.yml

@@ -84,9 +84,10 @@ jobs:
         ports:
           - 6379:6379/tcp
       openldap:
-        image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 # zizmor: ignore[unpinned-images]
+        image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-8 # zizmor: ignore[unpinned-images]
         ports:
           - 389:389
+          - 636:636
         env:
           SLAPD_DOMAIN: nextcloud.ci
           SLAPD_ORGANIZATION: Nextcloud

apps/user_ldap/lib/Connection.php

@@ -684,6 +684,22 @@ class Connection extends LDAPUtility {
 			return false;
 		}
 
+		if ($this->configuration->turnOffCertCheck) {
+			if ($this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER)) {
+				$this->logger->debug(
+					'Turned off SSL certificate validation successfully.',
+					['app' => 'user_ldap']
+				);
+			} else {
+				$this->logger->warning(
+					'Could not turn off SSL certificate validation.',
+					['app' => 'user_ldap']
+				);
+			}
+		} else {
+			$this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
+		}
+
 		$this->ldapConnectionRes = $this->ldap->connect($host, $port) ?: null;
 
 		if ($this->ldapConnectionRes === null) {
@@ -703,20 +719,6 @@ class Connection extends LDAPUtility {
 		}
 
 		if ($this->configuration->ldapTLS) {
-			if ($this->configuration->turnOffCertCheck) {
-				if ($this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER)) {
-					$this->logger->debug(
-						'Turned off SSL certificate validation successfully.',
-						['app' => 'user_ldap']
-					);
-				} else {
-					$this->logger->warning(
-						'Could not turn off SSL certificate validation.',
-						['app' => 'user_ldap']
-					);
-				}
-			}
-
 			if (!$this->ldap->startTls($this->ldapConnectionRes)) {
 				throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host ' . $host . '.');
 			}

apps/user_ldap/lib/ILDAPWrapper.php

@@ -151,7 +151,7 @@ interface ILDAPWrapper {
 
 	/**
 	 * Sets the value of the specified option to be $value
-	 * @param \LDAP\Connection $link LDAP link resource
+	 * @param ?\LDAP\Connection $link LDAP link resource
 	 * @param int $option a defined LDAP Server option
 	 * @param mixed $value the new value for the option
 	 * @return bool true on success, false otherwise

build/integration/ldap_features/ldap-openldap.feature

@@ -34,6 +34,22 @@ Feature: LDAP
     And Sending a "GET" to "/remote.php/webdav/welcome.txt" with requesttoken
     Then the HTTP status code should be "200"
 
+  Scenario: Test valid configuration with LDAPS protocol and port by logging in
+    Given modify LDAP configuration
+      | ldapHost         | ldaps://openldap:636 |
+      | turnOffCertCheck |                    1 |
+    And cookies are reset
+    And Logging in using web as "alice"
+    And Sending a "GET" to "/remote.php/webdav/welcome.txt" with requesttoken
+    Then the HTTP status code should be "200"
+
+  Scenario: Test failing LDAPS connection through TLS verification
+    Given modify LDAP configuration
+      | ldapHost         | ldaps://openldap:636 |
+      | turnOffCertCheck |                    0 |
+    And cookies are reset
+    And Expect ServerException on failed web login as "alice"
+
   Scenario: Look for a known LDAP user
     Given As an "admin"
     And sending "GET" to "/cloud/users?search=alice"