fix(LDAP): properly disable are require TLS certificate verification

- the old approach lead connection issues, as ldap_set_option was called too late. Specifically it needs to be called before ldap_connect and set globally! - The old approach also connected it to the ldapTLS configuration, which has a misleading naming. It indicates StartTLS usage only, not plain TLS connections. Signed-off-by: Arthur Schiwon <[email protected]>
nextcloud · provokateurin · Oct 14, 2025 · Oct 9, 2025 · Oct 14, 2025 · 6ba452b4267d9102792fc55ac41e4761945cc270
commit 6ba452b4267d9102792fc55ac41e4761945cc270
@@ -84,9 +84,10 @@ jobs:
         ports:
           - 6379:6379/tcp
       openldap:
-        image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-7 # zizmor: ignore[unpinned-images]
+        image: ghcr.io/nextcloud/continuous-integration-openldap:openldap-8 # zizmor: ignore[unpinned-images]
         ports:
           - 389:389
+          - 636:636
         env:
           SLAPD_DOMAIN: nextcloud.ci
           SLAPD_ORGANIZATION: Nextcloud

@@ -684,6 +684,22 @@ private function doConnect($host, $port): bool {
 			return false;
 		}
 
+		if ($this->configuration->turnOffCertCheck) {
+			if ($this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER)) {
+				$this->logger->debug(
+					'Turned off SSL certificate validation successfully.',
+					['app' => 'user_ldap']
+				);
+			} else {
+				$this->logger->warning(
+					'Could not turn off SSL certificate validation.',
+					['app' => 'user_ldap']
+				);
+			}
+		} else {
+			$this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
+		}
+
 		$this->ldapConnectionRes = $this->ldap->connect($host, $port) ?: null;
 
 		if ($this->ldapConnectionRes === null) {
@@ -703,20 +719,6 @@ private function doConnect($host, $port): bool {
 		}
 
 		if ($this->configuration->ldapTLS) {
-			if ($this->configuration->turnOffCertCheck) {
-				if ($this->ldap->setOption($this->ldapConnectionRes, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER)) {
-					$this->logger->debug(
-						'Turned off SSL certificate validation successfully.',
-						['app' => 'user_ldap']
-					);
-				} else {
-					$this->logger->warning(
-						'Could not turn off SSL certificate validation.',
-						['app' => 'user_ldap']
-					);
-				}
-			}
-
 			if (!$this->ldap->startTls($this->ldapConnectionRes)) {
 				throw new ServerNotAvailableException('Start TLS failed, when connecting to LDAP host ' . $host . '.');
 			}

@@ -151,7 +151,7 @@ public function exopPasswd($link, string $userDN, string $oldPassword, string $p
 
 	/**
 	 * Sets the value of the specified option to be $value
-	 * @param \LDAP\Connection $link LDAP link resource
+	 * @param ?\LDAP\Connection $link LDAP link resource
 	 * @param int $option a defined LDAP Server option
 	 * @param mixed $value the new value for the option
 	 * @return bool true on success, false otherwise

@@ -34,6 +34,22 @@ Feature: LDAP
     And Sending a "GET" to "/remote.php/webdav/welcome.txt" with requesttoken
     Then the HTTP status code should be "200"
 
+  Scenario: Test valid configuration with LDAPS protocol and port by logging in
+    Given modify LDAP configuration
+      | ldapHost         | ldaps://openldap:636 |
+      | turnOffCertCheck |                    1 |
+    And cookies are reset
+    And Logging in using web as "alice"
+    And Sending a "GET" to "/remote.php/webdav/welcome.txt" with requesttoken
+    Then the HTTP status code should be "200"
+
+  Scenario: Test failing LDAPS connection through TLS verification
+    Given modify LDAP configuration
+      | ldapHost         | ldaps://openldap:636 |
+      | turnOffCertCheck |                    0 |
+    And cookies are reset
+    And Expect ServerException on failed web login as "alice"
+
   Scenario: Look for a known LDAP user
     Given As an "admin"
     And sending "GET" to "/cloud/users?search=alice"