LDAP: enable ldap admin password encryption to avoid having clear password in the configuration file -refs BT#20849

main/auth/external_login/ldap.inc.php

@@ -112,7 +112,13 @@ function extldap_authenticate($username, $password, $in_auth_with_no_password =
     }
 
     // Connection as admin to search dn of user
-    $ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $extldap_config['admin_password']);
+
+    if (api_get_configuration_value('ldap_encrypt_admin_password') {
+        $ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
+    } else {
+        $ldap_pass = $extldap_config['admin_password'];
+    }
+    $ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $ldap_pass);
     if ($ldapbind === false) {
         if ($debug) {
             error_log(
@@ -297,7 +303,12 @@ function extldap_import_all_users()
     //echo "Binding...\n";
     $ldapbind = false;
     //Connection as admin to search dn of user
-    $ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $extldap_config['admin_password']);
+    if (api_get_configuration_value('ldap_encrypt_admin_password') {
+        $ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
+    } else {
+        $ldap_pass = $extldap_config['admin_password'];
+    }
+    $ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $ldap_pass);
     if ($ldapbind === false) {
         if ($debug) {
             error_log(
@@ -437,7 +448,12 @@ function extldapGetUserAttributeValue($filter, $attribute)
         throw new Exception(get_lang('LDAPConnectFailed'));
     }
 
-    if (false === ldap_bind($ldap, $extldap_config['admin_dn'], $extldap_config['admin_password'])) {
+    if (api_get_configuration_value('ldap_encrypt_admin_password') {
+        $ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
+    } else {
+        $ldap_pass = $extldap_config['admin_password'];
+    }
+    if (false === ldap_bind($ldap, $extldap_config['admin_dn'], $ldap_pass)) {
         throw new Exception(get_lang('LDAPBindFailed'));
     }
 

main/auth/ldap/authldap.php

@@ -338,6 +338,9 @@ function ldap_handle_bind(&$ldap_handler, &$ldap_bind)
     global $ldap_rdn, $ldap_pass, $extldap_config;
     $ldap_rdn = $extldap_config['admin_dn'];
     $ldap_pass = $extldap_config['admin_password'];
+    if (api_get_configuration_value('ldap_encrypt_admin_password') {
+        $ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
+    }
     if (!empty($ldap_rdn) and !empty($ldap_pass)) {
         //error_log('Trying authenticated login :'.$ldap_rdn.'/'.$ldap_pass,0);
         $ldap_bind = ldap_bind($ldap_handler, $ldap_rdn, $ldap_pass);

main/auth/ldap/ldap_var.inc.php

@@ -43,5 +43,7 @@ $ldap_version = $extldap_config['protocol_version'];
 //non-anonymous LDAP mode
 $ldap_rdn = $extldap_config['admin_dn'];
 $ldap_pass = $extldap_config['admin_password'];
-
+if (api_get_configuration_value('ldap_encrypt_admin_password') {
+    $ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
+}
 $ldap_pass_placeholder = "PLACEHOLDER";

main/inc/lib/api.lib.php

@@ -10580,3 +10580,38 @@ function api_flush_settings_cache(int $url_id): bool
 
     return true;
 }
+
+/**
+ * Decrypt sent data with encoded secret defined in app/config/configuration.php
+ * in the variable $_configuration['ldap_admin_password_salt'].
+ *
+ * @param $encryptedText The text to be decrypted
+ *
+ * @return string
+ */
+function api_decrypt_ldap_password(string $encryptedText): string
+{
+    if (!empty(api_get_configuration_value('ldap_admin_password_salt'))) {
+        $secret = api_get_configuration_value('ldap_admin_password_salt');
+    } else {
+        return false;
+    }
+    $secret = hex2bin($secret);
+    $iv = base64_decode(substr($encryptedText, 0, 16), true);
+    $data = base64_decode(substr($encryptedText, 16), true);
+    $tag = substr($data, strlen($data) - 16);
+    $data = substr($data, 0, strlen($data) - 16);
+
+    try {
+      return openssl_decrypt(
+        $data,
+        'aes-256-gcm',
+        $secret,
+        OPENSSL_RAW_DATA,
+        $iv,
+        $tag
+      );
+    } catch (\Exception $e) {
+      return false;
+    }
+}

main/install/configuration.dist.php

@@ -2236,6 +2236,14 @@ VALUES (21, 13, 'send_notification_at_a_specific_date', 'Send notification at a
 // Overwrites the app/config/auth.conf.php settings
 //$_configuration['extldap_config'] = ['host' => '', 'port' => ''];
 
+// To use an encrypted ldap admin password in app/config/auth.conf.php
+// if set to true then you need to put in app/config/auth.conf.php the encrypted passeword in $extldap_config['admin_password']
+// To generate the encrypted password you can use the script tests/scripts/ldap_encrypt_admin_password.php
+//$_configuration['ldap_encrypt_admin_password'] = false;
+
+// Salt to use for admin ldap password decryption
+//$_configuration['ldap_admin_password_salt'] = 'salt';
+
 // Option to hide the teachers info on courses about info page.
 //$_configuration['course_about_teacher_name_hide'] = false;
 

tests/scripts/ldap_encrypt_admin_password.php

@@ -0,0 +1,52 @@
+<?php
+/* For licensing terms, see /license.txt */
+
+/**
+ * This script is to generate the encrypted password for LDAP admin to be used
+ * when the parameter "ldap_encrypt_admin_password" is set to true
+ * this encrypted password will be decrypted by the function api_decrypt_ldap_password
+ */
+
+//exit;
+
+require_once __DIR__.'/../../main/inc/global.inc.php';
+
+// Usage
+echo "This generate the encryption of the password passed in parameter.".PHP_EOL;
+
+$password = '';
+if (!empty($argv[1])) {
+    $password = $argv[1];
+} else {
+    echo "Password not defined in parameter. Please try again, passing it as argument to this script".PHP_EOL;
+    echo "Usage: php ldap_encrypt_admin_password.php password".PHP_EOL;
+    echo "  password    The original clear ldap admin's password".PHP_EOL;
+    exit();
+}
+
+if (!empty(api_get_configuration_value('ldap_encrypt_admin_password'))) {
+    echo "The encrypted password is : " . encrypt(api_get_configuration_value('ldap_encrypt_admin_password'), $password) .PHP_EOL;
+} else {
+    echo "There is no salt defined in app/config/configuration.php for variable 'ldap_admin_password_salt'".PHP_EOL.PHP_EOL;
+}
+
+
+function encrypt($secret, $data)
+{
+  $secret = hex2bin($secret);
+  $iv = random_bytes(12);
+  $tag = '';
+
+  $encrypted = openssl_encrypt(
+    $data,
+    'aes-256-gcm',
+    $secret,
+    OPENSSL_RAW_DATA,
+    $iv,
+    $tag,
+    '',
+    16
+  );
+
+  return base64_encode($iv) . base64_encode($encrypted . $tag);
+}