
[4] Remove all references to LDAP ignore_reqcert_tls#35323

Merged
bembelimen merged 2 commits into joomla:4.1-dev from PhilETaylor:ignore_reqcert_tls
Mar 3, 2022

Conversation

@PhilETaylor
Contributor

@PhilETaylor PhilETaylor commented Aug 23, 2021

Summary of Changes

In debugging an LDAP problem for someone, during my code review I noticed the "Ignore Certificate" option in the LDAP Authentication Plugin.

This toggle has a name of ignore_reqcert_tls

The configured value of this toggle is never used in Joomla code, or the upstream Symfony LDAP or even further upstream PHP Ldap code.

Further debugging on how to ignore self-signed and invalid SSL Certificates on LDAP servers leads me to believe that there is no way PHP can set an option at runtime to ignore the invalid certificate.

StackOverflow has this to say: https://stackoverflow.com/questions/2689629/how-do-i-solve-ldap-start-tls-unable-to-start-tls-connect-error-in-php
[screenshot of the StackOverflow answer, taken 2021-08-23]

Joomla, as a PHP CMS, cannot be expected to be able to edit files in /etc and therefore we cannot have this feature. I have tested, and the putenv mentioned doesn't work on Ubuntu or macOS.

Testing Instructions

Code review.

Actual result BEFORE applying this Pull Request

This option does nothing

Expected result AFTER applying this Pull Request

This option is not shown
Yes, it's left as a value in the db json until the form is next saved; there is no need to clean that up, it does nothing anyway :)

Documentation Changes Required

Yes.
https://help.joomla.org/proxy?keyref=Chunk4x:Extensions_Plugin_Manager_Edit_Authentication_Group/en#Authentication_-_LDAP

@joomla-cms-bot joomla-cms-bot added the Language Change (This is for Translators) and PR-4.0-dev labels Aug 23, 2021
@wilsonge
Contributor

Looks like it came from here and never had code attached due to merge conflicts in the PR - https://github.com/joomla/joomla-cms/pull/24115/files (also the debug flag is similar).

But there was a similar putenv in the original request 40446f0#diff-69657aead4f01d1e6363b073d9f79d91f91526a2889744c6e8182f6f5a53abc2R201, similar to your SO post.

@PhilETaylor

This comment was marked as abuse.

@PhilETaylor

This comment was marked as abuse.

@chmst chmst changed the base branch from 4.0-dev to 4.1-dev January 31, 2022 16:01
@Quy
Contributor

Quy commented Feb 7, 2022

I have tested this item ✅ successfully on b0dd71b


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/35323.

@MUX-ON-WINDOWS

I have tested this item ✅ successfully on b0dd71b



@richard67
Member

RTC



@joomla-cms-bot joomla-cms-bot added the RTC (This Pull Request is Ready To Commit) label Feb 22, 2022
@bembelimen bembelimen merged commit 4006e41 into joomla:4.1-dev Mar 3, 2022
@joomla-cms-bot joomla-cms-bot removed the RTC (This Pull Request is Ready To Commit) label Mar 3, 2022
@bembelimen
Contributor

Thx

@bobgann

bobgann commented Nov 17, 2022

Folks, I'm trying to get LDAP to work in Joomla 4 and this option is required for my configuration. I'm disappointed it was there and never used, but if it is not there it is a stopper for me. Any updates on this or ideas on a workaround?
-Bob



@richard67
Member

richard67 commented Nov 17, 2022

@bobgann Have you really read the description (i.e. the initial post) here? The option never has been working and cannot work with putenv. It’s a configuration option of the LDAP server client itself which could be used. But why do you want to use that? It opens a security hole. Do you really want to use self-signed or invalid TLS certificates?

@bobgann

bobgann commented Nov 17, 2022

Thanks @richard67. Yes, I did read it. What I meant was that I was disappointed that "the switch was there but not connected to anything", not that it worked and was removed. I understand it never worked. A bit frustrating, because the documentation discusses it and I'm two days into debugging and just found the core issue. Spent a bunch of time digging into blocked ports and configurations.

I am, slightly, concerned about the idea of using self-signed certs, but in the application we have, it is not a big security issue. I realize that is not always the case, but it is in my specific application.

@richard67
Member

@bobgann Anyway, there is nothing Joomla can do here. You have to edit the ldap.conf configuration file of the LDAP client itself.

Even if the putenv way would work on Windows, we cannot implement an option which works only on a certain OS, which is not the one that runs the majority of web servers on the www.
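Since both the PR description and richard67's reply locate the real control in the OpenLDAP client's ldap.conf rather than in any Joomla setting, here is an added example (not code from this PR or from Joomla) that audits that file. It writes two constructed ldap.conf samples, the weak one that switches verification off (what the dead toggle would have needed) and the corrected one that keeps verification on and trusts the directory's own CA instead, then reports the effective TLS_REQCERT mode for each. All paths and the CA file name are assumptions. It goes slightly beyond the thread in treating `allow` and `try` as weak alongside `never`, because both let a session continue when the server presents no certificate at all, and `allow` also accepts a bad one.

```shell
#!/bin/sh
# Added example, not Joomla code: audit TLS_REQCERT in an OpenLDAP client config.
# Both config files below are constructed samples; the paths and CA names are
# assumptions for illustration only.

# Weak: verification disabled, the setting the removed Joomla toggle implied.
WEAK_CONF="$(mktemp)"
cat > "$WEAK_CONF" <<'EOF'
# constructed sample ldap.conf (weak)
BASE        dc=example,dc=com
URI         ldaps://ldap.example.com
TLS_REQCERT never
EOF

# Corrected: keep verification on and trust the directory's own CA instead.
FIXED_CONF="$(mktemp)"
cat > "$FIXED_CONF" <<'EOF'
# constructed sample ldap.conf (corrected)
BASE        dc=example,dc=com
URI         ldaps://ldap.example.com
TLS_CACERT  /usr/local/share/ca-certificates/corp-ldap-ca.crt
TLS_REQCERT demand
EOF

# Print the effective TLS_REQCERT value for a config file.
# Keywords are case-insensitive, comment lines are skipped, the last directive
# wins, and OpenLDAP's default when the directive is absent is "demand".
ldap_reqcert_value() {
    awk 'BEGIN { v = "demand" }
         /^[[:space:]]*#/ { next }
         toupper($1) == "TLS_REQCERT" { v = tolower($2) }
         END { print v }' "$1"
}

# Return 0 when a valid server certificate is required, 1 for any weaker mode.
#   never  - no certificate is requested at all
#   allow  - a missing or bad certificate still lets the session continue
#   try    - a missing certificate still lets the session continue
ldap_reqcert_is_safe() {
    case "$(ldap_reqcert_value "$1")" in
        demand|hard) return 0 ;;
        *)           return 1 ;;
    esac
}

# One-line report per file, used when the script is run directly.
ldap_reqcert_report() {
    if ldap_reqcert_is_safe "$1"; then
        echo "$1: TLS_REQCERT=$(ldap_reqcert_value "$1") (verification enforced)"
    else
        echo "$1: TLS_REQCERT=$(ldap_reqcert_value "$1") (WEAK: server identity not verified)"
    fi
}

ldap_reqcert_report "$WEAK_CONF"
ldap_reqcert_report "$FIXED_CONF"
```

Point it at the real client file (`/etc/ldap/ldap.conf` on Debian-based systems, `/etc/openldap/ldap.conf` on Red Hat-based ones) to see what the PHP LDAP extension on that host will actually do. The same keyword is also honoured as the `LDAPTLS_REQCERT` environment variable, which is what the putenv attempts discussed in this thread were reaching for; the corrected sample shows the alternative that keeps verification on, adding the directory's CA with `TLS_CACERT` instead of disabling the check.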

@bobgann

bobgann commented Nov 17, 2022

@richard67 Actually, I think I can add an environment variable in my Apache configuration which tells LDAP to do this. I'm trying it on my local XAMPP dev server to see if it works.
