🚧 Fix Start TLS failed, when connecting to LDAP host ldap://ldap.example.tld on PHP 8.3.21, PHP 8.4.7

[nickvergessen]

• Restores compatibility with PHP 8.3.21 due to the bug in ldap no longer respects TLS_CACERT from ldaprc in ldap_start_tls() php/php-src#18529

The diff might help when after upgrading to PHP 8.3.21 you are faced with:

💥 ldap_start_tls(): Unable to start TLS: Connect error at …/apps/user_ldap/lib/LDAP.php#282
💥 Start TLS failed, when connecting to LDAP host ldap://ldap.example.tld.

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)

[blizzz]

Blocking to make sure this is a workaround in case you are on an affected PHP version.

Maybe we can figure out a reliable way to read out the correct setting from the system, but both Cert and LDAP settings vary across different distributions.

[come-nc]

Blocking to make sure this is a workaround in case you are on an affected PHP version.

Maybe we can figure out a reliable way to read out the correct setting from the system, but both Cert and LDAP settings vary across different distributions.

There was also a feature request to use Nextcloud cert bundle for LDAP as well. Not sure how easy/practical it would be.

[blizzz]

Blocking to make sure this is a workaround in case you are on an affected PHP version.
Maybe we can figure out a reliable way to read out the correct setting from the system, but both Cert and LDAP settings vary across different distributions.

There was also a feature request to use Nextcloud cert bundle for LDAP as well. Not sure how easy/practical it would be.

Guess: like this, only that the path is in a configuration setting and only made active if not empty and the file exists and is readable. Most effort would go into testing, but it is mostly chore not challenge imo… trickiest part perhaps DNS, but perhaps that just works out of the box just using the host name within the docker network.

[come-nc]

There was also a feature request to use Nextcloud cert bundle for LDAP as well. Not sure how easy/practical it would be.

Guess: like this, only that the path is in a configuration setting and only made active if not empty and the file exists and is readable. Most effort would go into testing, but it is mostly chore not challenge imo… trickiest part perhaps DNS, but perhaps that just works out of the box just using the host name within the docker network.

The feature request was about using the certificates managed through the occ security:certificates commands.
I was not sure those were in a file, but it appears we should be able to use ICertificateManager::getAbsoluteBundlePath directly. That’s worth a try.

[blizzz]

There was also a feature request to use Nextcloud cert bundle for LDAP as well. Not sure how easy/practical it would be.

Guess: like this, only that the path is in a configuration setting and only made active if not empty and the file exists and is readable. Most effort would go into testing, but it is mostly chore not challenge imo… trickiest part perhaps DNS, but perhaps that just works out of the box just using the host name within the docker network.

The feature request was about using the certificates managed through the occ security:certificates commands. I was not sure those were in a file, but it appears we should be able to use ICertificateManager::getAbsoluteBundlePath directly. That’s worth a try.

Still rather opt-in… or only for new installations. At least don't break what exists :)

[nickvergessen]

Solved by newest PHP update as expected