LDAP Client x509 Certificate Authentication

[precurse]

Google announced their LDAP service: https://support.google.com/cloudidentity/answer/9089736 and we wanted to see if we could get it working for our users.

However, it requires a client certificate to authenticate to the server, which SimpleSAMLphp doesn't support: https://simplesamlphp.org/docs/stable/ldap:ldap . It seems to only support username/password for client authentication.

It would be nice to be able to support client cert/key for authentication in addition to username/password. OpenLDAP supports it using TLS_CERT and TLS_KEY.

It seems that support for this may have only come into PHP in version 7.1: http://php.net/manual/en/function.ldap-set-option.php

[tvdijen]

Hi @precurse ! I've just released v2.0.0-rc1 of this module which is a complete rewrite. It's based on symfony/ldap and allows you to pass connection options supported by the symfony package.. I think what you would need is this, am I right? You should now be able to pass them in the options array of the ldap-authsource.

If this is indeed what you're after, I invite you to run a few tests with this module. You have to use SSP v2.0.0-beta.8 + v2.0.0-rc1 of this module. Your feedback is highly appreciated.

[precurse]

Thanks @tvdijen. Oh wow, I totally forgot I had this ticket open :)

I'm no longer in a role that would let me test this unfortunately, but from quickly eyeballing the source it looks right. Thanks for the follow up.

I'll close the ticket, but feel free to re-open if you want someone else to confirm if this works.

Cheers!

[tvdijen]

Sorry for taking so long...
I suspect this to become a more common use-case, so I'm keeping this open for now. Thanks for getting back!