Hello,
Due to the Netlogon vulnerability in Active Directory, Microsoft will be enforcing secure authentication on all domain controllers starting Tuesday, Feb 9, 2021.
I am using Timetracker version 1.19 and currently connecting to AD without secure authentication. How can I configure Timetracker to connect to AD securely? Please see my current config below.
define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
'server' => '10.x.x.x', // Domain controller IP address or name.
'type' => 'ad', // Type of server.
'base_dn' => 'DC=xxx,DC=org', // Base distinguished name in LDAP catalog.
'default_domain' => 'xxx.org', // Default domain.
'member_of' => array()); // List of groups, membership in which is required for user to be authen
Secure authentication using Active Directory
Re: Secure authentication using Active Directory
If what you want to do is to use the LDAPS protocol instead of LDAP, you may consider introducing a port in the configuration parameters, and also modifying the ldap_connect call in WEB-INF/lib/auth/Auth_ldap.class.php so that it uses https and also a different port to connect to your AD.
Hope it helps.
Re: Secure authentication using Active Directory
Thank you Peter. A colleague fixed the issue. Below is what we had to do.
Config.php
define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
'server' => 'ldaps://servername.xxx.org:636', // Domain controller IP address or name.
'type' => 'ad', // Type of server.
'base_dn' => 'DC=xxx,DC=org', // Base distinguished name in LDAP catalog.
'default_domain' => 'xxx.org', // Default domain.
'member_of' => array()); // List of groups, membership in which is required for user to be authen
Auth_ldap.class.php
Copy the CA certificates to a folder on the server, say C:\SSL.
Add the following to Auth_ldap.class.php and put it above the other ldap_set_option calls.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, 'C:\\SSL');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, 'C:\\SSL\\certname.cer');
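
A stand-alone check of the setup described in the post above, added here as an example (it is not from the thread or from Timetracker's code): it binds over LDAPS with certificate validation required, using PHP's ldap extension. The server URI and CA path are the ones from the post; the test account and the LDAP_TEST_PASSWORD environment variable are assumptions.

```php
<?php
// Added example: stand-alone LDAPS check, not Timetracker code.
function ldaps_check(string $server, string $caFile, string $user, string $pass): array
{
    // Refuse anything but ldaps:// so a typo cannot fall back to cleartext LDAP.
    if (strtolower((string) parse_url($server, PHP_URL_SCHEME)) !== 'ldaps') {
        return [false, "server must be an ldaps:// URI, got: $server"];
    }
    // An empty password turns the bind into an unauthenticated one, which can "succeed".
    if ($pass === '') {
        return [false, 'empty password refused'];
    }
    if (!is_readable($caFile)) {
        return [false, "CA file not readable: $caFile"];
    }
    // TLS options go on the null (global) handle, before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    // Demand a certificate that chains to the CA file and fail the connection otherwise.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $lc = ldap_connect($server); // parses the URI only; no network traffic yet
    if ($lc === false) {
        return [false, 'ldap_connect rejected the URI'];
    }
    ldap_set_option($lc, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($lc, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($lc, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // The TLS handshake and certificate validation happen on this first operation.
    $ok = @ldap_bind($lc, $user, $pass);
    $detail = '';
    ldap_get_option($lc, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    $msg = $ok ? 'bind over LDAPS succeeded' : ldap_error($lc) . ($detail ? " ($detail)" : '');
    ldap_unbind($lc);
    return [$ok, $msg];
}

// Values from the post, plus a placeholder account and a hypothetical env var.
[$ok, $msg] = ldaps_check(
    'ldaps://servername.xxx.org:636',
    'C:\\SSL\\certname.cer',
    'testuser@xxx.org',
    (string) getenv('LDAP_TEST_PASSWORD')
);
echo ($ok ? 'OK: ' : 'FAIL: ') . $msg . PHP_EOL;
exit($ok ? 0 : 1);
```

Run it from the command line on the web server itself, so it uses the same PHP build and CA file that Timetracker will use.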