Merge pull request #701 from DirectoryTree/FEATURE-700

Feature 700 - [Feature] Disable mandatory TLS connection for localhost

Author: stevebauman

src/Configuration/DomainConfiguration.php

@@ -38,15 +38,18 @@ class DomainConfiguration
         // The password to use for binding.
         'password' => '',
 
-        // Whether or not to use SSL when connecting.
+        // Whether to use SSL when connecting.
         'use_ssl' => false,
 
-        // Whether or not to use TLS when connecting.
+        // Whether to use TLS when connecting.
         'use_tls' => false,
 
-        // Whether or not to use SASL when connecting.
+        // Whether to use SASL when connecting.
         'use_sasl' => false,
 
+        // Whether to allow password changes over plaintext.
+        'allow_insecure_password_changes' => false,
+
         // SASL options
         'sasl_options' => [
             'mech' => null,
@@ -56,7 +59,7 @@ class DomainConfiguration
             'props' => null,
         ],
 
-        // Whether or not follow referrals is enabled when performing LDAP operations.
+        // Whether follow referrals is enabled when performing LDAP operations.
         'follow_referrals' => false,
 
         // Custom LDAP options.

src/Models/Attributes/TSProperty.php

@@ -202,7 +202,7 @@ protected function getDecodedValueForProp(string $propName, string $propValue):
      * Decode the property by inspecting the nibbles of each blob, checking
      * the control, and adding up the results into a final value.
      *
-     * @param  bool  $string  Whether or not this is simple string data.
+     * @param  bool  $string  Whether this is simple string data.
      */
     protected function decodePropValue(string $hex, bool $string = false): string
     {

src/Models/Concerns/HasPassword.php

@@ -165,10 +165,16 @@ protected function assertSecureConnection(): void
     {
         $connection = $this->getConnection();
 
+        $config = $connection->getConfiguration();
+
+        if ($config->get('allow_insecure_password_changes') === true) {
+            return;
+        }
+
         if ($connection->isConnected()) {
             $secure = $connection->getLdapConnection()->canChangePasswords();
         } else {
-            $secure = $connection->getConfiguration()->get('use_ssl') || $connection->getConfiguration()->get('use_tls');
+            $secure = $config->get('use_ssl') || $config->get('use_tls');
         }
 
         if (! $secure) {

tests/Unit/Configuration/DomainConfigurationTest.php

@@ -98,6 +98,7 @@ public function test_get_all()
             'use_ssl' => false,
             'use_tls' => false,
             'use_sasl' => false,
+            'allow_insecure_password_changes' => false,
             'sasl_options' => [
                 'mech' => null,
                 'realm' => null,

tests/Unit/FakeDirectoryTest.php

@@ -53,6 +53,7 @@ public function test_fake_connection_uses_real_connections_config()
             'use_tls' => true,
             'use_ssl' => false,
             'use_sasl' => false,
+            'allow_insecure_password_changes' => false,
             'timeout' => 5,
             'version' => 3,
             'follow_referrals' => false,