feat: Add TLS options for LDAP (#1389)

Optional StartTLS for LDAP and add option to skip TLS verification. Co-authored-by: Jade Ellis <jade@ellis.link> Reviewed-on: https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1389 Reviewed-by: Jade Ellis <jade@ellis.link>
2026-05-26 20:49:55 +00:00 · 2026-04-23 17:39:25 +00:00
parent 19204b097d
commit 980bd475b6
4 changed files with 43 additions and 4 deletions
@@ -0,0 +1 @@
+LDAP can now optionally be connected to using StartTLS, and you may unsafely skip verification. Contributed by @getz
@@ -1966,6 +1966,14 @@
 #
 #uri = ""

+# StartTLS for LDAP connections.
+#
+#use_starttls = false
+
+# Skip TLS certificate verification, possibly dangerous.
+#
+#disable_tls_verification = false
+
 # Root of the searches.
 #
 # example: "ou=users,dc=example,dc=org"
@@ -2324,6 +2324,18 @@ pub struct LdapConfig {
 	#[serde(default)]
 	pub uri: Option<Url>,

+	/// StartTLS for LDAP connections.
+	///
+	/// default: false
+	#[serde(default)]
+	pub use_starttls: bool,
+
+	/// Skip TLS certificate verification, possibly dangerous.
+	///
+	/// default: false
+	#[serde(default)]
+	pub disable_tls_verification: bool,
+
 	/// Root of the searches.
 	///
 	/// example: "ou=users,dc=example,dc=org"
@@ -15,7 +15,7 @@ use conduwuit_core::{debug, error};
 use database::{Deserialized, Ignore, Interfix, Json, Map};
 use futures::{Stream, StreamExt, TryFutureExt};
 #[cfg(feature = "ldap")]
-use ldap3::{LdapConnAsync, Scope, SearchEntry};
+use ldap3::{LdapConnAsync, LdapConnSettings, Scope, SearchEntry};
 use ruma::{
 	DeviceId, KeyId, MilliSecondsSinceUnixEpoch, OneTimeKeyAlgorithm, OneTimeKeyId,
 	OneTimeKeyName, OwnedDeviceId, OwnedKeyId, OwnedMxcUri, OwnedUserId, RoomId, UInt, UserId,
@@ -1285,6 +1285,24 @@ impl Service {
 		}
 	}

+	#[cfg(feature = "ldap")]
+	async fn create_ldap_connection(
+		config: &conduwuit_core::config::LdapConfig,
+		uri: &str,
+	) -> Result<(LdapConnAsync, ldap3::Ldap), ldap3::LdapError> {
+		let mut settings = LdapConnSettings::new();
+
+		if config.use_starttls {
+			settings = settings.set_starttls(true);
+		}
+
+		if config.disable_tls_verification {
+			settings = settings.set_no_tls_verify(true);
+		}
+
+		LdapConnAsync::with_settings(settings, uri).await
+	}
+
 	#[cfg(not(feature = "ldap"))]
 	pub async fn search_ldap(&self, _user_id: &UserId) -> Result<Vec<(String, Option<bool>)>> {
 		Err!(FeatureDisabled("ldap"))
@@ -1302,7 +1320,7 @@ impl Service {
 			.ok_or_else(|| err!(Ldap(error!("LDAP URI is not configured."))))?;

 		debug!(?uri, "LDAP creating connection...");
-		let (conn, mut ldap) = LdapConnAsync::new(uri.as_str())
+		let (conn, mut ldap) = Self::create_ldap_connection(config, uri.as_str())
 			.await
 			.map_err(|e| err!(Ldap(error!(%user_id, "LDAP connection setup error: {e}"))))?;

@@ -1411,9 +1429,9 @@ impl Service {
 			.ok_or_else(|| err!(Ldap(error!("LDAP URI is not configured."))))?;

 		debug!(?uri, "LDAP creating connection...");
-		let (conn, mut ldap) = LdapConnAsync::new(uri.as_str())
+		let (conn, mut ldap) = Self::create_ldap_connection(config, uri.as_str())
 			.await
-			.map_err(|e| err!(Ldap(error!(?user_dn, "LDAP connection setup error: {e}"))))?;
+			.map_err(|e| err!(Ldap(error!(%user_dn, "LDAP connection setup error: {e}"))))?;

 		let driver = self.services.server.runtime().spawn(async move {
 			match conn.drive().await {
				`@@ -0,0 +1 @@`
				`LDAP can now optionally be connected to using StartTLS, and you may unsafely skip verification. Contributed by @getz`