From d87f0f3c15dbdd77f3cd55c200b61aa757be992e Mon Sep 17 00:00:00 2001
From: ssams <6338356+ssams@users.noreply.github.com>
Date: Tue, 25 Apr 2023 21:30:47 +0200
Subject: [PATCH] ldap auth: allow connecting using StartTLS
---
 .env.template | 1 +
 docs/features/authentication.md | 1 +
 recipes/settings.py | 1 +
 3 files changed, 3 insertions(+)
diff --git a/.env.template b/.env.template
index 0a56eec6..1ed99a8e 100644
--- a/.env.template
+++ b/.env.template
@@ -147,6 +147,7 @@ REVERSE_PROXY_AUTH=0
 #AUTH_LDAP_BIND_PASSWORD=
 #AUTH_LDAP_USER_SEARCH_BASE_DN=
 #AUTH_LDAP_TLS_CACERTFILE=
+#AUTH_LDAP_START_TLS=
 # Enables exporting PDF (see export docs)
 # Disabled by default, uncomment to enable
diff --git a/docs/features/authentication.md b/docs/features/authentication.md
index 4dd619e6..f218d662 100644
--- a/docs/features/authentication.md
+++ b/docs/features/authentication.md
@@ -96,6 +96,7 @@ AUTH_LDAP_USER_SEARCH_FILTER_STR=(uid=%(user)s)
 AUTH_LDAP_USER_ATTR_MAP={'first_name': 'givenName', 'last_name': 'sn', 'email': 'mail'}
 AUTH_LDAP_ALWAYS_UPDATE_USER=1
 AUTH_LDAP_CACHE_TIMEOUT=3600
+AUTH_LDAP_START_TLS=1
 AUTH_LDAP_TLS_CACERTFILE=/etc/ssl/certs/own-ca.pem
 ```
diff --git a/recipes/settings.py b/recipes/settings.py
index c9ffd32c..553382c5 100644
--- a/recipes/settings.py
+++ b/recipes/settings.py
@@ -172,6 +172,7 @@ if LDAP_AUTH:
 from django_auth_ldap.config import LDAPSearch
 AUTHENTICATION_BACKENDS.append('django_auth_ldap.backend.LDAPBackend')
 AUTH_LDAP_SERVER_URI = os.getenv('AUTH_LDAP_SERVER_URI')
+ AUTH_LDAP_START_TLS = bool(int(os.getenv('AUTH_LDAP_START_TLS', False)))
 AUTH_LDAP_BIND_DN = os.getenv('AUTH_LDAP_BIND_DN')
 AUTH_LDAP_BIND_PASSWORD = os.getenv('AUTH_LDAP_BIND_PASSWORD')
 AUTH_LDAP_USER_SEARCH = LDAPSearch(
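Review bot: In recipes/settings.py the new `AUTH_LDAP_START_TLS = bool(int(os.getenv('AUTH_LDAP_START_TLS', False)))` line raises ValueError during settings import when the variable is set but empty, which is exactly what uncommenting the `#AUTH_LDAP_START_TLS=` line added to .env.template produces. Shipping the template line as `#AUTH_LDAP_START_TLS=1` would make uncommenting it both parseable and the secure choice, rather than nudging operators to drop the setting just to get the app to start. Because the default stays off, an `ldap://` server URI still carries the bind password and user logins unencrypted, so a comment such as `# upgrade ldap:// connections with StartTLS; leave unset only when AUTH_LDAP_SERVER_URI is ldaps://` above the assignment would help. The `if LDAP_AUTH:` block starts and ends outside this hunk, so whether certificate verification options are applied to the StartTLS session cannot be confirmed from here.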