Support implicit TLS connections

Update docs to clarify that the :ssl option is also for modern TLS, but the :tls option is only for STARTTLS

These options may benefit from being renamed but they match upstream terminology.

changelog.d/ldaps.fix

@@ -0,0 +1 @@
+LDAPS connections (implicit TLS) are now supported.

docs/configuration/cheatsheet.md

@@ -968,9 +968,9 @@ Pleroma account will be created with the same name as the LDAP user name.
 * `enabled`: enables LDAP authentication
 * `host`: LDAP server hostname
 * `port`: LDAP port, e.g. 389 or 636
-* `ssl`: true to use SSL, usually implies the port 636
+* `ssl`: true to use implicit SSL/TLS, usually port 636
 * `sslopts`: additional SSL options
-* `tls`: true to start TLS, usually implies the port 389
+* `tls`: true to use explicit TLS (STARTTLS), usually port 389
 * `tlsopts`: additional TLS options
 * `base`: LDAP base, e.g. "dc=example,dc=com"
 * `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"

lib/pleroma/web/auth/ldap_authenticator.ex

@@ -40,34 +40,39 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
     host = Keyword.get(ldap, :host, "localhost")
     port = Keyword.get(ldap, :port, 389)
     ssl = Keyword.get(ldap, :ssl, false)
-    sslopts = Keyword.get(ldap, :sslopts, [])
+    tls = Keyword.get(ldap, :tls, false)
-    tlsopts = Keyword.get(ldap, :tlsopts, [])
     cacertfile = Keyword.get(ldap, :cacertfile) || CAStore.file_path()
 
-    options =
+    default_secure_opts = [
-      [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
+      verify: :verify_peer,
-        if sslopts != [], do: [{:sslopts, sslopts}], else: []
+      cacerts: decode_certfile(cacertfile),
+      customize_hostname_check: [
+        fqdn_fun: fn _ -> to_charlist(host) end
+      ]
+    ]
 
-    cacerts = decode_certfile(cacertfile)
+    sslopts = Keyword.merge(default_secure_opts, Keyword.get(ldap, :sslopts, []))
+    tlsopts = Keyword.merge(default_secure_opts, Keyword.get(ldap, :tlsopts, []))
+
+    # :sslopts can only be included in :eldap.open/2 when {ssl: true}
+    # or the connection will fail
+    options =
+      if ssl do
+        [{:port, port}, {:ssl, ssl}, {:sslopts, sslopts}, {:timeout, @connection_timeout}]
+      else
+        [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}]
+      end
 
     case :eldap.open([to_charlist(host)], options) do
       {:ok, connection} ->
-        try do
+        cond do
-          if Keyword.get(ldap, :tls, false) do
+          ssl ->
             :application.ensure_all_started(:ssl)
 
+          tls ->
             case :eldap.start_tls(
                    connection,
-                   Keyword.merge(
+                   tlsopts,
-                     [
-                       verify: :verify_peer,
-                       cacerts: cacerts,
-                       customize_hostname_check: [
-                         fqdn_fun: fn _ -> to_charlist(host) end
-                       ]
-                     ],
-                     tlsopts
-                   ),
                    @connection_timeout
                  ) do
               :ok ->
@@ -75,14 +80,15 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
 
               error ->
                 Logger.error("Could not start TLS: #{inspect(error)}")
+                :eldap.close(connection)
             end
-          end
 
-          bind_user(connection, ldap, name, password)
+          true ->
-        after
+            :ok
-          :eldap.close(connection)
         end
 
+        bind_user(connection, ldap, name, password)
+
       {:error, error} ->
         Logger.error("Could not open LDAP connection: #{inspect(error)}")
         {:error, {:ldap_connection_error, error}}