From df404476160526d8512fb23b606965b98f7f25f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20N=C3=B6the?=
Date: Fri, 13 Mar 2020 21:07:44 +0100
Subject: [PATCH] ldap: add option for ldap starttls support

---
 README.md | 1 +
 docker-compose.yml | 1 +
 env.example | 3 +++
 prosody/rootfs/defaults/saslauthd.conf | 3 +++
 4 files changed, 8 insertions(+)

diff --git a/README.md b/README.md
index 6a8550e..31b5e84 100644
--- a/README.md
+++ b/README.md
@@ -290,6 +290,7 @@ Variable | Description | Example
 `LDAP_TLS_CHECK_PEER` | Require and verify LDAP server certificate | 1
 `LDAP_TLS_CACERT_FILE` | Path to CA cert file. Used when server certificate verify is enabled | /etc/ssl/certs/ca-certificates.crt
 `LDAP_TLS_CACERT_DIR` | Path to CA certs directory. Used when server certificate verify is enabled. | /etc/ssl/certs
+`LDAP_START_TLS` | Enable START_TLS, requires LDAPv3, URL must be ldap:// not ldaps:// | 0
 
 #### Authentication using JWT tokens
 
diff --git a/docker-compose.yml b/docker-compose.yml
index b6aad95..bdf39b6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -69,6 +69,7 @@ services:
 - LDAP_TLS_CHECK_PEER
 - LDAP_TLS_CACERT_FILE
 - LDAP_TLS_CACERT_DIR
+ - LDAP_START_TLS
 - XMPP_DOMAIN
 - XMPP_AUTH_DOMAIN
 - XMPP_GUEST_DOMAIN
diff --git a/env.example b/env.example
index bea835f..20733cb 100644
--- a/env.example
+++ b/env.example
@@ -134,6 +134,9 @@ TZ=Europe/Amsterdam
 # Path to CA certs directory. Used when server sertificate verify is enabled.
 #LDAP_TLS_CACERT_DIR=/etc/ssl/certs
 
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
 #
 # Advanced configuration options (you generally don't need to change these)
 
diff --git a/prosody/rootfs/defaults/saslauthd.conf b/prosody/rootfs/defaults/saslauthd.conf
index 8660387..9e6afdb 100644
--- a/prosody/rootfs/defaults/saslauthd.conf
+++ b/prosody/rootfs/defaults/saslauthd.conf
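Review bot: The comment added to env.example has a typo, `Wether` should be `Whether`, and the commented-out example `# LDAP_START_TLS=1` puts a space after `#` while the neighbouring `#LDAP_TLS_CACERT_DIR=/etc/ssl/certs` line does not. Someone who uncomments it by deleting only the `#` is left with a leading space before the key, which some env-file readers may not accept; `#LDAP_START_TLS=1` keeps the file's own convention. The README row added in the first hunk says the default is 0, so the comment could also state that StartTLS is off unless this line is enabled.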
@@ -19,3 +19,6 @@ ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
 {{ end }}
 {{ end }}
 {{ end }}
+{{ if .Env.LDAP_START_TLS | default "0" | toBool }}
+ldap_start_tls: yes
+{{ end }}
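Review bot: `ldap_start_tls: yes` upgrades the plain ldap:// connection to TLS but does not on its own authenticate the LDAP server; unless `ldap_tls_check_peer` is also enabled (driven by `LDAP_TLS_CHECK_PEER`, which the README row in this patch describes as "Require and verify LDAP server certificate"), the StartTLS session is encrypted yet accepts any certificate. A one-line comment above the new block would make that pairing explicit for operators: `# StartTLS only encrypts the session; set LDAP_TLS_CHECK_PEER=1 so the server certificate is actually verified.` The README also states that the URL must be ldap:// and that LDAPv3 is required, and the template enforces neither, so a StartTLS flag combined with an ldaps:// URL presumably only shows up as a bind failure at runtime; naming that in the same comment would save a debugging round. The three `{{ end }}` context lines close conditionals that begin outside this hunk.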