From 73b77defe455207162968f567fac9c112516076b Mon Sep 17 00:00:00 2001
From: Peter Marschall <peter@adpm.de>
Date: Sun, 14 Sep 2025 10:27:26 +0200
Subject: [PATCH] LDAP auth: warn on unset ldap_ssl_ca_file when certificate
 verification is wanted

---
 radicale/auth/ldap.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py
index 9df25b83..0783cfcf 100644
--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@@ -122,6 +122,9 @@ class Auth(auth.BaseAuth):
             logger.info("Inferring 'ldap_security' = tls from 'ldap_uri' starting with 'ldaps://'")
             self._ldap_security = "tls"
 
+        if self._ldap_ssl_ca_file == "" and self._ldap_ssl_verify_mode != ssl.CERT_NONE and self._ldap_security in ("tls", "starttls"):
+            logger.warning("Certificate verification not possible: 'ldap_ssl_ca_file' not set")
+
         logger.info("auth.ldap_uri             : %r" % self._ldap_uri)
         logger.info("auth.ldap_base            : %r" % self._ldap_base)
         logger.info("auth.ldap_reader_dn       : %r" % self._ldap_reader_dn)