From c58eef4bacc7f457782a174178d55b03781477bc Mon Sep 17 00:00:00 2001
From: Peter Marschall
Date: Sun, 14 Sep 2025 10:04:22 +0200
Subject: [PATCH] LDAP auth: infer 'ldap_security = tls' from the URL prefix: ldaps:// => LDAPS LDAP URIs starting with the scheme 'ldaps' are - by definition - meant to use LDAPS instead of plain LDAP: infer 'ldap_security' = "tls" if it is not set.
---
 radicale/auth/ldap.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py
index 249c3b1a..9df25b83 100644
--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@@ -118,6 +118,10 @@ class Auth(auth.BaseAuth):
 elif tmp == "OPTIONAL":
 self._ldap_ssl_verify_mode = ssl.CERT_OPTIONAL
+ if self._ldap_uri.lower().startswith("ldaps://") and self._ldap_security not in ("tls", "starttls"):
+ logger.info("Inferring 'ldap_security' = tls from 'ldap_uri' starting with 'ldaps://'")
+ self._ldap_security = "tls"
+
 logger.info("auth.ldap_uri : %r" % self._ldap_uri)
 logger.info("auth.ldap_base : %r" % self._ldap_base)
 logger.info("auth.ldap_reader_dn : %r" % self._ldap_reader_dn)
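Review bot: The inference runs after the `ldap_ssl_verify_mode` handling visible at the top of the hunk, so if that TLS setup (verify mode, CA file) is guarded by the configured `ldap_security` value, an `ldaps://` URI with `ldap_security` unset would get TLS without the operator's certificate-verification settings being applied; the guard is outside the hunk, so this needs confirming. Moving the three added lines to just after `ldap_security` is read from the configuration would let every later check see the effective value. The condition also leaves `ldap_security = starttls` combined with an `ldaps://` URI untouched, a contradictory pair that would be better rejected or reported with `logger.warning(...)` than passed on silently. The commit message says the value is inferred "if it is not set", but `not in ("tls", "starttls")` also overrides any other explicit value, which deserves a comment such as `# ldaps:// implies TLS; overrides any non-TLS ldap_security`. The enclosing method begins and ends outside the hunk.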