From f0626a8dde005d351f61b93fa9f861d20a7562a2 Mon Sep 17 00:00:00 2001
From: Peter Marschall
Date: Sun, 28 Sep 2025 13:17:29 +0200
Subject: [PATCH] LDAP auth: change 'ldap_ssl_verify_mode' to NONE for ldapi://

For ldapi:// connections, which connect - by definition - to a local UNIX socket, lower the value of config setting 'ldap_ssl_verify_mode' to "NONE" to avoid certificate validation failures. The UNIX socket address can NEVER match any DNS name from a certificate, making the whole certificate validation moot. This is a workaround for a limitation of Python's LDAP modules, that do not consider this edge case.
---
 radicale/auth/ldap.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py
index a627e132..48634327 100644
--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@@ -119,6 +119,9 @@ class Auth(auth.BaseAuth):
 if self._ldap_uri.lower().startswith("ldaps://") and self._ldap_security not in ("tls", "starttls"):
 logger.info("Inferring 'ldap_security' = tls from 'ldap_uri' starting with 'ldaps://'")
 self._ldap_security = "tls"
+ if self._ldap_uri.lower().startswith("ldapi://") and self._ldap_ssl_verify_mode != "NONE":
+ logger.info("Lowering 'ldap_'ldap_ssl_verify_mode' to NONE for 'ldap_uri' starting with 'ldapi://'")
+ self._ldap_ssl_verify_mode = "NONE"
 if self._ldap_ssl_ca_file == "" and self._ldap_ssl_verify_mode != "NONE" and self._ldap_security in ("tls", "starttls"):
 logger.warning("Certificate verification not possible: 'ldap_ssl_ca_file' not set")
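Review bot: The log message in the added `logger.info` call garbles the setting name — `'ldap_'ldap_ssl_verify_mode'` carries a stray `'ldap_` prefix and unbalanced quotes, so an operator searching logs for the real key will not find this event; change it to `logger.info("Lowering 'ldap_ssl_verify_mode' to NONE for 'ldap_uri' starting with 'ldapi://'")`. Because this overrides a verification setting the operator explicitly configured, it seems worth logging at warning level, as the 'ldap_ssl_ca_file' check right below it does, and stating the reason in the message (the UNIX socket peer can never match a certificate name). The override also fires when 'ldap_security' is tls or starttls over ldapi://; if TLS were ever actually negotiated on such a socket, verification would now be quietly off instead of failing loudly, so either a comment documenting that this combination is unsupported or narrowing the condition to the non-TLS case would make the intent explicit. The enclosing method starts and ends outside the hunk.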