LDAP auth: change 'ldap_ssl_verify_mode' to NONE for ldapi://

For ldapi:// connections, which connect - by definition - to a local UNIX socket, lower the value of config setting 'ldap_ssl_verify_mode' to "NONE" to avoid certificate validation failures. The UNIX socket address can NEVER match any DNS name from a certificate, making the whole certificate validation moot. This is a workaround for a limitation of Python's LDAP modules, that do not consider this edge case.
2025-09-30 21:12:05 +00:00 · 2025-09-28 13:17:29 +02:00 · 2025-09-28 13:17:29 +02:00 · f0626a8dde
commit f0626a8dde
parent bcba53ed8d
1 changed files with 3 additions and 0 deletions
--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@ -119,6 +119,9 @@ class Auth(auth.BaseAuth):
        if self._ldap_uri.lower().startswith("ldaps://") and self._ldap_security not in ("tls", "starttls"):
            logger.info("Inferring 'ldap_security' = tls from 'ldap_uri' starting with 'ldaps://'")
            self._ldap_security = "tls"
+        if self._ldap_uri.lower().startswith("ldapi://") and self._ldap_ssl_verify_mode != "NONE":
+            logger.info("Lowering 'ldap_'ldap_ssl_verify_mode' to NONE for 'ldap_uri' starting with 'ldapi://'")
+            self._ldap_ssl_verify_mode = "NONE"

        if self._ldap_ssl_ca_file == "" and self._ldap_ssl_verify_mode != "NONE" and self._ldap_security in ("tls", "starttls"):
            logger.warning("Certificate verification not possible: 'ldap_ssl_ca_file' not set")