
support connect ldap server with starttls (#5969)

* support connecting to an LDAP server with STARTTLS

* add more doc for start_tls option
Chen Chenglong 9 years ago
parent
commit
7b1c374f64
4 changed files with 15 additions and 1 deletions
  1. 2 0
      conf/ldap.toml
  2. 2 0
      docs/sources/installation/ldap.md
  3. 10 1
      pkg/login/ldap.go
  4. 1 0
      pkg/login/settings.go

+ 2 - 0
conf/ldap.toml

@@ -8,6 +8,8 @@ host = "127.0.0.1"
 port = 389
 # Set to true if ldap server supports TLS
 use_ssl = false
+# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
+start_tls = false
 # set to true if you want to skip ssl cert validation
 ssl_skip_verify = false
 # set to the path to your root CA certificate or leave unset to use system defaults
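Review bot: The new `start_tls` comment does not say that the option is only honoured together with `use_ssl`; judging from the nesting in the pkg/login/ldap.go hunk, the STARTTLS branch sits inside the TLS path (the enclosing condition is outside that hunk), so `start_tls = true` with `use_ssl = false` would silently produce a plaintext connection. The wording is also ungrammatical. Suggest `# Set to true to connect in plaintext and then upgrade the connection with STARTTLS (only takes effect when use_ssl = true)`, and the same text for the identical comment in docs/sources/installation/ldap.md.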

+ 2 - 0
docs/sources/installation/ldap.md

@@ -27,6 +27,8 @@ host = "127.0.0.1"
 port = 389
 # Set to true if ldap server supports TLS
 use_ssl = false
+# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
+start_tls = false
 # set to true if you want to skip ssl cert validation
 ssl_skip_verify = false
 # set to the path to your root CA certificate or leave unset to use system defaults

+ 10 - 1
pkg/login/ldap.go

@@ -48,7 +48,16 @@ func (a *ldapAuther) Dial() error {
 				ServerName:         host,
 				RootCAs:            certPool,
 			}
-			a.conn, err = ldap.DialTLS("tcp", address, tlsCfg)
+			if a.server.StartTLS {
+				a.conn, err = ldap.Dial("tcp", address)
+				if err == nil {
+					if err = a.conn.StartTLS(tlsCfg); err == nil {
+						return nil
+					}
+				}
+			} else {
+				a.conn, err = ldap.DialTLS("tcp", address, tlsCfg)
+			}
 		} else {
 			a.conn, err = ldap.Dial("tcp", address)
 		}
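Review bot: When `a.conn.StartTLS(tlsCfg)` fails, the plaintext connection just opened by `ldap.Dial` is left in `a.conn`, never closed, and control falls out of the block with `err` set; the caller could then be holding an unencrypted socket it did not ask for. Close and clear it in that path, e.g. replace the inner `if err = a.conn.StartTLS(tlsCfg); err == nil { return nil }` with `if err = a.conn.StartTLS(tlsCfg); err == nil { return nil }` followed by `a.conn.Close(); a.conn = nil`. Note also that the success path returns nil directly while the `DialTLS` and plain `Dial` paths fall through to whatever error handling follows the block (outside the hunk, as is the rest of Dial), so any post-dial steps there are skipped for STARTTLS; worth confirming that is intended.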

+ 1 - 0
pkg/login/settings.go

@@ -19,6 +19,7 @@ type LdapServerConf struct {
 	Host          string           `toml:"host"`
 	Port          int              `toml:"port"`
 	UseSSL        bool             `toml:"use_ssl"`
+	StartTLS      bool             `toml:"start_tls"`
 	SkipVerifySSL bool             `toml:"ssl_skip_verify"`
 	RootCACert    string           `toml:"root_ca_cert"`
 	BindDN        string           `toml:"bind_dn"`