feat(ldap): Allow to use global default_certificates_bundle_path for ldap

szaimen · szaimen · commit 04f6777701d0 · 2026-01-08T15:51:57.000+01:00
Signed-off-by: Simon L. &lt;szaimen@e.mail.de&gt;
diff --git a/apps/user_ldap/lib/Connection.php b/apps/user_ldap/lib/Connection.php
@@ -686,6 +686,26 @@ private function doConnect($host, $port): bool {
 			$this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
 		}
 
+		/** @var ICertificateManager $certManager */
+		$certManager = Server::get(ICertificateManager::class);
+		$defaultCertificatePath = $certManager->getDefaultCertificatesBundlePath();
+		// We check if default certificate path is actually set to a custom value.
+		// Otherwise this would be a breaking change and cannot be backported.
+		if (!empty($defaultCertificatePath) && $defaultCertificatePath !== \OC::$SERVERROOT . '/resources/config/ca-bundle.crt') {
+			$absoluteBundlePath = $certManager->getAbsoluteBundlePath();
+			if ($this->ldap->setOption(null, LDAP_OPT_X_TLS_CACERTFILE, $absoluteBundlePath)) {
+				$this->logger->debug(
+					'Adjusted the tls certificate file path to ' . $absoluteBundlePath,
+					['app' => 'user_ldap']
+				);
+			} else {
+				$this->logger->warning(
+					'Could not change the tls certificate file path.',
+					['app' => 'user_ldap']
+				);
+			}
+		}
+
 		$this->ldapConnectionRes = $this->ldap->connect($host, $port) ?: null;
 
 		if ($this->ldapConnectionRes === null) {
