owncloud · wkloucek · May 31, 2022 · May 31, 2022 · May 31, 2022
diff --git a/changelog/unreleased/fix-ldap-insecure-options.md b/changelog/unreleased/fix-ldap-insecure-options.md
@@ -0,0 +1,9 @@
+Bugfix: Fix LDAP insecure options
+
+We've fixed multiple LDAP insecure options:
+
+* The Graph LDAP insecure option default was set to `true` and now defaults to `false`. This is possible after #3888, since the Graph also now uses the LDAP CAcert by default.
+* The Graph LDAP insecure option was configurable by the environment variable `OCIS_INSECURE`, which was replaced by the dedicated `LDAP_INSECURE` variable. This variable is also used by all other services using LDAP.
+* The IDP insecure option for the user backend now also picks up configuration from `LDAP_INSECURE`.
+
+https://github.com/owncloud/ocis/pull/3897
diff --git a/extensions/graph/pkg/config/config.go b/extensions/graph/pkg/config/config.go
@@ -39,7 +39,7 @@ type Spaces struct {
 type LDAP struct {
 	URI           string `yaml:"uri" env:"LDAP_URI;GRAPH_LDAP_URI"`
 	CACert        string `yaml:"cacert" env:"LDAP_CACERT;GRAPH_LDAP_CACERT" desc:"The certificate to verify TLS connections"`
-	Insecure      bool   `yaml:"insecure" env:"OCIS_INSECURE;GRAPH_LDAP_INSECURE"`
+	Insecure      bool   `yaml:"insecure" env:"LDAP_INSECURE;GRAPH_LDAP_INSECURE"`
 	BindDN        string `yaml:"bind_dn" env:"LDAP_BIND_DN;GRAPH_LDAP_BIND_DN"`
 	BindPassword  string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;GRAPH_LDAP_BIND_PASSWORD"`
 	UseServerUUID bool   `yaml:"use_server_uuid" env:"GRAPH_LDAP_SERVER_UUID"`

diff --git a/extensions/graph/pkg/config/defaults/defaultconfig.go b/extensions/graph/pkg/config/defaults/defaultconfig.go
@@ -42,7 +42,7 @@ func DefaultConfig() *config.Config {
 			Backend: "ldap",
 			LDAP: config.LDAP{
 				URI:                      "ldaps://localhost:9235",
-				Insecure:                 true,
+				Insecure:                 false,
 				CACert:                   path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
 				BindDN:                   "uid=libregraph,ou=sysusers,o=libregraph-idm",
 				UseServerUUID:            false,

diff --git a/extensions/graph/pkg/service/v0/graph_test.go b/extensions/graph/pkg/service/v0/graph_test.go
@@ -37,6 +37,7 @@ var _ = Describe("Graph", func() {
 	JustBeforeEach(func() {
 		ctx = context.Background()
 		cfg = defaults.FullDefaultConfig()
+		cfg.Identity.LDAP.CACert = "" // skip the startup checks, we don't use LDAP at all in this tests
 		cfg.TokenManager.JWTSecret = "loremipsum"
 
 		gatewayClient = &mocks.GatewayClient{}

diff --git a/extensions/idp/pkg/config/config.go b/extensions/idp/pkg/config/config.go
@@ -81,7 +81,7 @@ type Settings struct {
 	AuthorizationEndpointURI string `yaml:"authorization_endpoint_uri" env:"IDP_ENDPOINT_URI"`
 	EndsessionEndpointURI    string `yaml:"end_session_endpoint_uri" env:"IDP_ENDSESSION_ENDPOINT_URI"`
 
-	Insecure bool `yaml:"insecure" env:"IDP_INSECURE" desc:"Allow insecure connections to the backend."`
+	Insecure bool `yaml:"insecure" env:"LDAP_INSECURE;IDP_INSECURE" desc:"Allow insecure connections to the user backend (eg. LDAP, CS3 api, ...)."`
 
 	TrustedProxy []string `yaml:"trusted_proxy"` //TODO: how to configure this via env?