From f89c98a2596945053ecdd8a2c82052b8d625b3c3 Mon Sep 17 00:00:00 2001
From: Brian Lycett <brian@wheelybird.co.uk>
Date: Mon, 9 Mar 2020 13:57:10 +0000
Subject: [PATCH 1/3] Use the system CA bundle when not using user-supplied CA
 certs.

---
 files/configuration/setup_ldap.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/files/configuration/setup_ldap.sh b/files/configuration/setup_ldap.sh
index 5a315e7..141ffe0 100644
--- a/files/configuration/setup_ldap.sh
+++ b/files/configuration/setup_ldap.sh
@@ -27,6 +27,8 @@ fi
 if [ "${LDAP_TLS_CA_CERT}x" != "x" ] ; then
   echo "$LDAP_TLS_CA_CERT" > $OPENVPN_DIR/ldap-ca.crt
   echo "tls_cacertfile ${OPENVPN_DIR}/ldap-ca.crt" >> $LDAP_CONFIG
+else
+  echo "tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt" >> $LDAP_CONFIG
 fi
 
 if [ "${ACTIVE_DIRECTORY_COMPAT_MODE}" == "true" ]; then
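Review bot: The new `else` branch hard-codes `/etc/pki/tls/certs/ca-bundle.crt` without checking that the file exists in the image; that path is distribution-specific, and if it is missing nslcd is handed a `tls_cacertfile` it cannot read, with the outcome (refused connections or a silently ignored directive) depending on nslcd behaviour not visible here. A guard before the write makes the fallback explicit, e.g. `[ -r /etc/pki/tls/certs/ca-bundle.crt ] || echo "warning: system CA bundle not found, LDAP TLS validation may fail" >&2`, and a comment such as `# No CA supplied: fall back to the image's system CA bundle` documents the intent. The redirection target on the added line is also unquoted (`>> $LDAP_CONFIG`), matching the surrounding lines, but new code should use `>> "$LDAP_CONFIG"`.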

From 07369560365e0b72b72c3dde7ac0d4727da63ee3 Mon Sep 17 00:00:00 2001
From: Brian Lycett <brian@wheelybird.co.uk>
Date: Mon, 9 Mar 2020 13:57:46 +0000
Subject: [PATCH 2/3] Update version in the README

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4c2809d..0f814e0 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,7 @@ docker run \
            -e "LDAP_URI=ldap://ldap.mycompany.com" \
            -e "LDAP_BASE_DN=dc=mycompany,dc=com" \
            --cap-add=NET_ADMIN \
-           wheelybird/openvpn-ldap-otp:v1.1
+           wheelybird/openvpn-ldap-otp:v1.2
 ```
 
 * `--cap-add=NET_ADMIN` is necessary; the container needs to create the tunnel device and create iptable rules.

From 0f9e2d7ed82b9114ad1d40f409e5e8cf835cbf68 Mon Sep 17 00:00:00 2001
From: Brian Lycett <brian@wheelybird.co.uk>
Date: Mon, 9 Mar 2020 14:25:22 +0000
Subject: [PATCH 3/3] Allow different TLS modes

---
 README.md                           | 5 +++--
 files/configuration/set_defaults.sh | 5 +++++
 files/configuration/setup_ldap.sh   | 4 +++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 0f814e0..c77a7ed 100644
--- a/README.md
+++ b/README.md
@@ -30,9 +30,10 @@ Configuration is via environmental variables.  Here's a list, along with the def
  * `LDAP_BIND_USER_PASS` (_undefined_): The password for the bind user.
  * `LDAP_FILTER` (_undefined_): A filter to apply to LDAP lookups.  This allows you to limit the lookup results and thereby who will be authenticated.  e.g. `(memberOf=cn=staff,cn=groups,cn=accounts,dc=example,dc=org)`.  See [Filtering](#Filtering) for more information.
  * `LDAP_LOGIN_ATTRIBUTE` (uid):  The LDAP attribute used for the authentication lookup, i.e. which attribute is matched to the username when you log into the OpenVPN server.
- * `LDAP_TLS` (false):  Set to 'true' to enable a TLS connection to the LDAP server.
+ * `LDAP_ENCRYPT_CONNECTION` (off): Options:  `on|starttls|off`. This sets the 'ssl' option in nslcd.  `on` will connect to the LDAP server over TLS (SSL).  `starttls` will initially connect unencrypted and negotiate a TLS connection if one is available.  `off` will disable SSL/TLS.
+ * `LDAP_TLS` (false):  Changes (overrides) `LDAP_ENCRYPT_CONNECTION` to `starttls` (this setting is for backwards-compatibility with previous versions).
  * `LDAP_TLS_VALIDATE_CERT` (true):  Set to 'true' to ensure the TLS certificate can be validated.  'false' will ignore certificate issues - you might need this if you're using a self-signed certificate and not passing in the CA certificate.
- * `LDAP_TLS_CA_CERT` (_undefined_): The contents of the CA certificate file for the LDAP server.  You'll need this to enable TLS if using self-signed certificates.
+ * `LDAP_TLS_CA_CERT` (_undefined_): The contents of the CA certificate file for the LDAP server.  You'll need this to enable TLS when using self-signed certificates.
 
  * `ACTIVE_DIRECTORY_COMPAT_MODE` (false): Sets `LDAP_LOGIN_ATTRIBUTE` to `sAMAccountName` and `LDAP_FILTER` to `(objectClass=user)`, which allows LDAP lookups to work with Active Directory.  This will override any value you've manually set for those settings.
 
diff --git a/files/configuration/set_defaults.sh b/files/configuration/set_defaults.sh
index 3683c9e..6356d01 100644
--- a/files/configuration/set_defaults.sh
+++ b/files/configuration/set_defaults.sh
@@ -47,7 +47,9 @@ if [ "${DEBUG}x" == "x" ];                        then export DEBUG="false";
 if [ "${LOG_TO_STDOUT}x" == "x" ];                then export LOG_TO_STDOUT="true";                       fi
 if [ "${ENABLE_OTP}x" == "x" ];                   then export ENABLE_OTP="false";                         fi
 if [ "${LDAP_LOGIN_ATTRIBUTE}x" == "x" ];         then export LDAP_LOGIN_ATTRIBUTE="uid";                 fi
+if [ "${LDAP_ENCRYPT_CONNECTION}x" == "x" ];      then export LDAP_ENCRYPT_CONNECTION="off";              fi
 if [ "${LDAP_TLS}x" == "x" ];                     then export LDAP_TLS="false";                           fi
+if [ "${LDAP_TLS}" == 'true' ];                   then export LDAP_ENCRYPT_CONNECTION="starttls";         fi
 if [ "${LDAP_TLS_VALIDATE_CERT}x" == "x" ];       then export LDAP_TLS_VALIDATE_CERT="true";              fi
 if [ "${KEY_LENGTH}x" == "x" ];                   then export KEY_LENGTH="2048";                          fi
 if [ "${FAIL2BAN_ENABLED}x" == "x" ];             then export FAIL2BAN_ENABLED="false";                   fi
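Review bot: The two added lines default `LDAP_ENCRYPT_CONNECTION` and let `LDAP_TLS=true` override it, but nothing validates the resulting value against the documented set `on|starttls|off`; in the setup_ldap.sh hunk of this patch only `starttls` and `on` emit an `ssl` line, so a typo such as `ON` or `yes` silently produces an unencrypted connection instead of an error. A check after the override keeps this from failing open: `case "${LDAP_ENCRYPT_CONNECTION}" in on|starttls|off) ;; *) echo "LDAP_ENCRYPT_CONNECTION must be on, starttls or off" >&2; exit 1 ;; esac`. The same fail-open applies to the setup_ldap.sh hunk, which could additionally carry an `else` branch rejecting unknown values at the point of use. Note also that the override line means an explicit `LDAP_ENCRYPT_CONNECTION=on` is downgraded to `starttls` whenever the legacy `LDAP_TLS=true` is still set; the README line in this patch says as much, but a comment here, `# Legacy LDAP_TLS=true takes precedence and forces starttls`, would save the next reader a lookup.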
@@ -60,3 +62,6 @@ if [ "$LOG_TO_STDOUT" == "true" ]; then
 else
  LOG_FILE="${LOG_DIR}/openvpn.log"
 fi
+
+
+
diff --git a/files/configuration/setup_ldap.sh b/files/configuration/setup_ldap.sh
index 141ffe0..e56ea5d 100644
--- a/files/configuration/setup_ldap.sh
+++ b/files/configuration/setup_ldap.sh
@@ -16,8 +16,10 @@ ldap_version 3
 
 EoLDAP
 
-if [ "${LDAP_TLS}" == "true" ] ; then
+if [ "${LDAP_ENCRYPT_CONNECTION}" == "starttls" ] ; then
   echo "ssl start_tls" >> $LDAP_CONFIG
+elif [ "${LDAP_ENCRYPT_CONNECTION}" == "on" ] ; then
+  echo "ssl on" >> $LDAP_CONFIG
 fi
 
 if [ "${LDAP_TLS_VALIDATE_CERT}" == "false" ] ; then
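Review bot: The new `elif` line writes `ssl on` with an unquoted redirection target, `>> $LDAP_CONFIG`; the existing `ssl start_tls` line does the same, but code being touched should quote it, `echo "ssl on" >> "$LDAP_CONFIG"`. A one-line comment above the chain, `# Map LDAP_ENCRYPT_CONNECTION to nslcd's ssl option; off emits no line`, would also make the mapping and the no-output case explicit. The `if` on the hunk's last line continues outside the hunk.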