
ldap: add option for ldap starttls support

Maximilian Nöthe 5 years ago
parent
commit
df40447616
4 changed files with 8 additions and 0 deletions
  1. 1 0
      README.md
  2. 1 0
      docker-compose.yml
  3. 3 0
      env.example
  4. 3 0
      prosody/rootfs/defaults/saslauthd.conf

+ 1 - 0
README.md

@@ -290,6 +290,7 @@ Variable | Description | Example
 `LDAP_TLS_CHECK_PEER` | Require and verify LDAP server certificate | 1
 `LDAP_TLS_CACERT_FILE` | Path to CA cert file. Used when server certificate verify is enabled | /etc/ssl/certs/ca-certificates.crt
 `LDAP_TLS_CACERT_DIR` | Path to CA certs directory. Used when server certificate verify is enabled. | /etc/ssl/certs
+`LDAP_START_TLS` | Enable START_TLS, requires LDAPv3, URL must be ldap:// not ldaps:// | 0
 
 #### Authentication using JWT tokens
 

+ 1 - 0
docker-compose.yml

@@ -69,6 +69,7 @@ services:
             - LDAP_TLS_CHECK_PEER
             - LDAP_TLS_CACERT_FILE
             - LDAP_TLS_CACERT_DIR
+            - LDAP_START_TLS
             - XMPP_DOMAIN
             - XMPP_AUTH_DOMAIN
             - XMPP_GUEST_DOMAIN

+ 3 - 0
env.example

@@ -134,6 +134,9 @@ TZ=Europe/Amsterdam
 # Path to CA certs directory. Used when server sertificate verify is enabled.
 #LDAP_TLS_CACERT_DIR=/etc/ssl/certs
 
+# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://
+# LDAP_START_TLS=1
+
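Review bot: The new comment line `# Wether to use starttls, implies LDAPv3 and requires ldap:// instead of ldaps://` has a typo and the commented-out example `# LDAP_START_TLS=1` uses `# ` where the neighbouring entries in this file write the disabled value without a space (`#LDAP_TLS_CACERT_DIR=/etc/ssl/certs`), so a reader scanning for the file's "uncomment to enable" convention may miss it. I would write `# Whether to use STARTTLS; implies LDAPv3 and requires an ldap:// URL instead of ldaps://` and `#LDAP_START_TLS=1`. The added trailing blank line also produces two consecutive empty lines before the "Advanced configuration options" banner, where the surrounding sections use one.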
 
 #
 # Advanced configuration options (you generally don't need to change these)

+ 3 - 0
prosody/rootfs/defaults/saslauthd.conf

@@ -19,3 +19,6 @@ ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
     {{ end }}
   {{ end }}
 {{ end }}
+{{ if .Env.LDAP_START_TLS | default "0" | toBool }}
+ldap_start_tls: yes
+{{ end }}
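Review bot: Enabling `ldap_start_tls: yes` on its own upgrades the connection to TLS but does not by itself verify the directory server, which in this file is governed by the separate peer-check setting that `LDAP_TLS_CHECK_PEER` controls, so a deployment that sets only `LDAP_START_TLS=1` gets an encrypted but unauthenticated session. I would add a line above the new block, `# STARTTLS only authenticates the server when the peer check (LDAP_TLS_CHECK_PEER) is also enabled`, and mirror that in the README row added in the same commit. The README also states that STARTTLS requires LDAPv3, but nothing in this hunk emits an `ldap_version` setting; whether the template sets it elsewhere is outside the hunk and worth confirming. The `toBool` pipeline's treatment of values other than `0`/`1` is not visible here either, so the README's documented values should be the only ones promised.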