# HG changeset patch
# User Mads Kiilerich
# Date 2016-07-28 14:34:49
# Node ID d0f6bd6190c80c299cc6c699f2cda973633cbcae
# Parent 5a5bab2b773c5631c5c721cf4165c0355873ac3d
auth: change default LDAP to LDAPS on port 636 - insecure authentication is kind of pointless This will only change the default value for new systems. Existing installations will keep using whatever value they have in the database.
diff --git a/docs/setup.rst b/docs/setup.rst
--- a/docs/setup.rst
+++ b/docs/setup.rst
@@ -163,7 +163,7 @@ Here's a typical LDAP setup::
 Host = host.example.com
 Account =
 Password =
- Connection Security = LDAPS connection
+ Connection Security = LDAPS
 Certificate Checks = DEMAND
 Search settings
@@ -457,7 +457,7 @@ could set the request headers however yo
 from mod_python import apache
 import ldap
- LDAP_SERVER = "ldap://server.mydomain.com:389"
+ LDAP_SERVER = "ldaps://server.mydomain.com:636"
 LDAP_USER = ""
 LDAP_PASS = ""
 LDAP_ROOT = "dc=mydomain,dc=com"
diff --git a/kallithea/bin/ldap_sync.conf b/kallithea/bin/ldap_sync.conf
--- a/kallithea/bin/ldap_sync.conf
+++ b/kallithea/bin/ldap_sync.conf
@@ -3,7 +3,7 @@ api_url = http://kallithea.example.com/_
 api_user = admin
 api_key = XXXXXXXXXXXX
-ldap_uri = ldap://ldap.example.com:389
+ldap_uri = ldaps://ldap.example.com:636
 ldap_user = cn=kallithea,dc=example,dc=com
 ldap_key = XXXXXXXXX
 base_dn = dc=example,dc=com
diff --git a/kallithea/lib/auth_modules/auth_ldap.py b/kallithea/lib/auth_modules/auth_ldap.py
--- a/kallithea/lib/auth_modules/auth_ldap.py
+++ b/kallithea/lib/auth_modules/auth_ldap.py
@@ -50,7 +50,7 @@ except ImportError:
 class AuthLdap(object):
 def __init__(self, server, base_dn, port=None, bind_dn='', bind_pass='',
- tls_kind='PLAIN', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,
+ tls_kind='LDAPS', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,
 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
 search_scope='SUBTREE', attr_login='uid'):
 if ldap is None:
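Review bot: The sample config still has an `api_url` that begins `http://kallithea.example.com/`, which would send `api_key` to the Kallithea API unencrypted even though `ldap_uri` now uses `ldaps://`. That line is visible only in the hunk header, so the full value is outside the hunk. By the reasoning in the commit title, the sample should use `https://` there, with the rest of the URL unchanged. It is also not visible here whether the sync script validates the LDAPS server certificate; if it does not, a comment above `ldap_uri` should say so, because `ldaps://` would then encrypt the connection without authenticating the server.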
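Review bot: The commit title promises LDAPS on port 636, but `port=None` is unchanged in this `AuthLdap.__init__` signature, and the settings hunk at `@@ -215,7 +215,7 @@` changes no port default either. The code that turns `port=None` into a number is outside this hunk, so confirm that it resolves to 636 when `tls_kind` is `'LDAPS'`, and that the plugin's port setting does not still offer 389 to new installs. Any caller that omitted `tls_kind` to get a plain connection now silently gets LDAPS. Once the fallback is confirmed, a short docstring on `__init__` such as `"""tls_kind selects connection security (default 'LDAPS'); port=None uses the default port for that kind."""` would make the contract explicit.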
@@ -215,7 +215,7 @@ class KallitheaAuthPlugin(auth_modules.K
 "type": "select",
 "values": self._tls_kind_values,
 "description": "TLS Type",
- "default": 'PLAIN',
+ "default": 'LDAPS',
 "formname": "Connection Security"
 },
 {
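Review bot: `"description": "TLS Type"` is the only explanation attached to this select, and it does not tell an admin that choosing `PLAIN` sends the bind password and users' passwords to the LDAP server unencrypted. Now that the default is `'LDAPS'`, the text could say why, for example `"description": "Connection security (PLAIN sends passwords unencrypted)",`. The settings dict starts above the hunk, and the selectable values come from `self._tls_kind_values`, which is not shown here. As the commit message notes, installations with a stored value keep it, so this text is also the only prompt an existing `PLAIN` setup gets to reconsider.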