Previously there were two ways you could enable TLS with the LDAP auth provider:
- In the auth provider configuration, you could tick the "Use TLS" checkbox. This enabled StartTLS, which means the original connection (the call to ldap_connect()) was made as a plaintext connection and ldap_start_tls() was called afterwards to upgrade it to an encrypted connection.
- Or you could prefix the "LDAP Hostname" field itself with ldaps:// to get an encrypted-from-the-start connection (ldap_connect() used an ldaps:// URL and ldap_start_tls() was never called). This was also mentioned as a supported case in the instructions:
However, D25792: Fix PHP 8.3 "Usage of ldap_connect with two arguments is deprecated" exception changed the code to always prepend ldap:// (or ldaps://, depending on the "Use TLS" option) to the LDAP connection URL. My configuration is using method 2, and with this change applied logins now fail with an error like Unable to connect to LDAP server (ldap://ldaps://ldap.example.com:636).
I also don't see any way to get the current code to create a working encrypted LDAP connection, as ldap_start_tls() will (at least with my LDAP server) error out if it's called on an ldaps:// connection, and the current code will currently either do both of those or neither.
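One way to support both configurations without breaking either, as an added example that is not Phorge's own code and not from the report above: only prepend a scheme to the "LDAP Hostname" field when it has none, and only request StartTLS when the resulting connection is ldap:// (the helper names and the form of the port argument are assumptions).

```php
<?php
// Added example (not the project's own code). Turns the "LDAP Hostname",
// port and "Use TLS" settings into a single ldap_connect() URI plus a flag
// saying whether ldap_start_tls() must be called on the resulting connection.
function ldap_connection_plan(string $hostname, int $port, bool $use_tls): array {
  $hostname = trim($hostname);

  // Case 1: a bare hostname. Prepend ldap:// and append the configured port;
  // "Use TLS" then selects StartTLS on that plaintext connection.
  if (!preg_match('#^(ldaps?)://#i', $hostname, $m)) {
    return array(
      'uri'       => sprintf('ldap://%s:%d', $hostname, $port),
      'start_tls' => $use_tls,
    );
  }

  // Case 2: the field already carries a scheme. Pass it through unchanged so
  // "ldaps://ldap.example.com:636" is never turned into
  // "ldap://ldaps://ldap.example.com:636".
  $scheme = strtolower($m[1]);

  // ldaps:// is encrypted from the first byte; StartTLS on top of it fails,
  // so the flag is only honoured for ldap:// URIs.
  return array(
    'uri'       => $hostname,
    'start_tls' => ($scheme === 'ldap' && $use_tls),
  );
}

// Opens the connection according to the plan and fails loudly if the
// requested encryption could not be established.
function connect_ldap(string $hostname, int $port, bool $use_tls) {
  $plan = ldap_connection_plan($hostname, $port, $use_tls);

  $conn = ldap_connect($plan['uri']);
  if ($conn === false) {
    throw new RuntimeException("Unable to connect to LDAP server ({$plan['uri']})");
  }
  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

  if ($plan['start_tls'] && !ldap_start_tls($conn)) {
    throw new RuntimeException('ldap_start_tls() failed: ' . ldap_error($conn));
  }
  return $conn;
}
```

With this plan, ("ldap.example.com", 389, true) yields ldap://ldap.example.com:389 plus StartTLS, while ("ldaps://ldap.example.com:636", 636, false) is passed to ldap_connect() verbatim with no StartTLS call, which are exactly the two configurations the report describes.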