Add LDAP_TLS_NO_VERIFY option, don't require LDAP_ENABLED outside .env (#6845)

Fix #6816, fix #6790

config/initializers/devise.rb

@@ -55,6 +55,8 @@ module Devise
   @@ldap_bind_dn = nil
   mattr_accessor :ldap_password
   @@ldap_password = nil
+  mattr_accessor :ldap_tls_no_verify
+  @@ldap_tls_no_verify = false
 
   class Strategies::PamAuthenticatable
     def valid?
@@ -357,5 +359,6 @@ Devise.setup do |config|
     config.ldap_bind_dn        = ENV.fetch('LDAP_BIND_DN')
     config.ldap_password       = ENV.fetch('LDAP_PASSWORD')
     config.ldap_uid            = ENV.fetch('LDAP_UID', 'cn')
+    config.ldap_tls_no_verify  = ENV['LDAP_TLS_NO_VERIFY'] == 'true'
   end
 end

lib/devise/ldap_authenticatable.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-if ENV['LDAP_ENABLED'] == 'true'
 require 'net/ldap'
 require 'devise/strategies/authenticatable'
 
@@ -15,7 +14,7 @@ if ENV['LDAP_ENABLED'] == 'true'
             base: Devise.ldap_base,
             encryption: {
               method: Devise.ldap_method,
-                tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS,
+              tls_options: tls_options,
             },
             auth: {
               method: :simple,
@@ -41,9 +40,14 @@ if ENV['LDAP_ENABLED'] == 'true'
       def password
         params[:user][:password]
       end
+
+      def tls_options
+        OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.tap do |options|
+          options[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if Devise.ldap_tls_no_verify
+        end
+      end
     end
   end
 end
 
 Warden::Strategies.add(:ldap_authenticatable, Devise::Strategies::LdapAuthenticatable)
-end