From 402bf53a5c24ac34ca7df63396640c9c0f2dc21c Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <patschul@posteo.de>
Date: Fri, 4 Apr 2025 13:18:42 +0200
Subject: [PATCH] [Web] Improve clarity of LDAP SSL/TLS settings

---
 data/web/lang/lang.de-de.json                 |  4 ++-
 data/web/lang/lang.en-gb.json                 |  4 ++-
 .../admin/tab-config-identity-provider.twig   | 28 +++++++++++++++----
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/data/web/lang/lang.de-de.json b/data/web/lang/lang.de-de.json
index 45c6e9f50..98d601738 100644
--- a/data/web/lang/lang.de-de.json
+++ b/data/web/lang/lang.de-de.json
@@ -238,7 +238,9 @@
         "iam_username_field": "Username Feld",
         "iam_binddn": "Bind DN",
         "iam_use_ssl": "Benutze SSL",
-        "iam_use_tls": "Benutze TLS",
+        "iam_use_ssl_info": "TLS wird gegenüber SSL empfohlen. SSL gilt als veralteter Mechanismus für die sichere Ausführung von LDAP-Operationen.<br><br>Wenn SSL aktiviert ist und der Port auf 389 gesetzt wurde, wird dieser automatisch auf 636 geändert.",
+        "iam_use_tls": "Benutze StartTLS",
+        "iam_use_tls_info": "Wenn TLS aktiviert wird, muss der Standardport deines LDAP-Servers (389) verwendet werden. SSL-Ports können dabei nicht verwendet werden.",
         "iam_version": "Version",
         "ignore_ssl_error": "Ignoriere SSL Fehler",
         "import": "Importieren",
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index 5d6911e91..9c1f30483 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -245,7 +245,9 @@
         "iam_username_field": "Username Field",
         "iam_binddn": "Bind DN",
         "iam_use_ssl": "Use SSL",
-        "iam_use_tls": "Use TLS",
+        "iam_use_ssl_info": "TLS is recommended over SSL. SSL is labelled as a deprecated mechanism for securely running LDAP operations.<br><br>If enabling SSL, and port is set to 389, it will be automatically overridden to use 636.",
+        "iam_use_tls": "Use StartTLS",
+        "iam_use_tls_info": "If enabling TLS, you must use the default port for your LDAP server (389). SSL ports cannot be used.",
         "iam_version": "Version",
         "ignore_ssl_error": "Ignore SSL Errors",
         "import": "Import",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 9d4dcd286..dce26f8c3 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -392,11 +392,11 @@
           <input type="hidden" name="authsource" value="ldap">
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
-              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill m-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_host_info }}"></i>
+              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill mx-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_host_info }}"></i>
               <label class="control-label" for="iam_ldap_host">{{ lang.admin.iam_host }}:</label>
             </div>
             <div class="col-12 col-md-9 col-lg-4 d-flex">
-            <input type="text" class="form-control" id="iam_ldap_host" name="host" value="{{ iam_settings.host }}" required>
+              <input type="text" class="form-control" id="iam_ldap_host" name="host" value="{{ iam_settings.host }}" required>
             </div>
           </div>
           <div class="row mb-2">
@@ -409,21 +409,37 @@
           </div>
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill mx-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_use_ssl_info }}"></i>
               <label class="control-label">{{ lang.admin.iam_use_ssl }}</label>
             </div>
-            <div class="col-12 col-md-9">
+            <div class="col-12 col-md-9 d-flex align-items-center">
               <div class="form-check form-switch">
-                <input class="form-check-input" type="checkbox" role="switch" name="use_ssl" value="1" {% if iam_settings.use_ssl == 1 %}checked{% endif %}>
+                <input class="form-check-input"
+                       type="checkbox"
+                       role="switch"
+                       id="use_ssl"
+                       name="use_ssl"
+                       value="1"
+                       onchange="if(this.checked) document.getElementById('use_tls').checked = false"
+                       {% if iam_settings.use_ssl == 1 %}checked{% endif %}>
               </div>
             </div>
           </div>
           <div class="row mb-2">
             <div class="col-md-3 d-flex align-items-center justify-content-md-end">
+              <i style="font-size: 16px; cursor: pointer;" class="bi bi-patch-question-fill mx-2 ms-0" data-bs-toggle="tooltip" data-bs-html="true" data-bs-placement="bottom" title="{{ lang.admin.iam_use_tls_info }}"></i>
               <label class="control-label">{{ lang.admin.iam_use_tls }}</label>
             </div>
-            <div class="col-12 col-md-9">
+            <div class="col-12 col-md-9 d-flex align-items-center">
               <div class="form-check form-switch">
-                <input class="form-check-input" type="checkbox" role="switch" name="use_tls" value="1" {% if iam_settings.use_tls == 1 %}checked{% endif %}>
+                <input class="form-check-input"
+                       type="checkbox"
+                       role="switch"
+                       id="use_tls"
+                       name="use_tls"
+                       value="1"
+                       onchange="if(this.checked) document.getElementById('use_ssl').checked = false"
+                       {% if iam_settings.use_tls == 1 %}checked{% endif %}>
               </div>
             </div>
           </div>