Merge remote-tracking branch 'origin/main' into illegal-car-mods

src/admin/Cargo.toml

@@ -89,6 +89,7 @@ serde_yaml.workspace = true
 tokio.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
+ctor.workspace = true
 
 [lints]
 workspace = true

src/admin/mod.rs

@@ -29,6 +29,8 @@ pub(crate) use crate::{context::Context, utils::get_room_info};
 
 pub(crate) const PAGE_SIZE: usize = 100;
 
+use ctor::{ctor, dtor};
+
 conduwuit::mod_ctor! {}
 conduwuit::mod_dtor! {}
 conduwuit::rustc_flags_capture! {}

src/admin/user/commands.rs

@@ -1,8 +1,8 @@
 use std::{collections::BTreeMap, fmt::Write as _};
 
 use api::client::{
-	full_user_deactivate, join_room_by_id_helper, leave_all_rooms, leave_room, update_avatar_url,
-	update_displayname,
+	full_user_deactivate, join_room_by_id_helper, leave_all_rooms, leave_room, remote_leave_room,
+	update_avatar_url, update_displayname,
 };
 use conduwuit::{
 	Err, Result, debug, debug_warn, error, info, is_equal_to,
@@ -68,7 +68,8 @@ pub(super) async fn create_user(&self, username: String, password: Option<String
 	// Create user
 	self.services
 		.users
-		.create(&user_id, Some(password.as_str()))?;
+		.create(&user_id, Some(password.as_str()), None)
+		.await?;
 
 	// Default to pretty displayname
 	let mut displayname = user_id.localpart().to_owned();
@@ -284,6 +285,7 @@ pub(super) async fn reset_password(&self, username: String, password: Option<Str
 		.services
 		.users
 		.set_password(&user_id, Some(new_password.as_str()))
+		.await
 	{
 		| Err(e) => return Err!("Couldn't reset the password for user {user_id}: {e}"),
 		| Ok(()) => {
@@ -924,3 +926,29 @@ pub(super) async fn redact_event(&self, event_id: OwnedEventId) -> Result {
 	))
 	.await
 }
+
+#[admin_command]
+pub(super) async fn force_leave_remote_room(
+	&self,
+	user_id: String,
+	room_id: OwnedRoomOrAliasId,
+) -> Result {
+	let user_id = parse_local_user_id(self.services, &user_id)?;
+	let (room_id, _) = self
+		.services
+		.rooms
+		.alias
+		.resolve_with_servers(&room_id, None)
+		.await?;
+
+	assert!(
+		self.services.globals.user_is_local(&user_id),
+		"Parsed user_id must be a local user"
+	);
+	remote_leave_room(self.services, &user_id, &room_id, None)
+		.boxed()
+		.await?;
+
+	self.write_str(&format!("{user_id} has been joined to {room_id}.",))
+		.await
+}

src/admin/user/mod.rs

@@ -103,6 +103,12 @@ pub enum UserCommand {
 		room_id: OwnedRoomOrAliasId,
 	},
 
+	/// - Manually leave a remote room for a local user.
+	ForceLeaveRemoteRoom {
+		user_id: String,
+		room_id: OwnedRoomOrAliasId,
+	},
+
 	/// - Forces the specified user to drop their power levels to the room
 	///   default, if their permissions allow and the auth check permits
 	ForceDemote {

src/api/Cargo.toml

@@ -49,6 +49,9 @@ jemalloc_stats = [
 	"conduwuit-core/jemalloc_stats",
 	"conduwuit-service/jemalloc_stats",
 ]
+ldap = [
+    "conduwuit-service/ldap"
+]
 release_max_log_level = [
 	"conduwuit-core/release_max_log_level",
 	"conduwuit-service/release_max_log_level",
@@ -90,6 +93,7 @@ serde.workspace = true
 sha1.workspace = true
 tokio.workspace = true
 tracing.workspace = true
+ctor.workspace = true
 
 [lints]
 workspace = true

src/api/client/account.rs

@@ -373,7 +373,7 @@ pub(crate) async fn register_route(
 	let password = if is_guest { None } else { body.password.as_deref() };
 
 	// Create user
-	services.users.create(&user_id, password)?;
+	services.users.create(&user_id, password, None).await?;
 
 	// Default to pretty displayname
 	let mut displayname = user_id.localpart().to_owned();
@@ -659,7 +659,8 @@ pub(crate) async fn change_password_route(
 
 	services
 		.users
-		.set_password(sender_user, Some(&body.new_password))?;
+		.set_password(sender_user, Some(&body.new_password))
+		.await?;
 
 	if body.logout_devices {
 		// Logout all devices except the current one

src/api/client/admin/mod.rs

@@ -0,0 +1,3 @@
+mod suspend;
+
+pub(crate) use self::suspend::*;

src/api/client/admin/suspend.rs

@@ -0,0 +1,89 @@
+use axum::extract::State;
+use conduwuit::{Err, Result};
+use futures::future::{join, join3};
+use ruma::api::client::admin::{get_suspended, set_suspended};
+
+use crate::Ruma;
+
+/// # `GET /_matrix/client/v1/admin/suspend/{userId}`
+///
+/// Check the suspension status of a target user
+pub(crate) async fn get_suspended_status(
+	State(services): State<crate::State>,
+	body: Ruma<get_suspended::v1::Request>,
+) -> Result<get_suspended::v1::Response> {
+	let sender_user = body.sender_user();
+
+	let (admin, active) =
+		join(services.users.is_admin(sender_user), services.users.is_active(&body.user_id)).await;
+	if !admin {
+		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
+	}
+	if !services.globals.user_is_local(&body.user_id) {
+		return Err!(Request(InvalidParam("Can only check the suspended status of local users")));
+	}
+	if !active {
+		return Err!(Request(NotFound("Unknown user")));
+	}
+	Ok(get_suspended::v1::Response::new(
+		services.users.is_suspended(&body.user_id).await?,
+	))
+}
+
+/// # `PUT /_matrix/client/v1/admin/suspend/{userId}`
+///
+/// Set the suspension status of a target user
+pub(crate) async fn put_suspended_status(
+	State(services): State<crate::State>,
+	body: Ruma<set_suspended::v1::Request>,
+) -> Result<set_suspended::v1::Response> {
+	let sender_user = body.sender_user();
+
+	let (sender_admin, active, target_admin) = join3(
+		services.users.is_admin(sender_user),
+		services.users.is_active(&body.user_id),
+		services.users.is_admin(&body.user_id),
+	)
+	.await;
+
+	if !sender_admin {
+		return Err!(Request(Forbidden("Only server administrators can use this endpoint")));
+	}
+	if !services.globals.user_is_local(&body.user_id) {
+		return Err!(Request(InvalidParam("Can only set the suspended status of local users")));
+	}
+	if !active {
+		return Err!(Request(NotFound("Unknown user")));
+	}
+	if body.user_id == *sender_user {
+		return Err!(Request(Forbidden("You cannot suspend yourself")));
+	}
+	if target_admin {
+		return Err!(Request(Forbidden("You cannot suspend another server administrator")));
+	}
+	if services.users.is_suspended(&body.user_id).await? == body.suspended {
+		// No change
+		return Ok(set_suspended::v1::Response::new(body.suspended));
+	}
+
+	let action = if body.suspended {
+		services
+			.users
+			.suspend_account(&body.user_id, sender_user)
+			.await;
+		"suspended"
+	} else {
+		services.users.unsuspend_account(&body.user_id).await;
+		"unsuspended"
+	};
+
+	if services.config.admin_room_notices {
+		// Notify the admin room that an account has been un/suspended
+		services
+			.admin
+			.send_text(&format!("{} has been {} by {}.", body.user_id, action, sender_user))
+			.await;
+	}
+
+	Ok(set_suspended::v1::Response::new(body.suspended))
+}

src/api/client/capabilities.rs

@@ -19,7 +19,7 @@ use crate::Ruma;
 /// of this server.
 pub(crate) async fn get_capabilities_route(
 	State(services): State<crate::State>,
-	_body: Ruma<get_capabilities::v3::Request>,
+	body: Ruma<get_capabilities::v3::Request>,
 ) -> Result<get_capabilities::v3::Response> {
 	let available: BTreeMap<RoomVersionId, RoomVersionStability> =
 		Server::available_room_versions().collect();
@@ -45,5 +45,14 @@ pub(crate) async fn get_capabilities_route(
 		json!({"enabled": services.config.forget_forced_upon_leave}),
 	)?;
 
+	if services
+		.users
+		.is_admin(body.sender_user.as_ref().unwrap())
+		.await
+	{
+		// Advertise suspension API
+		capabilities.set("uk.timedout.msc4323", json!({"suspend":true, "lock": false}))?;
+	}
+
 	Ok(get_capabilities::v3::Response { capabilities })
 }

src/api/client/membership/join.rs

@@ -156,31 +156,34 @@ pub(crate) async fn join_room_by_id_or_alias_route(
 			.await?;
 
 			let mut servers = body.via.clone();
-			servers.extend(
-				services
-					.rooms
-					.state_cache
-					.servers_invite_via(&room_id)
-					.map(ToOwned::to_owned)
-					.collect::<Vec<_>>()
-					.await,
-			);
+			if servers.is_empty() {
+				debug!("No via servers provided for join, injecting some.");
+				servers.extend(
+					services
+						.rooms
+						.state_cache
+						.servers_invite_via(&room_id)
+						.map(ToOwned::to_owned)
+						.collect::<Vec<_>>()
+						.await,
+				);
 
-			servers.extend(
-				services
-					.rooms
-					.state_cache
-					.invite_state(sender_user, &room_id)
-					.await
-					.unwrap_or_default()
-					.iter()
-					.filter_map(|event| event.get_field("sender").ok().flatten())
-					.filter_map(|sender: &str| UserId::parse(sender).ok())
-					.map(|user| user.server_name().to_owned()),
-			);
+				servers.extend(
+					services
+						.rooms
+						.state_cache
+						.invite_state(sender_user, &room_id)
+						.await
+						.unwrap_or_default()
+						.iter()
+						.filter_map(|event| event.get_field("sender").ok().flatten())
+						.filter_map(|sender: &str| UserId::parse(sender).ok())
+						.map(|user| user.server_name().to_owned()),
+				);
 
-			if let Some(server) = room_id.server_name() {
-				servers.push(server.to_owned());
+				if let Some(server) = room_id.server_name() {
+					servers.push(server.to_owned());
+				}
 			}
 
 			servers.sort_unstable();

src/api/client/membership/leave.rs

@@ -215,7 +215,7 @@ pub async fn leave_room(
 	Ok(())
 }
 
-async fn remote_leave_room(
+pub async fn remote_leave_room(
 	services: &Services,
 	user_id: &UserId,
 	room_id: &RoomId,

src/api/client/membership/mod.rs

@@ -29,7 +29,7 @@ pub(crate) use self::{
 };
 pub use self::{
 	join::join_room_by_id_helper,
-	leave::{leave_all_rooms, leave_room},
+	leave::{leave_all_rooms, leave_room, remote_leave_room},
 };
 use crate::{Ruma, client::full_user_deactivate};
 

src/api/client/message.rs

@@ -321,7 +321,7 @@ pub(crate) fn event_filter(item: PdusIterItem, filter: &RoomEventFilter) -> Opti
 	filter.matches(pdu).then_some(item)
 }
 
-#[cfg_attr(debug_assertions, conduwuit::ctor)]
+#[cfg_attr(debug_assertions, ctor::ctor)]
 fn _is_sorted() {
 	debug_assert!(
 		IGNORED_MESSAGE_TYPES.is_sorted(),

src/api/client/mod.rs

@@ -1,5 +1,6 @@
 pub(super) mod account;
 pub(super) mod account_data;
+pub(super) mod admin;
 pub(super) mod alias;
 pub(super) mod appservice;
 pub(super) mod backup;
@@ -43,6 +44,7 @@ pub(super) mod well_known;
 pub use account::full_user_deactivate;
 pub(super) use account::*;
 pub(super) use account_data::*;
+pub(super) use admin::*;
 pub(super) use alias::*;
 pub(super) use appservice::*;
 pub(super) use backup::*;
@@ -55,7 +57,7 @@ pub(super) use keys::*;
 pub(super) use media::*;
 pub(super) use media_legacy::*;
 pub(super) use membership::*;
-pub use membership::{join_room_by_id_helper, leave_all_rooms, leave_room};
+pub use membership::{join_room_by_id_helper, leave_all_rooms, leave_room, remote_leave_room};
 pub(super) use message::*;
 pub(super) use openid::*;
 pub(super) use presence::*;

src/api/client/profile.rs

@@ -90,7 +90,7 @@ pub(crate) async fn get_displayname_route(
 			.await
 		{
 			if !services.users.exists(&body.user_id).await {
-				services.users.create(&body.user_id, None)?;
+				services.users.create(&body.user_id, None, None).await?;
 			}
 
 			services
@@ -189,7 +189,7 @@ pub(crate) async fn get_avatar_url_route(
 			.await
 		{
 			if !services.users.exists(&body.user_id).await {
-				services.users.create(&body.user_id, None)?;
+				services.users.create(&body.user_id, None, None).await?;
 			}
 
 			services
@@ -248,7 +248,7 @@ pub(crate) async fn get_profile_route(
 			.await
 		{
 			if !services.users.exists(&body.user_id).await {
-				services.users.create(&body.user_id, None)?;
+				services.users.create(&body.user_id, None, None).await?;
 			}
 
 			services

src/api/client/session.rs

@@ -3,13 +3,14 @@ use std::time::Duration;
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Error, Result, debug, err, info, utils,
-	utils::{ReadyExt, hash},
+	Err, Error, Result, debug, err, info,
+	utils::{self, ReadyExt, hash},
 };
-use conduwuit_service::uiaa::SESSION_ID_LENGTH;
+use conduwuit_core::{debug_error, debug_warn};
+use conduwuit_service::{Services, uiaa::SESSION_ID_LENGTH};
 use futures::StreamExt;
 use ruma::{
-	UserId,
+	OwnedUserId, UserId,
 	api::client::{
 		session::{
 			get_login_token,
@@ -49,6 +50,154 @@ pub(crate) async fn get_login_types_route(
 	]))
 }
 
+/// Authenticates the given user by its ID and its password.
+///
+/// Returns the user ID if successful, and an error otherwise.
+#[tracing::instrument(skip_all, fields(%user_id), name = "password")]
+pub(crate) async fn password_login(
+	services: &Services,
+	user_id: &UserId,
+	lowercased_user_id: &UserId,
+	password: &str,
+) -> Result<OwnedUserId> {
+	// Restrict login to accounts only of type 'password', including untyped
+	// legacy accounts which are equivalent to 'password'.
+	if services
+		.users
+		.origin(user_id)
+		.await
+		.is_ok_and(|origin| origin != "password")
+	{
+		return Err!(Request(Forbidden("Account does not permit password login.")));
+	}
+
+	let (hash, user_id) = match services.users.password_hash(user_id).await {
+		| Ok(hash) => (hash, user_id),
+		| Err(_) => services
+			.users
+			.password_hash(lowercased_user_id)
+			.await
+			.map(|hash| (hash, lowercased_user_id))
+			.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?,
+	};
+
+	if hash.is_empty() {
+		return Err!(Request(UserDeactivated("The user has been deactivated")));
+	}
+
+	hash::verify_password(password, &hash)
+		.inspect_err(|e| debug_error!("{e}"))
+		.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?;
+
+	Ok(user_id.to_owned())
+}
+
+/// Authenticates the given user through the configured LDAP server.
+///
+/// Creates the user if the user is found in the LDAP and do not already have an
+/// account.
+#[tracing::instrument(skip_all, fields(%user_id), name = "ldap")]
+pub(super) async fn ldap_login(
+	services: &Services,
+	user_id: &UserId,
+	lowercased_user_id: &UserId,
+	password: &str,
+) -> Result<OwnedUserId> {
+	let (user_dn, is_ldap_admin) = match services.config.ldap.bind_dn.as_ref() {
+		| Some(bind_dn) if bind_dn.contains("{username}") =>
+			(bind_dn.replace("{username}", lowercased_user_id.localpart()), false),
+		| _ => {
+			debug!("Searching user in LDAP");
+
+			let dns = services.users.search_ldap(user_id).await?;
+			if dns.len() >= 2 {
+				return Err!(Ldap("LDAP search returned two or more results"));
+			}
+
+			let Some((user_dn, is_admin)) = dns.first() else {
+				return password_login(services, user_id, lowercased_user_id, password).await;
+			};
+
+			(user_dn.clone(), *is_admin)
+		},
+	};
+
+	let user_id = services
+		.users
+		.auth_ldap(&user_dn, password)
+		.await
+		.map(|()| lowercased_user_id.to_owned())?;
+
+	// LDAP users are automatically created on first login attempt. This is a very
+	// common feature that can be seen on many services using a LDAP provider for
+	// their users (synapse, Nextcloud, Jellyfin, ...).
+	//
+	// LDAP users are crated with a dummy password but non empty because an empty
+	// password is reserved for deactivated accounts. The conduwuit password field
+	// will never be read to login a LDAP user so it's not an issue.
+	if !services.users.exists(lowercased_user_id).await {
+		services
+			.users
+			.create(lowercased_user_id, Some("*"), Some("ldap"))
+			.await?;
+	}
+
+	let is_conduwuit_admin = services.admin.user_is_admin(lowercased_user_id).await;
+
+	if is_ldap_admin && !is_conduwuit_admin {
+		services.admin.make_user_admin(lowercased_user_id).await?;
+	} else if !is_ldap_admin && is_conduwuit_admin {
+		services.admin.revoke_admin(lowercased_user_id).await?;
+	}
+
+	Ok(user_id)
+}
+
+pub(crate) async fn handle_login(
+	services: &Services,
+	body: &Ruma<login::v3::Request>,
+	identifier: Option<&uiaa::UserIdentifier>,
+	password: &str,
+	user: Option<&String>,
+) -> Result<OwnedUserId> {
+	debug!("Got password login type");
+	let user_id =
+				if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
+					UserId::parse_with_server_name(user_id, &services.config.server_name)
+				} else if let Some(user) = user {
+					UserId::parse_with_server_name(user, &services.config.server_name)
+				} else {
+					return Err!(Request(Unknown(
+						debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
+					)));
+				}
+				.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
+
+	let lowercased_user_id = UserId::parse_with_server_name(
+		user_id.localpart().to_lowercase(),
+		&services.config.server_name,
+	)?;
+
+	if !services.globals.user_is_local(&user_id)
+		|| !services.globals.user_is_local(&lowercased_user_id)
+	{
+		return Err!(Request(Unknown("User ID does not belong to this homeserver")));
+	}
+
+	if cfg!(feature = "ldap") && services.config.ldap.enable {
+		match Box::pin(ldap_login(services, &user_id, &lowercased_user_id, password)).await {
+			| Ok(user_id) => Ok(user_id),
+			| Err(err) if services.config.ldap.ldap_only => Err(err),
+			| Err(err) => {
+				debug_warn!("{err}");
+				password_login(services, &user_id, &lowercased_user_id, password).await
+			},
+		}
+	} else {
+		password_login(services, &user_id, &lowercased_user_id, password).await
+	}
+}
+
 /// # `POST /_matrix/client/v3/login`
 ///
 /// Authenticates the user and returns an access token it can use in subsequent
@@ -80,70 +229,7 @@ pub(crate) async fn login_route(
 			password,
 			user,
 			..
-		}) => {
-			debug!("Got password login type");
-			let user_id =
-				if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
-					UserId::parse_with_server_name(user_id, &services.config.server_name)
-				} else if let Some(user) = user {
-					UserId::parse_with_server_name(user, &services.config.server_name)
-				} else {
-					return Err!(Request(Unknown(
-						debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
-					)));
-				}
-				.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
-
-			let lowercased_user_id = UserId::parse_with_server_name(
-				user_id.localpart().to_lowercase(),
-				&services.config.server_name,
-			)?;
-
-			if !services.globals.user_is_local(&user_id)
-				|| !services.globals.user_is_local(&lowercased_user_id)
-			{
-				return Err!(Request(Unknown("User ID does not belong to this homeserver")));
-			}
-
-			// first try the username as-is
-			let hash = services
-				.users
-				.password_hash(&user_id)
-				.await
-				.inspect_err(|e| debug!("{e}"));
-
-			match hash {
-				| Ok(hash) => {
-					if hash.is_empty() {
-						return Err!(Request(UserDeactivated("The user has been deactivated")));
-					}
-
-					hash::verify_password(password, &hash)
-						.inspect_err(|e| debug!("{e}"))
-						.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?;
-
-					user_id
-				},
-				| Err(_e) => {
-					let hash_lowercased_user_id = services
-						.users
-						.password_hash(&lowercased_user_id)
-						.await
-						.inspect_err(|e| debug!("{e}"))
-						.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?;
-
-					if hash_lowercased_user_id.is_empty() {
-						return Err!(Request(UserDeactivated("The user has been deactivated")));
-					}
-
-					hash::verify_password(password, &hash_lowercased_user_id)
-						.inspect_err(|e| debug!("{e}"))
-						.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?;
-
-					lowercased_user_id
-				},
-			}
-		},
+		}) => handle_login(&services, &body, identifier.as_ref(), password, user.as_ref()).await?,
 		| login::v3::LoginInfo::Token(login::v3::Token { token }) => {
 			debug!("Got token login type");
 			if !services.server.config.login_via_existing_session {

src/api/client/sync/v4.rs

@@ -45,6 +45,7 @@ use crate::{
 type TodoRooms = BTreeMap<OwnedRoomId, (BTreeSet<TypeStateKey>, usize, u64)>;
 const SINGLE_CONNECTION_SYNC: &str = "single_connection_sync";
 
+#[allow(clippy::cognitive_complexity)]
 /// POST `/_matrix/client/unstable/org.matrix.msc3575/sync`
 ///
 /// Sliding Sync endpoint (future endpoint: `/_matrix/client/v4/sync`)

src/api/client/unstable.rs

@@ -292,7 +292,7 @@ pub(crate) async fn get_timezone_key_route(
 			.await
 		{
 			if !services.users.exists(&body.user_id).await {
-				services.users.create(&body.user_id, None)?;
+				services.users.create(&body.user_id, None, None).await?;
 			}
 
 			services
@@ -352,7 +352,7 @@ pub(crate) async fn get_profile_key_route(
 			.await
 		{
 			if !services.users.exists(&body.user_id).await {
-				services.users.create(&body.user_id, None)?;
+				services.users.create(&body.user_id, None, None).await?;
 			}
 
 			services

src/api/client/unversioned.rs

@@ -58,6 +58,7 @@ pub(crate) async fn get_supported_versions_route(
 			("uk.tcpip.msc4133".to_owned(), true), /* Extending User Profile API with Key:Value Pairs (https://github.com/matrix-org/matrix-spec-proposals/pull/4133) */
 			("us.cloke.msc4175".to_owned(), true), /* Profile field for user time zone (https://github.com/matrix-org/matrix-spec-proposals/pull/4175) */
 			("org.matrix.simplified_msc3575".to_owned(), true), /* Simplified Sliding sync (https://github.com/matrix-org/matrix-spec-proposals/pull/4186) */
+			("uk.timedout.msc4323".to_owned(), true), /* agnostic suspend (https://github.com/matrix-org/matrix-spec-proposals/pull/4323) */
 		]),
 	};
 

src/api/router.rs

@@ -184,6 +184,8 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 			"/_matrix/client/unstable/im.nheko.summary/rooms/:room_id_or_alias/summary",
 			get(client::get_room_summary_legacy)
 		)
+		.ruma_route(&client::get_suspended_status)
+		.ruma_route(&client::put_suspended_status)
 		.ruma_route(&client::well_known_support)
 		.ruma_route(&client::well_known_client)
 		.route("/_conduwuit/server_version", get(client::conduwuit_server_version))

src/core/config/mod.rs

@@ -1,3 +1,4 @@
+#![allow(clippy::doc_link_with_quotes)]
 pub mod check;
 pub mod manager;
 pub mod proxy;
@@ -125,9 +126,11 @@ pub struct Config {
 	/// This is the only directory where continuwuity will save its data,
 	/// including media. Note: this was previously "/var/lib/matrix-conduit".
 	///
-	/// YOU NEED TO EDIT THIS.
+	/// YOU NEED TO EDIT THIS, UNLESS you are running continuwuity as a
+	/// `systemd` service. The service file sets it to `/var/lib/conduwuit`
+	/// using an environment variable and also grants write access.
 	///
-	/// example: "/var/lib/continuwuity"
+	/// example: "/var/lib/conduwuit"
 	pub database_path: PathBuf,
 
 	/// continuwuity supports online database backups using RocksDB's Backup
@@ -711,12 +714,21 @@ pub struct Config {
 	#[serde(default)]
 	pub well_known: WellKnownConfig,
 
-	#[serde(default)]
-	pub allow_jaeger: bool,
+	/// Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
+	/// Jaeger exporter. Traces will be sent via OTLP to a collector (such as
+	/// Jaeger) that supports the OpenTelemetry Protocol.
+	///
+	/// Configure your OTLP endpoint using the OTEL_EXPORTER_OTLP_ENDPOINT
+	/// environment variable (defaults to http://localhost:4318).
+	#[serde(default, alias = "allow_jaeger")]
+	pub allow_otlp: bool,
 
+	/// Filter for OTLP tracing spans. This controls which spans are exported
+	/// to the OTLP collector.
+	///
 	/// default: "info"
-	#[serde(default = "default_jaeger_filter")]
-	pub jaeger_filter: String,
+	#[serde(default = "default_otlp_filter", alias = "jaeger_filter")]
+	pub otlp_filter: String,
 
 	/// If the 'perf_measurements' compile-time feature is enabled, enables
 	/// collecting folded stack trace profile of tracing spans using
@@ -1945,6 +1957,10 @@ pub struct Config {
 	pub allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure:
 		bool,
 
+	// external structure; separate section
+	#[serde(default)]
+	pub ldap: LdapConfig,
+
 	// external structure; separate section
 	#[serde(default)]
 	pub blurhashing: BlurhashConfig,
@@ -2039,6 +2055,114 @@ pub struct BlurhashConfig {
 	pub blurhash_max_raw_size: u64,
 }
 
+#[derive(Clone, Debug, Default, Deserialize)]
+#[config_example_generator(filename = "conduwuit-example.toml", section = "global.ldap")]
+pub struct LdapConfig {
+	/// Whether to enable LDAP login.
+	///
+	/// example: "true"
+	#[serde(default)]
+	pub enable: bool,
+
+	/// Whether to force LDAP authentication or authorize classical password
+	/// login.
+	///
+	/// example: "true"
+	#[serde(default)]
+	pub ldap_only: bool,
+
+	/// URI of the LDAP server.
+	///
+	/// example: "ldap://ldap.example.com:389"
+	///
+	/// default: ""
+	#[serde(default)]
+	pub uri: Option<Url>,
+
+	/// Root of the searches.
+	///
+	/// example: "ou=users,dc=example,dc=org"
+	///
+	/// default: ""
+	#[serde(default)]
+	pub base_dn: String,
+
+	/// Bind DN if anonymous search is not enabled.
+	///
+	/// You can use the variable `{username}` that will be replaced by the
+	/// entered username. In such case, the password used to bind will be the
+	/// one provided for the login and not the one given by
+	/// `bind_password_file`. Beware: automatically granting admin rights will
+	/// not work if you use this direct bind instead of a LDAP search.
+	///
+	/// example: "cn=ldap-reader,dc=example,dc=org" or
+	/// "cn={username},ou=users,dc=example,dc=org"
+	///
+	/// default: ""
+	#[serde(default)]
+	pub bind_dn: Option<String>,
+
+	/// Path to a file on the system that contains the password for the
+	/// `bind_dn`.
+	///
+	/// The server must be able to access the file, and it must not be empty.
+	///
+	/// default: ""
+	#[serde(default)]
+	pub bind_password_file: Option<PathBuf>,
+
+	/// Search filter to limit user searches.
+	///
+	/// You can use the variable `{username}` that will be replaced by the
+	/// entered username for more complex filters.
+	///
+	/// example: "(&(objectClass=person)(memberOf=matrix))"
+	///
+	/// default: "(objectClass=*)"
+	#[serde(default = "default_ldap_search_filter")]
+	pub filter: String,
+
+	/// Attribute to use to uniquely identify the user.
+	///
+	/// example: "uid" or "cn"
+	///
+	/// default: "uid"
+	#[serde(default = "default_ldap_uid_attribute")]
+	pub uid_attribute: String,
+
+	/// Attribute containing the display name of the user.
+	///
+	/// example: "givenName" or "sn"
+	///
+	/// default: "givenName"
+	#[serde(default = "default_ldap_name_attribute")]
+	pub name_attribute: String,
+
+	/// Root of the searches for admin users.
+	///
+	/// Defaults to `base_dn` if empty.
+	///
+	/// example: "ou=admins,dc=example,dc=org"
+	///
+	/// default: ""
+	#[serde(default)]
+	pub admin_base_dn: String,
+
+	/// The LDAP search filter to find administrative users for continuwuity.
+	///
+	/// If left blank, administrative state must be configured manually for each
+	/// user.
+	///
+	/// You can use the variable `{username}` that will be replaced by the
+	/// entered username for more complex filters.
+	///
+	/// example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
+	///
+	/// default: ""
+	#[serde(default)]
+	pub admin_filter: String,
+}
+
 #[derive(Deserialize, Clone, Debug)]
 #[serde(transparent)]
 struct ListeningPort {
@@ -2253,7 +2377,7 @@ fn default_tracing_flame_filter() -> String {
 		.to_owned()
 }
 
-fn default_jaeger_filter() -> String {
+fn default_otlp_filter() -> String {
 	cfg!(debug_assertions)
 		.then_some("trace,h2=off")
 		.unwrap_or("info")
@@ -2432,3 +2556,9 @@ pub(super) fn default_blurhash_x_component() -> u32 { 4 }
 pub(super) fn default_blurhash_y_component() -> u32 { 3 }
 
 // end recommended & blurhashing defaults
+
+fn default_ldap_search_filter() -> String { "(objectClass=*)".to_owned() }
+
+fn default_ldap_uid_attribute() -> String { String::from("uid") }
+
+fn default_ldap_name_attribute() -> String { String::from("givenName") }

src/core/debug.rs

@@ -100,7 +100,7 @@ pub fn trap() {
 
 #[must_use]
 pub fn panic_str(p: &Box<dyn Any + Send>) -> &'static str {
-	p.downcast_ref::<&str>().copied().unwrap_or_default()
+	(**p).downcast_ref::<&str>().copied().unwrap_or_default()
 }
 
 #[inline(always)]

src/core/error/mod.rs

@@ -110,6 +110,8 @@ pub enum Error {
 	InconsistentRoomState(&'static str, ruma::OwnedRoomId),
 	#[error(transparent)]
 	IntoHttp(#[from] ruma::api::error::IntoHttpError),
+	#[error("{0}")]
+	Ldap(Cow<'static, str>),
 	#[error(transparent)]
 	Mxc(#[from] ruma::MxcUriError),
 	#[error(transparent)]

src/core/info/room_version.rs

@@ -18,7 +18,7 @@ pub const STABLE_ROOM_VERSIONS: &[RoomVersionId] = &[
 
 /// Experimental, partially supported room versions
 pub const UNSTABLE_ROOM_VERSIONS: &[RoomVersionId] =
-	&[RoomVersionId::V2, RoomVersionId::V3, RoomVersionId::V4, RoomVersionId::V5];
+	&[RoomVersionId::V3, RoomVersionId::V4, RoomVersionId::V5];
 
 type RoomVersion = (RoomVersionId, RoomVersionStability);
 

src/database/Cargo.toml

@@ -66,6 +66,7 @@ serde.workspace = true
 serde_json.workspace = true
 tokio.workspace = true
 tracing.workspace = true
+ctor.workspace = true
 
 [lints]
 workspace = true

src/database/map/get_batch.rs

@@ -19,7 +19,7 @@ where
 	S: Stream<Item = K> + Send + 'a,
 	K: AsRef<[u8]> + Send + Sync + 'a,
 {
-	fn get(self, map: &'a Arc<super::Map>) -> impl Stream<Item = Result<Handle<'_>>> + Send + 'a;
+	fn get(self, map: &'a Arc<super::Map>) -> impl Stream<Item = Result<Handle<'a>>> + Send + 'a;
 }
 
 impl<'a, K, S> Get<'a, K, S> for S
@@ -29,7 +29,7 @@ where
 	K: AsRef<[u8]> + Send + Sync + 'a,
 {
 	#[inline]
-	fn get(self, map: &'a Arc<super::Map>) -> impl Stream<Item = Result<Handle<'_>>> + Send + 'a {
+	fn get(self, map: &'a Arc<super::Map>) -> impl Stream<Item = Result<Handle<'a>>> + Send + 'a {
 		map.get_batch(self)
 	}
 }
@@ -39,7 +39,7 @@ where
 pub(crate) fn get_batch<'a, S, K>(
 	self: &'a Arc<Self>,
 	keys: S,
-) -> impl Stream<Item = Result<Handle<'_>>> + Send + 'a
+) -> impl Stream<Item = Result<Handle<'a>>> + Send + 'a
 where
 	S: Stream<Item = K> + Send + 'a,
 	K: AsRef<[u8]> + Send + Sync + 'a,

src/database/map/keys.rs

@@ -10,7 +10,7 @@ use super::stream::is_cached;
 use crate::{keyval, keyval::Key, stream};
 
 #[implement(super::Map)]
-pub fn keys<'a, K>(self: &'a Arc<Self>) -> impl Stream<Item = Result<Key<'_, K>>> + Send
+pub fn keys<'a, K>(self: &'a Arc<Self>) -> impl Stream<Item = Result<Key<'a, K>>> + Send
 where
 	K: Deserialize<'a> + Send,
 {

src/database/map/keys_from.rs

@@ -15,7 +15,7 @@ use crate::{
 pub fn keys_from<'a, K, P>(
 	self: &'a Arc<Self>,
 	from: &P,
-) -> impl Stream<Item = Result<Key<'_, K>>> + Send + use<'a, K, P>
+) -> impl Stream<Item = Result<Key<'a, K>>> + Send + use<'a, K, P>
 where
 	P: Serialize + ?Sized + Debug,
 	K: Deserialize<'a> + Send,
@@ -40,7 +40,7 @@ where
 pub fn keys_raw_from<'a, K, P>(
 	self: &'a Arc<Self>,
 	from: &P,
-) -> impl Stream<Item = Result<Key<'_, K>>> + Send + use<'a, K, P>
+) -> impl Stream<Item = Result<Key<'a, K>>> + Send + use<'a, K, P>
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync,
 	K: Deserialize<'a> + Send,

src/database/map/keys_prefix.rs

@@ -10,7 +10,7 @@ use crate::keyval::{Key, result_deserialize_key, serialize_key};
 pub fn keys_prefix<'a, K, P>(
 	self: &'a Arc<Self>,
 	prefix: &P,
-) -> impl Stream<Item = Result<Key<'_, K>>> + Send + use<'a, K, P>
+) -> impl Stream<Item = Result<Key<'a, K>>> + Send + use<'a, K, P>
 where
 	P: Serialize + ?Sized + Debug,
 	K: Deserialize<'a> + Send,
@@ -37,7 +37,7 @@ where
 pub fn keys_raw_prefix<'a, K, P>(
 	self: &'a Arc<Self>,
 	prefix: &'a P,
-) -> impl Stream<Item = Result<Key<'_, K>>> + Send + 'a
+) -> impl Stream<Item = Result<Key<'a, K>>> + Send + 'a
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync + 'a,
 	K: Deserialize<'a> + Send + 'a,
@@ -50,7 +50,7 @@ where
 pub fn raw_keys_prefix<'a, P>(
 	self: &'a Arc<Self>,
 	prefix: &'a P,
-) -> impl Stream<Item = Result<Key<'_>>> + Send + 'a
+) -> impl Stream<Item = Result<Key<'a>>> + Send + 'a
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync + 'a,
 {

src/database/map/qry_batch.rs

@@ -17,7 +17,7 @@ where
 	S: Stream<Item = K> + Send + 'a,
 	K: Serialize + Debug,
 {
-	fn qry(self, map: &'a Arc<super::Map>) -> impl Stream<Item = Result<Handle<'_>>> + Send + 'a;
+	fn qry(self, map: &'a Arc<super::Map>) -> impl Stream<Item = Result<Handle<'a>>> + Send + 'a;
 }
 
 impl<'a, K, S> Qry<'a, K, S> for S
@@ -27,7 +27,7 @@ where
 	K: Serialize + Debug + 'a,
 {
 	#[inline]
-	fn qry(self, map: &'a Arc<super::Map>) -> impl Stream<Item = Result<Handle<'_>>> + Send + 'a {
+	fn qry(self, map: &'a Arc<super::Map>) -> impl Stream<Item = Result<Handle<'a>>> + Send + 'a {
 		map.qry_batch(self)
 	}
 }
@@ -37,7 +37,7 @@ where
 pub(crate) fn qry_batch<'a, S, K>(
 	self: &'a Arc<Self>,
 	keys: S,
-) -> impl Stream<Item = Result<Handle<'_>>> + Send + 'a
+) -> impl Stream<Item = Result<Handle<'a>>> + Send + 'a
 where
 	S: Stream<Item = K> + Send + 'a,
 	K: Serialize + Debug + 'a,

src/database/map/rev_keys.rs

@@ -10,7 +10,7 @@ use super::rev_stream::is_cached;
 use crate::{keyval, keyval::Key, stream};
 
 #[implement(super::Map)]
-pub fn rev_keys<'a, K>(self: &'a Arc<Self>) -> impl Stream<Item = Result<Key<'_, K>>> + Send
+pub fn rev_keys<'a, K>(self: &'a Arc<Self>) -> impl Stream<Item = Result<Key<'a, K>>> + Send
 where
 	K: Deserialize<'a> + Send,
 {

src/database/map/rev_keys_from.rs

@@ -15,7 +15,7 @@ use crate::{
 pub fn rev_keys_from<'a, K, P>(
 	self: &'a Arc<Self>,
 	from: &P,
-) -> impl Stream<Item = Result<Key<'_, K>>> + Send + use<'a, K, P>
+) -> impl Stream<Item = Result<Key<'a, K>>> + Send + use<'a, K, P>
 where
 	P: Serialize + ?Sized + Debug,
 	K: Deserialize<'a> + Send,
@@ -41,7 +41,7 @@ where
 pub fn rev_keys_raw_from<'a, K, P>(
 	self: &'a Arc<Self>,
 	from: &P,
-) -> impl Stream<Item = Result<Key<'_, K>>> + Send + use<'a, K, P>
+) -> impl Stream<Item = Result<Key<'a, K>>> + Send + use<'a, K, P>
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync,
 	K: Deserialize<'a> + Send,

src/database/map/rev_keys_prefix.rs

@@ -10,7 +10,7 @@ use crate::keyval::{Key, result_deserialize_key, serialize_key};
 pub fn rev_keys_prefix<'a, K, P>(
 	self: &'a Arc<Self>,
 	prefix: &P,
-) -> impl Stream<Item = Result<Key<'_, K>>> + Send + use<'a, K, P>
+) -> impl Stream<Item = Result<Key<'a, K>>> + Send + use<'a, K, P>
 where
 	P: Serialize + ?Sized + Debug,
 	K: Deserialize<'a> + Send,
@@ -37,7 +37,7 @@ where
 pub fn rev_keys_raw_prefix<'a, K, P>(
 	self: &'a Arc<Self>,
 	prefix: &'a P,
-) -> impl Stream<Item = Result<Key<'_, K>>> + Send + 'a
+) -> impl Stream<Item = Result<Key<'a, K>>> + Send + 'a
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync + 'a,
 	K: Deserialize<'a> + Send + 'a,
@@ -50,7 +50,7 @@ where
 pub fn rev_raw_keys_prefix<'a, P>(
 	self: &'a Arc<Self>,
 	prefix: &'a P,
-) -> impl Stream<Item = Result<Key<'_>>> + Send + 'a
+) -> impl Stream<Item = Result<Key<'a>>> + Send + 'a
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync + 'a,
 {

src/database/map/rev_stream.rs

@@ -14,7 +14,7 @@ use crate::{keyval, keyval::KeyVal, stream};
 #[implement(super::Map)]
 pub fn rev_stream<'a, K, V>(
 	self: &'a Arc<Self>,
-) -> impl Stream<Item = Result<KeyVal<'_, K, V>>> + Send
+) -> impl Stream<Item = Result<KeyVal<'a, K, V>>> + Send
 where
 	K: Deserialize<'a> + Send,
 	V: Deserialize<'a> + Send,

src/database/map/rev_stream_from.rs

@@ -20,7 +20,7 @@ use crate::{
 pub fn rev_stream_from<'a, K, V, P>(
 	self: &'a Arc<Self>,
 	from: &P,
-) -> impl Stream<Item = Result<KeyVal<'_, K, V>>> + Send + use<'a, K, V, P>
+) -> impl Stream<Item = Result<KeyVal<'a, K, V>>> + Send + use<'a, K, V, P>
 where
 	P: Serialize + ?Sized + Debug,
 	K: Deserialize<'a> + Send,
@@ -55,7 +55,7 @@ where
 pub fn rev_stream_raw_from<'a, K, V, P>(
 	self: &'a Arc<Self>,
 	from: &P,
-) -> impl Stream<Item = Result<KeyVal<'_, K, V>>> + Send + use<'a, K, V, P>
+) -> impl Stream<Item = Result<KeyVal<'a, K, V>>> + Send + use<'a, K, V, P>
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync,
 	K: Deserialize<'a> + Send,

src/database/map/rev_stream_prefix.rs

@@ -14,7 +14,7 @@ use crate::keyval::{KeyVal, result_deserialize, serialize_key};
 pub fn rev_stream_prefix<'a, K, V, P>(
 	self: &'a Arc<Self>,
 	prefix: &P,
-) -> impl Stream<Item = Result<KeyVal<'_, K, V>>> + Send + use<'a, K, V, P>
+) -> impl Stream<Item = Result<KeyVal<'a, K, V>>> + Send + use<'a, K, V, P>
 where
 	P: Serialize + ?Sized + Debug,
 	K: Deserialize<'a> + Send,
@@ -50,7 +50,7 @@ where
 pub fn rev_stream_raw_prefix<'a, K, V, P>(
 	self: &'a Arc<Self>,
 	prefix: &'a P,
-) -> impl Stream<Item = Result<KeyVal<'_, K, V>>> + Send + 'a
+) -> impl Stream<Item = Result<KeyVal<'a, K, V>>> + Send + 'a
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync + 'a,
 	K: Deserialize<'a> + Send + 'a,
@@ -68,7 +68,7 @@ where
 pub fn rev_raw_stream_prefix<'a, P>(
 	self: &'a Arc<Self>,
 	prefix: &'a P,
-) -> impl Stream<Item = Result<KeyVal<'_>>> + Send + 'a
+) -> impl Stream<Item = Result<KeyVal<'a>>> + Send + 'a
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync + 'a,
 {

src/database/map/stream.rs

@@ -14,7 +14,7 @@ use crate::{keyval, keyval::KeyVal, stream};
 #[implement(super::Map)]
 pub fn stream<'a, K, V>(
 	self: &'a Arc<Self>,
-) -> impl Stream<Item = Result<KeyVal<'_, K, V>>> + Send
+) -> impl Stream<Item = Result<KeyVal<'a, K, V>>> + Send
 where
 	K: Deserialize<'a> + Send,
 	V: Deserialize<'a> + Send,

src/database/map/stream_from.rs

@@ -19,7 +19,7 @@ use crate::{
 pub fn stream_from<'a, K, V, P>(
 	self: &'a Arc<Self>,
 	from: &P,
-) -> impl Stream<Item = Result<KeyVal<'_, K, V>>> + Send + use<'a, K, V, P>
+) -> impl Stream<Item = Result<KeyVal<'a, K, V>>> + Send + use<'a, K, V, P>
 where
 	P: Serialize + ?Sized + Debug,
 	K: Deserialize<'a> + Send,
@@ -53,7 +53,7 @@ where
 pub fn stream_raw_from<'a, K, V, P>(
 	self: &'a Arc<Self>,
 	from: &P,
-) -> impl Stream<Item = Result<KeyVal<'_, K, V>>> + Send + use<'a, K, V, P>
+) -> impl Stream<Item = Result<KeyVal<'a, K, V>>> + Send + use<'a, K, V, P>
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync,
 	K: Deserialize<'a> + Send,

src/database/map/stream_prefix.rs

@@ -14,7 +14,7 @@ use crate::keyval::{KeyVal, result_deserialize, serialize_key};
 pub fn stream_prefix<'a, K, V, P>(
 	self: &'a Arc<Self>,
 	prefix: &P,
-) -> impl Stream<Item = Result<KeyVal<'_, K, V>>> + Send + use<'a, K, V, P>
+) -> impl Stream<Item = Result<KeyVal<'a, K, V>>> + Send + use<'a, K, V, P>
 where
 	P: Serialize + ?Sized + Debug,
 	K: Deserialize<'a> + Send,
@@ -50,7 +50,7 @@ where
 pub fn stream_raw_prefix<'a, K, V, P>(
 	self: &'a Arc<Self>,
 	prefix: &'a P,
-) -> impl Stream<Item = Result<KeyVal<'_, K, V>>> + Send + 'a
+) -> impl Stream<Item = Result<KeyVal<'a, K, V>>> + Send + 'a
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync + 'a,
 	K: Deserialize<'a> + Send + 'a,
@@ -68,7 +68,7 @@ where
 pub fn raw_stream_prefix<'a, P>(
 	self: &'a Arc<Self>,
 	prefix: &'a P,
-) -> impl Stream<Item = Result<KeyVal<'_>>> + Send + 'a
+) -> impl Stream<Item = Result<KeyVal<'a>>> + Send + 'a
 where
 	P: AsRef<[u8]> + ?Sized + Debug + Sync + 'a,
 {

src/database/maps.rs

@@ -374,6 +374,10 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "userid_masterkeyid",
 		..descriptor::RANDOM_SMALL
 	},
+	Descriptor {
+		name: "userid_origin",
+		..descriptor::RANDOM
+	},
 	Descriptor {
 		name: "userid_password",
 		..descriptor::RANDOM

src/database/mod.rs

@@ -3,6 +3,8 @@
 extern crate conduwuit_core as conduwuit;
 extern crate rust_rocksdb as rocksdb;
 
+use ctor::{ctor, dtor};
+
 conduwuit::mod_ctor! {}
 conduwuit::mod_dtor! {}
 conduwuit::rustc_flags_capture! {}

src/database/pool.rs

@@ -443,7 +443,7 @@ pub(crate) fn into_send_seek(result: stream::State<'_>) -> stream::State<'static
 	unsafe { std::mem::transmute(result) }
 }
 
-fn into_recv_seek(result: stream::State<'static>) -> stream::State<'_> {
+fn into_recv_seek(result: stream::State<'static>) -> stream::State<'static> {
 	// SAFETY: This is to receive the State from the channel; see above.
 	unsafe { std::mem::transmute(result) }
 }

src/database/tests.rs

@@ -326,7 +326,7 @@ fn ser_array() {
 }
 
 #[test]
-#[ignore]
+#[ignore = "arrayvec deserialization is not implemented (separators)"]
 fn de_array() {
 	let a: u64 = 123_456;
 	let b: u64 = 987_654;
@@ -358,7 +358,7 @@ fn de_array() {
 }
 
 #[test]
-#[ignore]
+#[ignore = "Nested sequences are not supported"]
 fn de_complex() {
 	type Key<'a> = (&'a UserId, ArrayVec<u64, 2>, &'a RoomId);
 

src/macros/rustc.rs

@@ -13,13 +13,13 @@ pub(super) fn flags_capture(args: TokenStream) -> TokenStream {
 	let ret = quote! {
 		pub static RUSTC_FLAGS: [&str; #flag_len] = [#( #flag ),*];
 
-		#[conduwuit_core::ctor]
+		#[ctor]
 		fn _set_rustc_flags() {
 			conduwuit_core::info::rustc::FLAGS.lock().insert(#crate_name, &RUSTC_FLAGS);
 		}
 
 		// static strings have to be yanked on module unload
-		#[conduwuit_core::dtor]
+		#[dtor]
 		fn _unset_rustc_flags() {
 			conduwuit_core::info::rustc::FLAGS.lock().remove(#crate_name);
 		}

src/main/Cargo.toml

@@ -32,12 +32,12 @@ a cool hard fork of Conduit, a Matrix homeserver written in Rust"""
 section = "net"
 priority = "optional"
 conf-files = ["/etc/conduwuit/conduwuit.toml"]
-maintainer-scripts = "../../debian/"
-systemd-units = { unit-name = "conduwuit", start = false }
+maintainer-scripts = "../../pkg/debian/"
+systemd-units = { unit-name = "conduwuit", start = false, unit-scripts = "../../pkg/" }
 assets = [
-	["../../debian/README.md", "usr/share/doc/conduwuit/README.Debian", "644"],
+	["../../pkg/debian/README.md", "usr/share/doc/conduwuit/README.Debian", "644"],
 	["../../README.md", "usr/share/doc/conduwuit/", "644"],
-	["../../target/release/conduwuit", "usr/sbin/conduwuit", "755"],
+	["../../target/release/conduwuit", "usr/bin/conduwuit", "755"],
 	["../../conduwuit-example.toml", "etc/conduwuit/conduwuit.toml", "640"],
 ]
 
@@ -56,6 +56,7 @@ standard = [
 	"jemalloc",
 	"jemalloc_conf",
 	"journald",
+	"ldap",
 	"media_thumbnail",
 	"systemd",
 	"url_preview",
@@ -63,7 +64,7 @@ standard = [
 ]
 full = [
     "standard",
-    "hardened_malloc",
+    # "hardened_malloc", # Conflicts with jemalloc
     "jemalloc_prof",
     "perf_measurements",
     "tokio_console"
@@ -114,6 +115,9 @@ jemalloc_stats = [
 jemalloc_conf = [
 	"conduwuit-core/jemalloc_conf",
 ]
+ldap = [
+	"conduwuit-api/ldap",
+]
 media_thumbnail = [
 	"conduwuit-service/media_thumbnail",
 ]
@@ -122,7 +126,8 @@ perf_measurements = [
 	"dep:tracing-flame",
 	"dep:tracing-opentelemetry",
 	"dep:opentelemetry_sdk",
-	"dep:opentelemetry-jaeger",
+	"dep:opentelemetry-otlp",
+	"dep:opentelemetry-jaeger-propagator",
 	"conduwuit-core/perf_measurements",
 	"conduwuit-core/sentry_telemetry",
 ]
@@ -198,11 +203,14 @@ clap.workspace = true
 console-subscriber.optional = true
 console-subscriber.workspace = true
 const-str.workspace = true
+ctor.workspace = true
 log.workspace = true
-opentelemetry-jaeger.optional = true
-opentelemetry-jaeger.workspace = true
 opentelemetry.optional = true
 opentelemetry.workspace = true
+opentelemetry-otlp.optional = true
+opentelemetry-otlp.workspace = true
+opentelemetry-jaeger-propagator.optional = true
+opentelemetry-jaeger-propagator.workspace = true
 opentelemetry_sdk.optional = true
 opentelemetry_sdk.workspace = true
 sentry-tower.optional = true
@@ -222,6 +230,7 @@ tracing-subscriber.workspace = true
 tracing.workspace = true
 tracing-journald = { workspace = true, optional = true }
 
+
 [target.'cfg(all(not(target_env = "msvc"), target_os = "linux"))'.dependencies]
 hardened_malloc-rs.workspace = true
 hardened_malloc-rs.optional = true

src/main/logging.rs

@@ -7,6 +7,8 @@ use conduwuit_core::{
 	log::{ConsoleFormat, ConsoleWriter, LogLevelReloadHandles, capture, fmt_span},
 	result::UnwrapOrErr,
 };
+#[cfg(feature = "perf_measurements")]
+use opentelemetry::trace::TracerProvider;
 use tracing_subscriber::{EnvFilter, Layer, Registry, fmt, layer::SubscriberExt, reload};
 
 #[cfg(feature = "perf_measurements")]
@@ -87,30 +89,35 @@ pub(crate) fn init(
 			(None, None)
 		};
 
-		let jaeger_filter = EnvFilter::try_new(&config.jaeger_filter)
-			.map_err(|e| err!(Config("jaeger_filter", "{e}.")))?;
+		let otlp_filter = EnvFilter::try_new(&config.otlp_filter)
+			.map_err(|e| err!(Config("otlp_filter", "{e}.")))?;
 
-		let jaeger_layer = config.allow_jaeger.then(|| {
+		let otlp_layer = config.allow_otlp.then(|| {
 			opentelemetry::global::set_text_map_propagator(
-				opentelemetry_jaeger::Propagator::new(),
+				opentelemetry_jaeger_propagator::Propagator::new(),
 			);
 
-			let tracer = opentelemetry_jaeger::new_agent_pipeline()
-				.with_auto_split_batch(true)
-				.with_service_name(conduwuit_core::name())
-				.install_batch(opentelemetry_sdk::runtime::Tokio)
-				.expect("jaeger agent pipeline");
+			let exporter = opentelemetry_otlp::SpanExporter::builder()
+				.with_http()
+				.build()
+				.expect("Failed to create OTLP exporter");
+
+			let provider = opentelemetry_sdk::trace::SdkTracerProvider::builder()
+				.with_batch_exporter(exporter)
+				.build();
+
+			let tracer = provider.tracer(conduwuit_core::name());
 
 			let telemetry = tracing_opentelemetry::layer().with_tracer(tracer);
 
-			let (jaeger_reload_filter, jaeger_reload_handle) =
-				reload::Layer::new(jaeger_filter.clone());
-			reload_handles.add("jaeger", Box::new(jaeger_reload_handle));
+			let (otlp_reload_filter, otlp_reload_handle) =
+				reload::Layer::new(otlp_filter.clone());
+			reload_handles.add("otlp", Box::new(otlp_reload_handle));
 
-			Some(telemetry.with_filter(jaeger_reload_filter))
+			Some(telemetry.with_filter(otlp_reload_filter))
 		});
 
-		let subscriber = subscriber.with(flame_layer).with(jaeger_layer);
+		let subscriber = subscriber.with(flame_layer).with(otlp_layer);
 		(subscriber, flame_guard)
 	};
 

src/main/mod.rs

@@ -13,6 +13,7 @@ mod sentry;
 mod server;
 mod signal;
 
+use ctor::{ctor, dtor};
 use server::Server;
 
 rustc_flags_capture! {}

src/router/Cargo.toml

@@ -125,6 +125,7 @@ tokio.workspace = true
 tower.workspace = true
 tower-http.workspace = true
 tracing.workspace = true
+ctor.workspace = true
 
 [target.'cfg(all(unix, target_os = "linux"))'.dependencies]
 sd-notify.workspace = true

src/router/mod.rs

@@ -12,6 +12,7 @@ use std::{panic::AssertUnwindSafe, pin::Pin, sync::Arc};
 
 use conduwuit::{Error, Result, Server};
 use conduwuit_service::Services;
+use ctor::{ctor, dtor};
 use futures::{Future, FutureExt, TryFutureExt};
 
 conduwuit::mod_ctor! {}

src/router/serve/unix.rs

@@ -30,7 +30,7 @@ use tower::{Service, ServiceExt};
 
 type MakeService = IntoMakeServiceWithConnectInfo<Router, net::SocketAddr>;
 
-const NULL_ADDR: net::SocketAddr = net::SocketAddr::new(IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)), 0);
+const NULL_ADDR: net::SocketAddr = net::SocketAddr::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), 0);
 const FINI_POLL_INTERVAL: Duration = Duration::from_millis(750);
 
 #[tracing::instrument(skip_all, level = "debug")]

src/service/Cargo.toml

@@ -53,6 +53,9 @@ jemalloc_stats = [
 	"conduwuit-core/jemalloc_stats",
 	"conduwuit-database/jemalloc_stats",
 ]
+ldap = [
+    "dep:ldap3"
+]
 media_thumbnail = [
 	"dep:image",
 ]
@@ -89,6 +92,8 @@ image.workspace = true
 image.optional = true
 ipaddress.workspace = true
 itertools.workspace = true
+ldap3.workspace = true
+ldap3.optional = true
 log.workspace = true
 loole.workspace = true
 lru-cache.workspace = true
@@ -112,6 +117,7 @@ webpage.optional = true
 blurhash.workspace = true
 blurhash.optional = true
 recaptcha-verify = { version = "0.1.5", default-features = false }
+ctor.workspace = true
 
 [lints]
 workspace = true

src/service/admin/create.rs

@@ -38,7 +38,7 @@ pub async fn create_admin_room(services: &Services) -> Result {
 
 	// Create a user for the server
 	let server_user = services.globals.server_user.as_ref();
-	services.users.create(server_user, None)?;
+	services.users.create(server_user, None, None).await?;
 
 	let create_content = {
 		use RoomVersionId::*;

src/service/appservice/mod.rs

@@ -109,7 +109,10 @@ impl Service {
 		)?;
 
 		if !self.services.users.exists(&appservice_user_id).await {
-			self.services.users.create(&appservice_user_id, None)?;
+			self.services
+				.users
+				.create(&appservice_user_id, None, None)
+				.await?;
 		} else if self
 			.services
 			.users
@@ -120,7 +123,8 @@ impl Service {
 			// Reactivate the appservice user if it was accidentally deactivated
 			self.services
 				.users
-				.set_password(&appservice_user_id, None)?;
+				.set_password(&appservice_user_id, None)
+				.await?;
 		}
 
 		self.registration_info

src/service/emergency/mod.rs

@@ -41,6 +41,11 @@ impl crate::Service for Service {
 			return Ok(());
 		}
 
+		if self.services.config.ldap.enable {
+			warn!("emergency password feature not available with LDAP enabled.");
+			return Ok(());
+		}
+
 		self.set_emergency_access().await.inspect_err(|e| {
 			error!("Could not set the configured emergency password for the server user: {e}");
 		})
@@ -57,7 +62,8 @@ impl Service {
 
 		self.services
 			.users
-			.set_password(server_user, self.services.config.emergency_password.as_deref())?;
+			.set_password(server_user, self.services.config.emergency_password.as_deref())
+			.await?;
 
 		let (ruleset, pwd_set) = match self.services.config.emergency_password {
 			| Some(_) => (Ruleset::server_default(server_user), true),

src/service/migrations.rs

@@ -215,8 +215,8 @@ async fn db_lt_12(services: &Services) -> Result<()> {
 	for username in &services
 		.users
 		.list_local_users()
-		.map(UserId::to_owned)
-		.collect::<Vec<_>>()
+		.map(ToOwned::to_owned)
+		.collect::<Vec<OwnedUserId>>()
 		.await
 	{
 		let user = match UserId::parse_with_server_name(username.as_str(), &services.server.name)
@@ -295,8 +295,8 @@ async fn db_lt_13(services: &Services) -> Result<()> {
 	for username in &services
 		.users
 		.list_local_users()
-		.map(UserId::to_owned)
-		.collect::<Vec<_>>()
+		.map(ToOwned::to_owned)
+		.collect::<Vec<OwnedUserId>>()
 		.await
 	{
 		let user = match UserId::parse_with_server_name(username.as_str(), &services.server.name)

src/service/mod.rs

@@ -33,6 +33,7 @@ pub mod users;
 extern crate conduwuit_core as conduwuit;
 extern crate conduwuit_database as database;
 
+use ctor::{ctor, dtor};
 pub(crate) use service::{Args, Dep, Service};
 
 pub use crate::services::Services;

src/service/presence/mod.rs

@@ -183,8 +183,8 @@ impl Service {
 			.services
 			.users
 			.list_local_users()
-			.map(UserId::to_owned)
-			.collect::<Vec<_>>()
+			.map(ToOwned::to_owned)
+			.collect::<Vec<OwnedUserId>>()
 			.await
 		{
 			let presence = self.db.get_presence(user_id).await;

src/service/pusher/mod.rs

@@ -178,7 +178,7 @@ impl Service {
 	pub fn get_pushkeys<'a>(
 		&'a self,
 		sender: &'a UserId,
-	) -> impl Stream<Item = &str> + Send + 'a {
+	) -> impl Stream<Item = &'a str> + Send + 'a {
 		let prefix = (sender, Interfix);
 		self.db
 			.senderkey_pusher

src/service/rooms/alias/mod.rs

@@ -178,7 +178,7 @@ impl Service {
 	pub fn local_aliases_for_room<'a>(
 		&'a self,
 		room_id: &'a RoomId,
-	) -> impl Stream<Item = &RoomAliasId> + Send + 'a {
+	) -> impl Stream<Item = &'a RoomAliasId> + Send + 'a {
 		let prefix = (room_id, Interfix);
 		self.db
 			.aliasid_alias
@@ -188,7 +188,9 @@ impl Service {
 	}
 
 	#[tracing::instrument(skip(self), level = "debug")]
-	pub fn all_local_aliases<'a>(&'a self) -> impl Stream<Item = (&RoomId, &str)> + Send + 'a {
+	pub fn all_local_aliases<'a>(
+		&'a self,
+	) -> impl Stream<Item = (&'a RoomId, &'a str)> + Send + 'a {
 		self.db
 			.alias_roomid
 			.stream()

src/service/rooms/pdu_metadata/data.rs

@@ -60,7 +60,7 @@ impl Data {
 		target: ShortEventId,
 		from: PduCount,
 		dir: Direction,
-	) -> impl Stream<Item = (PduCount, impl Event)> + Send + '_ {
+	) -> impl Stream<Item = (PduCount, impl Event)> + Send + 'a {
 		// Query from exact position then filter excludes it (saturating_inc could skip
 		// events at min/max boundaries)
 		let from_unsigned = from.into_unsigned();

src/service/rooms/read_receipt/data.rs

@@ -65,7 +65,7 @@ impl Data {
 		&'a self,
 		room_id: &'a RoomId,
 		since: u64,
-	) -> impl Stream<Item = ReceiptItem<'_>> + Send + 'a {
+	) -> impl Stream<Item = ReceiptItem<'a>> + Send + 'a {
 		type Key<'a> = (&'a RoomId, u64, &'a UserId);
 		type KeyVal<'a> = (Key<'a>, CanonicalJsonObject);
 

src/service/rooms/read_receipt/mod.rs

@@ -112,7 +112,7 @@ impl Service {
 		&'a self,
 		room_id: &'a RoomId,
 		since: u64,
-	) -> impl Stream<Item = ReceiptItem<'_>> + Send + 'a {
+	) -> impl Stream<Item = ReceiptItem<'a>> + Send + 'a {
 		self.db.readreceipts_since(room_id, since)
 	}
 

src/service/rooms/search/mod.rs

@@ -104,7 +104,7 @@ pub fn deindex_pdu(&self, shortroomid: ShortRoomId, pdu_id: &RawPduId, message_b
 pub async fn search_pdus<'a>(
 	&'a self,
 	query: &'a RoomQuery<'a>,
-) -> Result<(usize, impl Stream<Item = impl Event + use<>> + Send + '_)> {
+) -> Result<(usize, impl Stream<Item = impl Event + use<>> + Send + 'a)> {
 	let pdu_ids: Vec<_> = self.search_pdu_ids(query).await?.collect().await;
 
 	let filter = &query.criteria.filter;
@@ -137,10 +137,10 @@ pub async fn search_pdus<'a>(
 // result is modeled as a stream such that callers don't have to be refactored
 // though an additional async/wrap still exists for now
 #[implement(Service)]
-pub async fn search_pdu_ids(
-	&self,
-	query: &RoomQuery<'_>,
-) -> Result<impl Stream<Item = RawPduId> + Send + '_ + use<'_>> {
+pub async fn search_pdu_ids<'a>(
+	&'a self,
+	query: &'a RoomQuery<'_>,
+) -> Result<impl Stream<Item = RawPduId> + Send + 'a + use<'a>> {
 	let shortroomid = self.services.short.get_shortroomid(query.room_id).await?;
 
 	let pdu_ids = self.search_pdu_ids_query_room(query, shortroomid).await;
@@ -173,7 +173,7 @@ fn search_pdu_ids_query_words<'a>(
 	&'a self,
 	shortroomid: ShortRoomId,
 	word: &'a str,
-) -> impl Stream<Item = RawPduId> + Send + '_ {
+) -> impl Stream<Item = RawPduId> + Send + 'a {
 	self.search_pdu_ids_query_word(shortroomid, word)
 		.map(move |key| -> RawPduId {
 			let key = &key[prefix_len(word)..];
@@ -183,11 +183,11 @@ fn search_pdu_ids_query_words<'a>(
 
 /// Iterate over raw database results for a word
 #[implement(Service)]
-fn search_pdu_ids_query_word(
-	&self,
+fn search_pdu_ids_query_word<'a>(
+	&'a self,
 	shortroomid: ShortRoomId,
-	word: &str,
-) -> impl Stream<Item = Val<'_>> + Send + '_ + use<'_> {
+	word: &'a str,
+) -> impl Stream<Item = Val<'a>> + Send + 'a + use<'a> {
 	// rustc says const'ing this not yet stable
 	let end_id: RawPduId = PduId {
 		shortroomid,

src/service/rooms/short/mod.rs

@@ -62,7 +62,7 @@ pub async fn get_or_create_shorteventid(&self, event_id: &EventId) -> ShortEvent
 pub fn multi_get_or_create_shorteventid<'a, I>(
 	&'a self,
 	event_ids: I,
-) -> impl Stream<Item = ShortEventId> + Send + '_
+) -> impl Stream<Item = ShortEventId> + Send + 'a
 where
 	I: Iterator<Item = &'a EventId> + Clone + Debug + Send + 'a,
 {

src/service/rooms/state/mod.rs

@@ -388,8 +388,7 @@ impl Service {
 	pub fn get_forward_extremities<'a>(
 		&'a self,
 		room_id: &'a RoomId,
-		_state_lock: &'a RoomMutexGuard,
-	) -> impl Stream<Item = &EventId> + Send + '_ {
+	) -> impl Stream<Item = &'a EventId> + Send + 'a {
 		let prefix = (room_id, Interfix);
 
 		self.db

src/service/rooms/state_cache/mod.rs

@@ -144,7 +144,7 @@ pub fn clear_appservice_in_room_cache(&self) { self.appservice_in_room_cache.wri
 pub fn room_servers<'a>(
 	&'a self,
 	room_id: &'a RoomId,
-) -> impl Stream<Item = &ServerName> + Send + 'a {
+) -> impl Stream<Item = &'a ServerName> + Send + 'a {
 	let prefix = (room_id, Interfix);
 	self.db
 		.roomserverids
@@ -167,7 +167,7 @@ pub async fn server_in_room<'a>(&'a self, server: &'a ServerName, room_id: &'a R
 pub fn server_rooms<'a>(
 	&'a self,
 	server: &'a ServerName,
-) -> impl Stream<Item = &RoomId> + Send + 'a {
+) -> impl Stream<Item = &'a RoomId> + Send + 'a {
 	let prefix = (server, Interfix);
 	self.db
 		.serverroomids
@@ -202,7 +202,7 @@ pub fn get_shared_rooms<'a>(
 	&'a self,
 	user_a: &'a UserId,
 	user_b: &'a UserId,
-) -> impl Stream<Item = &RoomId> + Send + 'a {
+) -> impl Stream<Item = &'a RoomId> + Send + 'a {
 	use conduwuit::utils::set;
 
 	let a = self.rooms_joined(user_a);
@@ -216,7 +216,7 @@ pub fn get_shared_rooms<'a>(
 pub fn room_members<'a>(
 	&'a self,
 	room_id: &'a RoomId,
-) -> impl Stream<Item = &UserId> + Send + 'a {
+) -> impl Stream<Item = &'a UserId> + Send + 'a {
 	let prefix = (room_id, Interfix);
 	self.db
 		.roomuserid_joined
@@ -239,7 +239,7 @@ pub async fn room_joined_count(&self, room_id: &RoomId) -> Result<u64> {
 pub fn local_users_in_room<'a>(
 	&'a self,
 	room_id: &'a RoomId,
-) -> impl Stream<Item = &UserId> + Send + 'a {
+) -> impl Stream<Item = &'a UserId> + Send + 'a {
 	self.room_members(room_id)
 		.ready_filter(|user| self.services.globals.user_is_local(user))
 }
@@ -251,7 +251,7 @@ pub fn local_users_in_room<'a>(
 pub fn active_local_users_in_room<'a>(
 	&'a self,
 	room_id: &'a RoomId,
-) -> impl Stream<Item = &UserId> + Send + 'a {
+) -> impl Stream<Item = &'a UserId> + Send + 'a {
 	self.local_users_in_room(room_id)
 		.filter(|user| self.services.users.is_active(user))
 }
@@ -273,7 +273,7 @@ pub async fn room_invited_count(&self, room_id: &RoomId) -> Result<u64> {
 pub fn room_useroncejoined<'a>(
 	&'a self,
 	room_id: &'a RoomId,
-) -> impl Stream<Item = &UserId> + Send + 'a {
+) -> impl Stream<Item = &'a UserId> + Send + 'a {
 	let prefix = (room_id, Interfix);
 	self.db
 		.roomuseroncejoinedids
@@ -288,7 +288,7 @@ pub fn room_useroncejoined<'a>(
 pub fn room_members_invited<'a>(
 	&'a self,
 	room_id: &'a RoomId,
-) -> impl Stream<Item = &UserId> + Send + 'a {
+) -> impl Stream<Item = &'a UserId> + Send + 'a {
 	let prefix = (room_id, Interfix);
 	self.db
 		.roomuserid_invitecount
@@ -303,7 +303,7 @@ pub fn room_members_invited<'a>(
 pub fn room_members_knocked<'a>(
 	&'a self,
 	room_id: &'a RoomId,
-) -> impl Stream<Item = &UserId> + Send + 'a {
+) -> impl Stream<Item = &'a UserId> + Send + 'a {
 	let prefix = (room_id, Interfix);
 	self.db
 		.roomuserid_knockedcount
@@ -347,7 +347,7 @@ pub async fn get_left_count(&self, room_id: &RoomId, user_id: &UserId) -> Result
 pub fn rooms_joined<'a>(
 	&'a self,
 	user_id: &'a UserId,
-) -> impl Stream<Item = &RoomId> + Send + 'a {
+) -> impl Stream<Item = &'a RoomId> + Send + 'a {
 	self.db
 		.userroomid_joined
 		.keys_raw_prefix(user_id)

src/service/rooms/state_cache/update.rs

@@ -49,7 +49,7 @@ pub async fn update_membership(
 	#[allow(clippy::collapsible_if)]
 	if !self.services.globals.user_is_local(user_id) {
 		if !self.services.users.exists(user_id).await {
-			self.services.users.create(user_id, None)?;
+			self.services.users.create(user_id, None, None).await?;
 		}
 	}
 

src/service/rooms/state_cache/via.rs

@@ -81,7 +81,7 @@ pub async fn servers_route_via(&self, room_id: &RoomId) -> Result<Vec<OwnedServe
 pub fn servers_invite_via<'a>(
 	&'a self,
 	room_id: &'a RoomId,
-) -> impl Stream<Item = &ServerName> + Send + 'a {
+) -> impl Stream<Item = &'a ServerName> + Send + 'a {
 	type KeyVal<'a> = (Ignore, Vec<&'a ServerName>);
 
 	self.db

src/service/users/mod.rs

@@ -1,11 +1,19 @@
+#[cfg(feature = "ldap")]
+use std::collections::HashMap;
 use std::{collections::BTreeMap, mem, sync::Arc};
 
+#[cfg(feature = "ldap")]
+use conduwuit::result::LogErr;
 use conduwuit::{
-	Err, Error, Result, Server, at, debug_warn, err, trace,
+	Err, Error, Result, Server, at, debug_warn, err, is_equal_to, trace,
 	utils::{self, ReadyExt, stream::TryIgnore, string::Unquoted},
 };
+#[cfg(feature = "ldap")]
+use conduwuit_core::{debug, error};
 use database::{Deserialized, Ignore, Interfix, Json, Map};
 use futures::{Stream, StreamExt, TryFutureExt};
+#[cfg(feature = "ldap")]
+use ldap3::{LdapConnAsync, Scope, SearchEntry};
 use ruma::{
 	DeviceId, KeyId, MilliSecondsSinceUnixEpoch, OneTimeKeyAlgorithm, OneTimeKeyId,
 	OneTimeKeyName, OwnedDeviceId, OwnedKeyId, OwnedMxcUri, OwnedUserId, RoomId, UInt, UserId,
@@ -63,6 +71,7 @@ struct Data {
 	userid_displayname: Arc<Map>,
 	userid_lastonetimekeyupdate: Arc<Map>,
 	userid_masterkeyid: Arc<Map>,
+	userid_origin: Arc<Map>,
 	userid_password: Arc<Map>,
 	userid_suspension: Arc<Map>,
 	userid_selfsigningkeyid: Arc<Map>,
@@ -100,6 +109,7 @@ impl crate::Service for Service {
 				userid_displayname: args.db["userid_displayname"].clone(),
 				userid_lastonetimekeyupdate: args.db["userid_lastonetimekeyupdate"].clone(),
 				userid_masterkeyid: args.db["userid_masterkeyid"].clone(),
+				userid_origin: args.db["userid_origin"].clone(),
 				userid_password: args.db["userid_password"].clone(),
 				userid_suspension: args.db["userid_suspension"].clone(),
 				userid_selfsigningkeyid: args.db["userid_selfsigningkeyid"].clone(),
@@ -136,9 +146,21 @@ impl Service {
 	}
 
 	/// Create a new user account on this homeserver.
+	///
+	/// User origin is by default "password" (meaning that it will login using
+	/// its user_id/password). Users with other origins (currently only "ldap"
+	/// is available) have special login processes.
 	#[inline]
-	pub fn create(&self, user_id: &UserId, password: Option<&str>) -> Result<()> {
-		self.set_password(user_id, password)
+	pub async fn create(
+		&self,
+		user_id: &UserId,
+		password: Option<&str>,
+		origin: Option<&str>,
+	) -> Result<()> {
+		self.db
+			.userid_origin
+			.insert(user_id, origin.unwrap_or("password"));
+		self.set_password(user_id, password).await
 	}
 
 	/// Deactivate account
@@ -152,7 +174,7 @@ impl Service {
 		// result in an empty string, so the user will not be able to log in again.
 		// Systems like changing the password without logging in should check if the
 		// account is deactivated.
-		self.set_password(user_id, None)?;
+		self.set_password(user_id, None).await?;
 
 		// TODO: Unhook 3PID
 		Ok(())
@@ -253,13 +275,34 @@ impl Service {
 			.ready_filter_map(|(u, p): (&UserId, &[u8])| (!p.is_empty()).then_some(u))
 	}
 
+	/// Returns the origin of the user (password/LDAP/...).
+	pub async fn origin(&self, user_id: &UserId) -> Result<String> {
+		self.db.userid_origin.get(user_id).await.deserialized()
+	}
+
 	/// Returns the password hash for the given user.
 	pub async fn password_hash(&self, user_id: &UserId) -> Result<String> {
 		self.db.userid_password.get(user_id).await.deserialized()
 	}
 
 	/// Hash and set the user's password to the Argon2 hash
-	pub fn set_password(&self, user_id: &UserId, password: Option<&str>) -> Result<()> {
+	pub async fn set_password(&self, user_id: &UserId, password: Option<&str>) -> Result<()> {
+		// Cannot change the password of a LDAP user. There are two special cases :
+		// - a `None` password can be used to deactivate a LDAP user
+		// - a "*" password is used as the default password of an active LDAP user
+		if cfg!(feature = "ldap")
+			&& password.is_some_and(|pwd| pwd != "*")
+			&& self
+				.db
+				.userid_origin
+				.get(user_id)
+				.await
+				.deserialized::<String>()
+				.is_ok_and(is_equal_to!("ldap"))
+		{
+			return Err!(Request(InvalidParam("Cannot change password of a LDAP user")));
+		}
+
 		password
 			.map(utils::hash::password)
 			.transpose()
@@ -379,7 +422,7 @@ impl Service {
 	pub fn all_device_ids<'a>(
 		&'a self,
 		user_id: &'a UserId,
-	) -> impl Stream<Item = &DeviceId> + Send + 'a {
+	) -> impl Stream<Item = &'a DeviceId> + Send + 'a {
 		let prefix = (user_id, Interfix);
 		self.db
 			.userdeviceid_metadata
@@ -727,7 +770,7 @@ impl Service {
 		user_id: &'a UserId,
 		from: u64,
 		to: Option<u64>,
-	) -> impl Stream<Item = &UserId> + Send + 'a {
+	) -> impl Stream<Item = &'a UserId> + Send + 'a {
 		self.keys_changed_user_or_room(user_id.as_str(), from, to)
 			.map(|(user_id, ..)| user_id)
 	}
@@ -738,7 +781,7 @@ impl Service {
 		room_id: &'a RoomId,
 		from: u64,
 		to: Option<u64>,
-	) -> impl Stream<Item = (&UserId, u64)> + Send + 'a {
+	) -> impl Stream<Item = (&'a UserId, u64)> + Send + 'a {
 		self.keys_changed_user_or_room(room_id.as_str(), from, to)
 	}
 
@@ -747,7 +790,7 @@ impl Service {
 		user_or_room_id: &'a str,
 		from: u64,
 		to: Option<u64>,
-	) -> impl Stream<Item = (&UserId, u64)> + Send + 'a {
+	) -> impl Stream<Item = (&'a UserId, u64)> + Send + 'a {
 		type KeyVal<'a> = ((&'a str, u64), &'a UserId);
 
 		let to = to.unwrap_or(u64::MAX);
@@ -1132,6 +1175,154 @@ impl Service {
 			self.db.useridprofilekey_value.del(key);
 		}
 	}
+
+	#[cfg(not(feature = "ldap"))]
+	pub async fn search_ldap(&self, _user_id: &UserId) -> Result<Vec<(String, bool)>> {
+		Err!(FeatureDisabled("ldap"))
+	}
+
+	#[cfg(feature = "ldap")]
+	pub async fn search_ldap(&self, user_id: &UserId) -> Result<Vec<(String, bool)>> {
+		let localpart = user_id.localpart().to_owned();
+		let lowercased_localpart = localpart.to_lowercase();
+
+		let config = &self.services.server.config.ldap;
+		let uri = config
+			.uri
+			.as_ref()
+			.ok_or_else(|| err!(Ldap(error!("LDAP URI is not configured."))))?;
+
+		debug!(?uri, "LDAP creating connection...");
+		let (conn, mut ldap) = LdapConnAsync::new(uri.as_str())
+			.await
+			.map_err(|e| err!(Ldap(error!(?user_id, "LDAP connection setup error: {e}"))))?;
+
+		let driver = self.services.server.runtime().spawn(async move {
+			match conn.drive().await {
+				| Err(e) => error!("LDAP connection error: {e}"),
+				| Ok(()) => debug!("LDAP connection completed."),
+			}
+		});
+
+		match (&config.bind_dn, &config.bind_password_file) {
+			| (Some(bind_dn), Some(bind_password_file)) => {
+				let bind_pw = String::from_utf8(std::fs::read(bind_password_file)?)?;
+				ldap.simple_bind(bind_dn, bind_pw.trim())
+					.await
+					.and_then(ldap3::LdapResult::success)
+					.map_err(|e| err!(Ldap(error!("LDAP bind error: {e}"))))?;
+			},
+			| (..) => {},
+		}
+
+		let attr = [&config.uid_attribute, &config.name_attribute];
+
+		let user_filter = &config.filter.replace("{username}", &lowercased_localpart);
+
+		let (entries, _result) = ldap
+			.search(&config.base_dn, Scope::Subtree, user_filter, &attr)
+			.await
+			.and_then(ldap3::SearchResult::success)
+			.inspect(|(entries, result)| trace!(?entries, ?result, "LDAP Search"))
+			.map_err(|e| err!(Ldap(error!(?attr, ?user_filter, "LDAP search error: {e}"))))?;
+
+		let mut dns: HashMap<String, bool> = entries
+			.into_iter()
+			.filter_map(|entry| {
+				let search_entry = SearchEntry::construct(entry);
+				debug!(?search_entry, "LDAP search entry");
+				search_entry
+					.attrs
+					.get(&config.uid_attribute)
+					.into_iter()
+					.chain(search_entry.attrs.get(&config.name_attribute))
+					.any(|ids| ids.contains(&localpart) || ids.contains(&lowercased_localpart))
+					.then_some((search_entry.dn, false))
+			})
+			.collect();
+
+		if !config.admin_filter.is_empty() {
+			let admin_base_dn = if config.admin_base_dn.is_empty() {
+				&config.base_dn
+			} else {
+				&config.admin_base_dn
+			};
+
+			let admin_filter = &config
+				.admin_filter
+				.replace("{username}", &lowercased_localpart);
+
+			let (admin_entries, _result) = ldap
+				.search(admin_base_dn, Scope::Subtree, admin_filter, &attr)
+				.await
+				.and_then(ldap3::SearchResult::success)
+				.inspect(|(entries, result)| trace!(?entries, ?result, "LDAP Admin Search"))
+				.map_err(|e| {
+					err!(Ldap(error!(?attr, ?admin_filter, "Ldap admin search error: {e}")))
+				})?;
+
+			dns.extend(admin_entries.into_iter().filter_map(|entry| {
+				let search_entry = SearchEntry::construct(entry);
+				debug!(?search_entry, "LDAP search entry");
+				search_entry
+					.attrs
+					.get(&config.uid_attribute)
+					.into_iter()
+					.chain(search_entry.attrs.get(&config.name_attribute))
+					.any(|ids| ids.contains(&localpart) || ids.contains(&lowercased_localpart))
+					.then_some((search_entry.dn, true))
+			}));
+		}
+
+		ldap.unbind()
+			.await
+			.map_err(|e| err!(Ldap(error!("LDAP unbind error: {e}"))))?;
+
+		driver.await.log_err().ok();
+
+		Ok(dns.drain().collect())
+	}
+
+	#[cfg(not(feature = "ldap"))]
+	pub async fn auth_ldap(&self, _user_dn: &str, _password: &str) -> Result {
+		Err!(FeatureDisabled("ldap"))
+	}
+
+	#[cfg(feature = "ldap")]
+	pub async fn auth_ldap(&self, user_dn: &str, password: &str) -> Result {
+		let config = &self.services.server.config.ldap;
+		let uri = config
+			.uri
+			.as_ref()
+			.ok_or_else(|| err!(Ldap(error!("LDAP URI is not configured."))))?;
+
+		debug!(?uri, "LDAP creating connection...");
+		let (conn, mut ldap) = LdapConnAsync::new(uri.as_str())
+			.await
+			.map_err(|e| err!(Ldap(error!(?user_dn, "LDAP connection setup error: {e}"))))?;
+
+		let driver = self.services.server.runtime().spawn(async move {
+			match conn.drive().await {
+				| Err(e) => error!("LDAP connection error: {e}"),
+				| Ok(()) => debug!("LDAP connection completed."),
+			}
+		});
+
+		ldap.simple_bind(user_dn, password)
+			.await
+			.and_then(ldap3::LdapResult::success)
+			.map_err(|e| {
+				err!(Request(Forbidden(debug_error!("LDAP authentication error: {e}"))))
+			})?;
+
+		ldap.unbind()
+			.await
+			.map_err(|e| err!(Ldap(error!("LDAP unbind error: {e}"))))?;
+
+		driver.await.log_err().ok();
+
+		Ok(())
+	}
 }
 
 pub fn parse_master_key(