feat: add ldap_only config option

conduwuit-example.toml

@@ -1787,11 +1787,17 @@
 #
 #enable = false
 
+# Whether to force LDAP authentication or authorize classical password login.
+#
+# example: "true"
+#
+#ldap_only = false
+
 # URI of the LDAP server.
 #
 # example: "ldap://ldap.example.com:389"
 #
-#uri =
+#uri = ""
 
 # Root of the searches.
 #
@@ -1810,14 +1816,14 @@
 # example: "cn=ldap-reader,dc=example,dc=org" or
 # "cn={username},ou=users,dc=example,dc=org"
 #
-#bind_dn =
+#bind_dn = ""
 
 # Path to a file on the system that contains the password for the
 # `bind_dn`.
 #
 # The server must be able to access the file, and it must not be empty.
 #
-#bind_password_file = false
+#bind_password_file = ""
 
 # Search filter to limit user searches.
 #
@@ -1858,4 +1864,4 @@
 #
 # example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
 #
-#admin_filter =
+#admin_filter = ""

src/api/client/session.rs

@@ -3,10 +3,10 @@ use std::time::Duration;
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
-	Err, Error, Result, debug, err, info, utils,
+	Err, Error, Result, debug, err, info,
-	utils::{ReadyExt, hash},
+	utils::{self, ReadyExt, hash},
 };
-use conduwuit_core::debug_error;
+use conduwuit_core::{debug_error, debug_warn};
 use conduwuit_service::{Services, uiaa::SESSION_ID_LENGTH};
 use futures::StreamExt;
 use ruma::{
@@ -185,7 +185,14 @@ pub(crate) async fn handle_login(
 	}
 
 	if cfg!(feature = "ldap") && services.config.ldap.enable {
-		Box::pin(ldap_login(services, &user_id, &lowercased_user_id, password)).await
+		match Box::pin(ldap_login(services, &user_id, &lowercased_user_id, password)).await {
+			| Ok(user_id) => Ok(user_id),
+			| Err(err) if services.config.ldap.ldap_only => Err(err),
+			| Err(err) => {
+				debug_warn!("{err}");
+				password_login(services, &user_id, &lowercased_user_id, password).await
+			},
+		}
 	} else {
 		password_login(services, &user_id, &lowercased_user_id, password).await
 	}

src/core/config/mod.rs

@@ -2055,9 +2055,19 @@ pub struct LdapConfig {
 	#[serde(default)]
 	pub enable: bool,
 
+	/// Whether to force LDAP authentication or authorize classical password
+	/// login.
+	///
+	/// example: "true"
+	#[serde(default)]
+	pub ldap_only: bool,
+
 	/// URI of the LDAP server.
 	///
 	/// example: "ldap://ldap.example.com:389"
+	///
+	/// default: ""
+	#[serde(default)]
 	pub uri: Option<Url>,
 
 	/// Root of the searches.
@@ -2079,7 +2089,7 @@ pub struct LdapConfig {
 	/// example: "cn=ldap-reader,dc=example,dc=org" or
 	/// "cn={username},ou=users,dc=example,dc=org"
 	///
-	/// default:
+	/// default: ""
 	#[serde(default)]
 	pub bind_dn: Option<String>,
 
@@ -2087,6 +2097,8 @@ pub struct LdapConfig {
 	/// `bind_dn`.
 	///
 	/// The server must be able to access the file, and it must not be empty.
+	///
+	/// default: ""
 	#[serde(default)]
 	pub bind_password_file: Option<PathBuf>,
 
@@ -2137,7 +2149,7 @@ pub struct LdapConfig {
 	///
 	/// example: "(objectClass=conduwuitAdmin)" or "(uid={username})"
 	///
-	/// default:
+	/// default: ""
 	#[serde(default)]
 	pub admin_filter: String,
 }