Merge pull request #274 from artefactual/dev/ldap-tls

Update LDAP docs with TLS encryption

admin-manual/customization/authentication.rst

@@ -146,8 +146,18 @@ Protocol (IP) network" (Wikipedia). When this is enabled, users attempting to
 log in will use the credentials associated with their LDAP account, instead 
 of local account credentials, when :ref:`logging in <log-in>` to AtoM. 
 
-.. IMPORTANT::
+LDAP authentication in AtoM, by default, uses StartTLS for encryption. StartTLS
+starts an unencrypted plaintext connection to the LDAP server, on port 389, then
+upgrades the connection to begin Transport Layer Security (TLS) encryption. The
+use of StartTLS is on by default, but can be disabled via settings in the
+:ref:`app.yml <config-app-yml>`.
+
+.. WARNING::
 
+   While StartTLS encryption on the LDAP server can be disabled, we strongly 
+   discourage doing so in a production environment.
+
+.. IMPORTANT::
    To enable LDAP authentication in AtoM, manually installing the ``php-ldap``
    extension is required.
 

admin-manual/customization/config-files.rst

@@ -184,6 +184,10 @@ such as:
   additional details.
 * ``directives``: The CSP `directives` setting contains the CSP policy that will
   be sent in the CSP header. See :ref:`csp-configuration` for additional details.
+* ``enable_tls_encryption``: Controls StartTLS encryption for LDAP authentication.
+  It defaults to true, even if this variable is not defined in the file, enabling
+  StartTLS, but can be set to false to disable StartTLS encryption. See
+  :ref:`ldap-enabling` for additional details.
 
 .. image:: images/app-yml-settings.*
    :align: center