Remove the definition for LDAP tls options

https://community.openproject.org/work_packages/45959

app/models/setting.rb

@@ -336,15 +336,19 @@ def self.deserialize(name, value)
     definition = Settings::Definition[name]
 
     if definition.serialized? && value.is_a?(String)
-      YAML::safe_load(value, permitted_classes: [Symbol, ActiveSupport::HashWithIndifferentAccess, Date, Time, URI::Generic])
-        .tap { |maybe_hash| normalize_hash!(maybe_hash) if maybe_hash.is_a?(Hash) }
+      deserialize_hash(value)
     elsif value != ''.freeze && !value.nil?
       read_formatted_setting(value, definition.format)
     else
       definition.format == :string ? value : nil
     end
   end
 
+  def self.deserialize_hash(value)
+    YAML::safe_load(value, permitted_classes: [Symbol, ActiveSupport::HashWithIndifferentAccess, Date, Time, URI::Generic])
+      .tap { |maybe_hash| normalize_hash!(maybe_hash) if maybe_hash.is_a?(Hash) }
+  end
+
   def self.normalize_hash!(hash)
     hash.deep_stringify_keys!
     hash.deep_transform_values! { |v| v.is_a?(URI::Generic) ? v.to_s : v }

config/configuration.yml.example

@@ -383,16 +383,6 @@ default:
   #     user: admin
   #     password: admin
 
-  # Overriding LDAP TLS configuration
-  # You can set other TLS options for the LDAP auth source connection
-  # They are passed as the `tls_options` to the Net::LDAP gem
-  # see the following resources for more information
-  # https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap.rb
-  # https://ruby.github.io/openssl/OpenSSL/SSL/SSLContext.html
-  # For example, to specify a CA file
-  # ldap_tls_options:
-  #   ca_file: "/path/to/the/root-ca.crt"
-
   # By default, the APIv3 allows authentication through basic auth.
   # Uncomment the following line to restrict APIv3 access to session.
   # apiv3_enable_basic_auth: false

config/constants/settings/definition.rb

@@ -592,11 +592,6 @@ class Definition
         format: :boolean,
         default: false
       },
-      ldap_tls_options: {
-        format: :hash,
-        default: {},
-        writable: true
-      },
       log_level: {
         description: "Set the OpenProject logger level",
         default: Rails.env.development? ? "debug" : "info",

db/migrate/20221115082403_add_ldap_tls_options.rb

@@ -41,10 +41,25 @@ def change
       dir.up do
         # Current LDAP library default is to not verify the certificate
         MigratingAuthSource.reset_column_information
-        ldap_settings = (Setting.ldap_tls_options || {}).with_indifferent_access
-        verify_peer = ldap_settings[:verify_mode] == OpenSSL::SSL::VERIFY_PEER
-        MigratingAuthSource.update_all(verify_peer:)
+
+        ldap_settings = Setting.find_by(name: 'ldap_tls_options')&.value
+        migrate_ldap_settings(ldap_settings)
       end
     end
   end
+
+  private
+
+  def migrate_ldap_settings(ldap_settings)
+    return if ldap_settings.blank?
+
+    parsed = Setting.deserialize_hash(ldap_settings)
+    verify_peer = parsed['verify_mode'] == OpenSSL::SSL::VERIFY_PEER
+
+    MigratingAuthSource.update_all(verify_peer:)
+  rescue StandardError => e
+    Rails.logger.error do
+      "Failed to set LDAP verify_mode from settings: #{e.message}. Please double check your LDAP configuration."
+    end
+  end
 end

db/migrate/20240402065214_remove_ldap_tls_setting.rb

@@ -0,0 +1,9 @@
+class RemoveLdapTlsSetting < ActiveRecord::Migration[7.1]
+  def up
+    execute "DELETE FROM settings WHERE name = 'ldap_tls_options'"
+  end
+
+  def down
+    # Nothing to do
+  end
+end

spec/migrations/restore_defaults_on_empty_settings_spec.rb

@@ -61,13 +61,6 @@
     end
   end
 
-  context "with an empty setting which must be a hash" do
-    it_behaves_like "a successful migration of an empty setting" do
-      let(:setting_name) { "ldap_tls_options" }
-      let(:expected_value) { {} }
-    end
-  end
-
   context "with an empty setting which must be a string" do
     it_behaves_like "a successful migration of an empty setting" do
       let(:setting_name) { "default_language" }