modules/ldap/0002-both-ldap-and-ldaps.patch

@@ -0,0 +1,13 @@
+diff --git a/cmd/orchestrator/ldap.go b/cmd/orchestrator/ldap.go
+index ed0d466..a672046 100644
+--- a/cmd/orchestrator/ldap.go
++++ b/cmd/orchestrator/ldap.go
+@@ -130,7 +130,7 @@ func runLDAPServer(environment map[string]string) {
+ 
+ 	bindURL := "ldap:///"
+ 	if environment["PORTUNUS_SLAPD_TLS_CERTIFICATE"] != "" {
+-		bindURL = "ldaps:///"
++		bindURL = "ldap:/// ldaps:///"
+ 	}
+ 
+ 	logg.Info("starting LDAP server")

modules/ldap/default.nix

@@ -56,7 +56,10 @@ in
   services.portunus = {
     enable = true;
     package = pkgs.portunus.overrideAttrs (old: {
-      patches = [ ./0001-update-user-validation-regex.patch ];
+      patches = [
+        ./0001-update-user-validation-regex.patch
+        ./0002-both-ldap-and-ldaps.patch
+      ];
     });
 
     inherit domain;
@@ -68,9 +71,9 @@ in
       suffix = "dc=ifsr,dc=de";
       searchUserName = "search";
 
-      # disables port 389, use 636 with tls
+      # normally disables port 389 (but not with our patch), use 636 with tls
       # `portunus.domain` resolves to localhost
-      #tls = true;
+      tls = true;
     };
   };