feat(xo-server-auth-ldap): support startTLS

Fixes #4999

CHANGELOG.unreleased.md

@@ -12,6 +12,7 @@
 - [Network selector] Display pool's name [#4885](https://github.com/vatesfr/xen-orchestra/issues/4885) (PR [#4990](https://github.com/vatesfr/xen-orchestra/pull/4990))
 - [Usage report] Include CSV raw data files to the sent email [#4970](https://github.com/vatesfr/xen-orchestra/issues/4970) (PR [#4979](https://github.com/vatesfr/xen-orchestra/pull/4979))
 - [Modal] Don't close pop-up forms when you click outside or press escape (PR [#5002](https://github.com/vatesfr/xen-orchestra/pull/5002))
+- [Plugin/auth-ldap] Support `StartTLS` [#4999](https://github.com/vatesfr/xen-orchestra/issues/4999)
 
 ### Bug fixes
 
@@ -39,6 +40,7 @@
 >
 > In case of conflict, the highest (lowest in previous list) `$version` wins.
 
+- xo-server-auth-ldap minor
 - xo-server-sdn-controller patch
 - xo-server-usage-report minor
 - @xen-orchestra/fs patch

packages/xo-server-auth-ldap/src/index.js

@@ -102,6 +102,10 @@ Or something like this if you also want to filter by group:
       type: 'string',
       default: DEFAULTS.filter,
     },
+    startTls: {
+      title: 'Use StartTLS',
+      type: 'boolean',
+    },
   },
   required: ['uri', 'base'],
 }
@@ -157,11 +161,13 @@ class AuthLdap {
       bind: credentials,
       base: searchBase,
       filter: searchFilter = DEFAULTS.filter,
+      startTls = false,
     } = conf
 
     this._credentials = credentials
     this._searchBase = searchBase
     this._searchFilter = searchFilter
+    this._startTls = startTls
   }
 
   load() {
@@ -193,6 +199,10 @@ class AuthLdap {
     const client = new Client(this._clientOpts)
 
     try {
+      if (this._startTls) {
+        await client.startTLS(this._clientOpts.tlsOptions)
+      }
+
       // Bind if necessary.
       {
         const { _credentials: credentials } = this