From c715c9160459fccca5aab096bbdeffd0fdb2a89e Mon Sep 17 00:00:00 2001
From: Mikhail Loginov
Date: Tue, 23 Jun 2026 20:48:30 +0300
Subject: [PATCH] Fix LDAP TLS client cert options must be set before ldap_connect() for Google Secure LDAP
---
 .../2.x/authent-ldap/datamodel.authent-ldap.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/datamodels/2.x/authent-ldap/datamodel.authent-ldap.xml b/datamodels/2.x/authent-ldap/datamodel.authent-ldap.xml
index 2d60a7030e..1fad9acd57 100644
--- a/datamodels/2.x/authent-ldap/datamodel.authent-ldap.xml
+++ b/datamodels/2.x/authent-ldap/datamodel.authent-ldap.xml
@@ -104,6 +104,18 @@
 $this->LogInfo($bDebug, "ldap_set_option('LDAP_OPT_DEBUG_LEVEL', '{$aOptions[LDAP_OPT_DEBUG_LEVEL]}') returned ".($bRet ? 'true' : 'false'));
 }
 
+ // Set TLS options globally BEFORE ldap_connect() - required for ldaps:// with client certificates
+ // (e.g. Google Workspace Secure LDAP). OpenLDAP requires TLS context options (LDAP_OPT_X_TLS_CACERTFILE,
+ // LDAP_OPT_X_TLS_CERTFILE, LDAP_OPT_X_TLS_KEYFILE) to be set on the global context (null) before
+ // ldap_connect() is called, otherwise the TLS handshake fails on the first attempt per PHP-FPM worker.
+ foreach ($aOptions as $name => $value)
+ {
+ ldap_set_option(null, $name, $value);
+ $this->LogInfo($bDebug, "ldap_set_option(null, '$name', '$value')");
+ }
+ // Reinitialize TLS context so the new options take effect before connecting
+ ldap_set_option(null, LDAP_OPT_X_TLS_NEWCTX, 0);
+
 $hDS = @ldap_connect($sURI);
 if ($hDS === false)
 {
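Review bot: The return value of `ldap_set_option(null, $name, $value)` inside the new foreach is discarded and the log line records nothing about success, unlike the surrounding LDAP_OPT_DEBUG_LEVEL context line which logs `returned true/false`; since a silently rejected TLS option is exactly the failure this patch is meant to diagnose, capture it the same way: `$bRet = ldap_set_option(null, $name, $value);` and `$this->LogInfo($bDebug, "ldap_set_option(null, '$name', '$value') returned ".($bRet ? 'true' : 'false'));`. The same applies to the `LDAP_OPT_X_TLS_NEWCTX` call, whose result is also ignored. The loop also applies every entry of `$aOptions` to the global context, not only the three TLS keys the comment names, and global LDAP options persist for the lifetime of the PHP-FPM worker, so a later request that uses a different LDAP configuration would presumably inherit them unless they are reset — restricting the loop to the TLS options, or documenting that the module assumes a single LDAP configuration per process, would make that explicit. Interpolating `'$value'` into the log message presumably assumes every option value is scalar; confirm nothing array-valued can reach `$aOptions`. The enclosing method starts and ends outside this hunk.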