From 1ee5c1f416f520af6cbaf8290049b2ebfb388fa0 Mon Sep 17 00:00:00 2001
From: "mikhail.sarnov"
Date: Thu, 5 Mar 2026 12:32:10 +0100
Subject: [PATCH] feat(synapse): add ca_certs_file support for LDAP TLS
Add matrix_synapse_ext_password_provider_ldap_tls_options_ca_certs_file variable to allow specifying a custom CA certificate file for LDAP TLS verification. Useful when Synapse is running in a container that does not trust a private/internal CA by default. Example usage: matrix_synapse_ext_password_provider_ldap_tls_options_ca_certs_file: /etc/ssl/certs/my-ca.crt
---
 roles/custom/matrix-synapse/defaults/main.yml | 1 +
 .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 606e84f70..bd46a2e2b 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -1410,6 +1410,7 @@ matrix_synapse_ext_password_provider_ldap_filter: ""
 matrix_synapse_ext_password_provider_ldap_active_directory: false
 matrix_synapse_ext_password_provider_ldap_default_domain: ""
 matrix_synapse_ext_password_provider_ldap_tls_options_validate: true
+matrix_synapse_ext_password_provider_ldap_tls_options_ca_certs_file: ""
 # Enable this to activate the Synapse Antispam spam-checker module.
 # See: https://github.com/t2bot/synapse-simple-antispam
diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 65c32dac4..61c306ef3 100644
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -2540,6 +2540,9 @@ password_providers:
 filter: {{ matrix_synapse_ext_password_provider_ldap_filter | string|to_json }}
 tls_options:
 validate: {{ matrix_synapse_ext_password_provider_ldap_tls_options_validate | to_json }}
+{% if matrix_synapse_ext_password_provider_ldap_tls_options_ca_certs_file %}
+ ca_certs_file: {{ matrix_synapse_ext_password_provider_ldap_tls_options_ca_certs_file | string | to_json }}
+{% endif %}
 {% endif %}
 {% endif %}
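Review bot: The new `ca_certs_file` key under `tls_options` is rendered whenever the variable is non-empty, independently of the `validate` line just above it. A deployment that sets `matrix_synapse_ext_password_provider_ldap_tls_options_validate: false` can therefore carry a CA path that looks like pinned trust while the LDAP server certificate is not checked at all. The role should reject that combination in its variable validation, or at least state in defaults/main.yml that the CA file only takes effect with validation enabled. The path is also read from inside the Synapse container and nothing in this patch mounts it there, so a wrong or unmounted path would probably surface only as LDAP login failures at runtime. The defaults entry has no comment; something like `# Path, as seen from inside the Synapse container, to the CA bundle used to verify the LDAP server certificate. Only used when ..._tls_options_validate is true.` would help. The enclosing `password_providers` block starts and ends outside the hunk.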