From 512bf4b77f86d8e3875ed958d179d38745ba00cc Mon Sep 17 00:00:00 2001
From: Reto Kupferschmid <kupferschmid@puzzle.ch>
Date: Wed, 22 Mar 2023 07:39:58 +0100
Subject: [PATCH] ldap modules: add optional ca_cert_file option (#6185)

* add ca_cert_file option

* fix pr url

* Apply suggestions from code review

Co-authored-by: Felix Fontein <felix@fontein.de>

* update parameter name

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
---
 changelogs/fragments/xxxx-ldap-ca-cert-file.yml | 2 ++
 plugins/doc_fragments/ldap.py                   | 5 +++++
 plugins/module_utils/ldap.py                    | 5 +++++
 3 files changed, 12 insertions(+)
 create mode 100644 changelogs/fragments/xxxx-ldap-ca-cert-file.yml

diff --git a/changelogs/fragments/xxxx-ldap-ca-cert-file.yml b/changelogs/fragments/xxxx-ldap-ca-cert-file.yml
new file mode 100644
index 0000000000..9730e08271
--- /dev/null
+++ b/changelogs/fragments/xxxx-ldap-ca-cert-file.yml
@@ -0,0 +1,2 @@
+minor_changes:
+  - ldap modules - add ``ca_path`` option (https://github.com/ansible-collections/community.general/pull/6185).
diff --git a/plugins/doc_fragments/ldap.py b/plugins/doc_fragments/ldap.py
index 8cbe276945..b321c75eb8 100644
--- a/plugins/doc_fragments/ldap.py
+++ b/plugins/doc_fragments/ldap.py
@@ -24,6 +24,11 @@ options:
       - The password to use with I(bind_dn).
     type: str
     default: ''
+  ca_path:
+    description:
+      - Set the path to PEM file with CA certs.
+    type: path
+    version_added: "6.5.0"
   dn:
     required: true
     description:
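Review bot: The new `ca_path` description does not say when the file is actually used, so a reader cannot tell whether it applies to plain `ldap://` connections or whether it overrides I(verify_cert). Judging from the module_utils hunk further down, the CA file is only consulted for TLS sessions (presumably an `ldaps://` URI or I(start_tls)) and is effectively ignored when I(verify_cert) is false, because certificate checking is switched off before the CA file is set. Suggest keeping `- Set the path to PEM file with CA certs.` and adding a second bullet `- Only used for TLS connections (C(ldaps://) URIs or I(start_tls)); has no effect when I(verify_cert) is false.` so users do not assume it re-enables verification.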
diff --git a/plugins/module_utils/ldap.py b/plugins/module_utils/ldap.py
index cc6a37199b..6553713210 100644
--- a/plugins/module_utils/ldap.py
+++ b/plugins/module_utils/ldap.py
@@ -34,6 +34,7 @@ def gen_specs(**specs):
     specs.update({
         'bind_dn': dict(),
         'bind_pw': dict(default='', no_log=True),
+        'ca_path': dict(type='path'),
         'dn': dict(required=True),
         'referrals_chasing': dict(type='str', default='anonymous', choices=['disabled', 'anonymous']),
         'server_uri': dict(default='ldapi:///'),
@@ -52,6 +53,7 @@ class LdapGeneric(object):
         self.module = module
         self.bind_dn = self.module.params['bind_dn']
         self.bind_pw = self.module.params['bind_pw']
+        self.ca_path = self.module.params['ca_path']
         self.referrals_chasing = self.module.params['referrals_chasing']
         self.server_uri = self.module.params['server_uri']
         self.start_tls = self.module.params['start_tls']
@@ -97,6 +99,9 @@ class LdapGeneric(object):
         if not self.verify_cert:
             ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
 
+        if self.ca_path:
+            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca_path)
+
         connection = ldap.initialize(self.server_uri)
 
         if self.referrals_chasing == 'disabled':
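Review bot: The path in the new `if self.ca_path:` branch is handed straight to `ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ...)` without checking that it exists or is readable, so a mistyped path surfaces only later as an opaque TLS failure from libldap instead of a clear module error. A guard such as `if not os.path.isfile(self.ca_path): self.module.fail_json(msg='ca_path %s does not exist or is not a file' % self.ca_path)` before the set_option call (importing `os` if the module does not already) makes the failure mode explicit. Two lines above, `verify_cert=False` sets OPT_X_TLS_REQUIRE_CERT to NEVER, which silently makes the CA file irrelevant; a `self.module.warn('ca_path is ignored because verify_cert is false')` in that case would avoid users believing they have enabled verification. As far as I know this `set_option` on the `ldap` module is process-wide rather than per connection, which is acceptable for a one-shot Ansible module but deserves a one-line comment; the enclosing method continues past the end of the hunk.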