From 3d28c6e6d9065a0153d53ec2879c44025be50a19 Mon Sep 17 00:00:00 2001
From: Ryc O'Chet
Date: Mon, 8 Jun 2026 12:46:39 +0100
Subject: [PATCH 1/4] Add LDAP BindPasswordFile Fixes #927
---
 internal/model/config.go | 19 ++++++++++---------
 internal/service/ldap_service.go | 3 +++
 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/internal/model/config.go b/internal/model/config.go
index 0bd4f3b5..975d7e94 100644
--- a/internal/model/config.go
+++ b/internal/model/config.go
@@ -178,15 +178,16 @@ type UIConfig struct {
 }
 type LDAPConfig struct {
- Address string `description:"LDAP server address." yaml:"address"`
- BindDN string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
- BindPassword string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
- BaseDN string `description:"Base DN for LDAP searches." yaml:"baseDn"`
- Insecure bool `description:"Allow insecure LDAP connections." yaml:"insecure"`
- SearchFilter string `description:"LDAP search filter." yaml:"searchFilter"`
- AuthCert string `description:"Certificate for mTLS authentication." yaml:"authCert"`
- AuthKey string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
- GroupCacheTTL int `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
+ Address string `description:"LDAP server address." yaml:"address"`
+ BindDN string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
+ BindPassword string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
+ BindPasswordFile string `description:"Path to the Bind password." yaml:"bindPasswordFile"`
+ BaseDN string `description:"Base DN for LDAP searches." yaml:"baseDn"`
+ Insecure bool `description:"Allow insecure LDAP connections." yaml:"insecure"`
+ SearchFilter string `description:"LDAP search filter." yaml:"searchFilter"`
+ AuthCert string `description:"Certificate for mTLS authentication." yaml:"authCert"`
+ AuthKey string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
+ GroupCacheTTL int `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
 }
 type LogConfig struct {
diff --git a/internal/service/ldap_service.go b/internal/service/ldap_service.go
index cb0f0f5a..769ac38e 100644
--- a/internal/service/ldap_service.go
+++ b/internal/service/ldap_service.go
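Review bot: The description on the new `BindPasswordFile` field does not say what the file holds or how it interacts with `BindPassword` when both are set. Something like `description:"Path to a file containing the bind password for LDAP authentication."` would match the neighbouring fields, and the precedence applied by `utils.GetSecret` (not visible in this patch) should be stated in the user-facing docs. Since the option exists to keep the secret out of the main config, the docs could also say that the file should be readable only by the account the service runs as.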
@@ -212,6 +212,9 @@ func (ldap *LdapService) BindService(rebind bool) error {
 if ldap.cert != nil {
 return ldap.conn.ExternalBind()
 }
+ secret := utils.GetSecret(ldap.config.LDAP.BindPassword, ldap.config.LDAP.BindPasswordFile)
+ ldap.config.LDAP.BindPassword = secret
+ ldap.config.LDAP.BindPasswordFile = ""
 return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.config.LDAP.BindPassword)
 }
From b90f95a17df35b1d7d8e2f61b3bd3925887eb27f Mon Sep 17 00:00:00 2001
From: Ryc O'Chet
Date: Mon, 8 Jun 2026 12:55:01 +0100
Subject: [PATCH 2/4] Fix missing import
---
 internal/service/ldap_service.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/internal/service/ldap_service.go b/internal/service/ldap_service.go
index 769ac38e..d59c5680 100644
--- a/internal/service/ldap_service.go
+++ b/internal/service/ldap_service.go
@@ -11,6 +11,7 @@ import (
 ldapgo "github.com/go-ldap/ldap/v3"
 "github.com/steveiliop56/ding"
 "github.com/tinyauthapp/tinyauth/internal/model"
+ "github.com/tinyauthapp/tinyauth/internal/utils"
 "github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
From b68426d931efcf30b6400bf14f7e165325b40386 Mon Sep 17 00:00:00 2001
From: Ryc O'Chet
Date: Tue, 9 Jun 2026 10:28:23 +0100
Subject: [PATCH 3/4] Move secret loading to only run once
---
 internal/service/ldap_service.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/internal/service/ldap_service.go b/internal/service/ldap_service.go
index d59c5680..8f5272a1 100644
--- a/internal/service/ldap_service.go
+++ b/internal/service/ldap_service.go
@@ -62,6 +62,10 @@ func NewLdapService(
 */
 }
+ secret := utils.GetSecret(config.LDAP.BindPassword, config.LDAP.BindPasswordFile)
+ config.LDAP.BindPassword = secret
+ config.LDAP.BindPasswordFile = ""
 _, err := ldap.connect()
 if err != nil {
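Review bot: `utils.GetSecret` returns a single string in the `BindService` hunk of PATCH 1/4, so a missing or unreadable `bindPasswordFile` cannot be told apart from an empty password and would only surface later as an opaque bind failure. Consider failing explicitly before the field is cleared, e.g. `if ldap.config.LDAP.BindPasswordFile != "" && secret == "" { return errors.New("ldap: bind password file is empty or unreadable") }`. The same unchecked call is repeated in the `NewLdapService` hunks of PATCH 3/4 and PATCH 4/4, which is where the check belongs once the code has moved there. How GetSecret treats read errors and a trailing newline in the file is not visible in this series and should be confirmed against its implementation. BindService's body starts outside the hunk.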
@@ -213,9 +217,6 @@ func (ldap *LdapService) BindService(rebind bool) error {
 if ldap.cert != nil {
 return ldap.conn.ExternalBind()
 }
- secret := utils.GetSecret(ldap.config.LDAP.BindPassword, ldap.config.LDAP.BindPasswordFile)
- ldap.config.LDAP.BindPassword = secret
- ldap.config.LDAP.BindPasswordFile = ""
 return ldap.conn.Bind(ldap.config.LDAP.BindDN, ldap.config.LDAP.BindPassword)
 }
From 42ce47dab3d01476b3a179452e315adc1ef922e6 Mon Sep 17 00:00:00 2001
From: Ryc O'Chet
Date: Tue, 9 Jun 2026 10:53:44 +0100
Subject: [PATCH 4/4] Ensure the ldap service uses the correct value
---
 internal/service/ldap_service.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/internal/service/ldap_service.go b/internal/service/ldap_service.go
index 8f5272a1..819cb9d3 100644
--- a/internal/service/ldap_service.go
+++ b/internal/service/ldap_service.go
@@ -33,6 +33,10 @@ func NewLdapService(
 return nil, nil
 }
+ secret := utils.GetSecret(config.LDAP.BindPassword, config.LDAP.BindPasswordFile)
+ config.LDAP.BindPassword = secret
+ config.LDAP.BindPasswordFile = ""
+
 ldap := &LdapService{
 log: log,
 config: config,
@@ -62,10 +66,6 @@ func NewLdapService(
 */
 }
- secret := utils.GetSecret(config.LDAP.BindPassword, config.LDAP.BindPasswordFile)
- config.LDAP.BindPassword = secret
- config.LDAP.BindPasswordFile = ""
-
 _, err := ldap.connect()
 if err != nil {
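Review bot: In the first hunk of PATCH 4/4 the secret is resolved immediately before the `ldap := &LdapService{` literal that stores `config: config`, and the commit title suggests this ordering is what makes the service see the resolved password, but nothing in the code says so. A short comment such as `// Resolve the bind password before config is stored in LdapService below.` would keep a later refactor from moving the block back after the literal, which is where PATCH 3/4 had placed it. The resolved secret is also written into `config.LDAP.BindPassword`, so any code that logs or serialises the service's config would include it; whether such code exists is not visible here. NewLdapService starts and ends outside the hunk.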