From 55eb95ae73820acd7ca57aa15e4fa629f5e1e993 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 14 Feb 2020 13:56:52 +0100
Subject: [PATCH] Verify the TLS server's certificate

Do not proceed if a certificate is invalid
---
 site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index 5b069d5..a8c37e9 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -25,6 +25,7 @@ host_config:
 ldap_rootdn: "cn=xmpp,ou=<%= host[:name] %>,<%= @ldap_base %>"
 ldap_password: "<%= host[:ldap_password] %>"
 ldap_encrypt: <%= @ldap_encryption_type %>
+ ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid
 ldap_base: "ou=<%= host[:name] %>,<%= @ldap_base %>"
 ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= host[:name] %>,<%= @ldap_base %>)"
 <% end -%>
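Review bot: `ldap_tls_verify: hard` is added without a trust anchor beside it. No `ldap_tls_cacertfile` appears in the visible lines of this host entry, and ejabberd documents that option as required once certificate verification is switched on. If it is not already set elsewhere in the template (outside this hunk), add something like `ldap_tls_cacertfile: "<PATH_TO_CA_BUNDLE>"` (placeholder path) next to the new line. The check also only takes effect when `<%= @ldap_encryption_type %>` renders to `tls`; if it renders to `none`, the bind with `ldap_password` is still sent unencrypted and unverified, so the recipe should reject any other value for that attribute. The `host_config` entry begins before the hunk, so its earlier keys are not visible here.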