fix: address PR feedback (Round 3) - LDAP connection improvements & build fix

- Improve `LDAPProvider` connection handling:
  - Use `net.Dialer` with configured timeout for connection establishment
  - Enforce TLS 1.2+ (`MinVersion: tls.VersionTLS12`) for both LDAPS and StartTLS
- Fix build error in `s3api_sts.go` (format verb for ErrorCode)

weed/iam/ldap/ldap_provider.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"net"
 	"strings"
 	"sync"
 	"time"
@@ -199,20 +200,25 @@ func (p *LDAPProvider) connect() (*ldap.Conn, error) {
 	var conn *ldap.Conn
 	var err error
 
+	// Create dialer with timeout
+	dialer := &net.Dialer{Timeout: p.config.ConnectionTimeout}
+
 	// Parse server URL
 	if strings.HasPrefix(p.config.Server, "ldaps://") {
 		// LDAPS connection
 		tlsConfig := &tls.Config{
 			InsecureSkipVerify: p.config.InsecureSkipVerify,
+			MinVersion:         tls.VersionTLS12,
 		}
-		conn, err = ldap.DialURL(p.config.Server, ldap.DialWithTLSConfig(tlsConfig))
+		conn, err = ldap.DialURL(p.config.Server, ldap.DialWithDialer(dialer), ldap.DialWithTLSConfig(tlsConfig))
 	} else {
 		// LDAP connection
-		conn, err = ldap.DialURL(p.config.Server)
+		conn, err = ldap.DialURL(p.config.Server, ldap.DialWithDialer(dialer))
 		if err == nil && p.config.UseTLS {
 			// StartTLS
 			tlsConfig := &tls.Config{
 				InsecureSkipVerify: p.config.InsecureSkipVerify,
+				MinVersion:         tls.VersionTLS12,
 			}
 			err = conn.StartTLS(tlsConfig)
 		}

weed/s3api/s3api_sts.go

@@ -282,7 +282,7 @@ func (h *STSHandlers) handleAssumeRole(w http.ResponseWriter, r *http.Request) {
 	if sigErrCode != s3err.ErrNone {
 		glog.V(2).Infof("AssumeRole SigV4 verification failed: %v", sigErrCode)
 		h.writeSTSErrorResponse(w, r, STSErrAccessDenied,
-			fmt.Errorf("invalid AWS signature: %s", sigErrCode))
+			fmt.Errorf("invalid AWS signature: %v", sigErrCode))
 		return
 	}