From 4236e141f2c6791be6bee89af40006a6bf9ce9ce Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Sun, 11 Jan 2026 19:55:05 -0800 Subject: [PATCH] fix: address PR feedback (Round 3) - LDAP connection improvements & build fix - Improve `LDAPProvider` connection handling: - Use `net.Dialer` with configured timeout for connection establishment - Enforce TLS 1.2+ (`MinVersion: tls.VersionTLS12`) for both LDAPS and StartTLS - Fix build error in `s3api_sts.go` (format verb for ErrorCode) --- weed/iam/ldap/ldap_provider.go | 10 ++++++++-- weed/s3api/s3api_sts.go | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/weed/iam/ldap/ldap_provider.go b/weed/iam/ldap/ldap_provider.go index 623ad80b7..0b67e5f7b 100644 --- a/weed/iam/ldap/ldap_provider.go +++ b/weed/iam/ldap/ldap_provider.go @@ -4,6 +4,7 @@ import ( "context" "crypto/tls" "fmt" + "net" "strings" "sync" "time" @@ -199,20 +200,25 @@ func (p *LDAPProvider) connect() (*ldap.Conn, error) { var conn *ldap.Conn var err error + // Create dialer with timeout + dialer := &net.Dialer{Timeout: p.config.ConnectionTimeout} + // Parse server URL if strings.HasPrefix(p.config.Server, "ldaps://") { // LDAPS connection tlsConfig := &tls.Config{ InsecureSkipVerify: p.config.InsecureSkipVerify, + MinVersion: tls.VersionTLS12, } - conn, err = ldap.DialURL(p.config.Server, ldap.DialWithTLSConfig(tlsConfig)) + conn, err = ldap.DialURL(p.config.Server, ldap.DialWithDialer(dialer), ldap.DialWithTLSConfig(tlsConfig)) } else { // LDAP connection - conn, err = ldap.DialURL(p.config.Server) + conn, err = ldap.DialURL(p.config.Server, ldap.DialWithDialer(dialer)) if err == nil && p.config.UseTLS { // StartTLS tlsConfig := &tls.Config{ InsecureSkipVerify: p.config.InsecureSkipVerify, + MinVersion: tls.VersionTLS12, } err = conn.StartTLS(tlsConfig) } diff --git a/weed/s3api/s3api_sts.go b/weed/s3api/s3api_sts.go index ed63e812f..77b21c8cb 100644 --- a/weed/s3api/s3api_sts.go +++ b/weed/s3api/s3api_sts.go 
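Review bot: The StartTLS branch hands `conn.StartTLS(tlsConfig)` a tls.Config with no `ServerName`, so with `InsecureSkipVerify` left false crypto/tls is likely to reject the handshake ("either ServerName or InsecureSkipVerify must be specified") unless go-ldap fills the name in itself, which I can't confirm from this hunk; the practical effect is to push operators toward `InsecureSkipVerify: true`, i.e. no certificate verification at all. Parse the host out of `p.config.Server` once and share one config between the LDAPS and StartTLS paths, as sketched below (adds `net/url` to the import block); the LDAPS path currently works only because `tls.DialWithDialer` derives the name from the address. Two smaller points: `net.Dialer{Timeout: p.config.ConnectionTimeout}` with a zero `ConnectionTimeout` means no dial timeout at all, whereas omitting `DialWithDialer` kept go-ldap's default, so guard with a positive fallback if the config default is not enforced elsewhere, and the dialer bounds only the connect, not later bind/search round-trips, which `conn.SetTimeout(...)` would cover. Consider also logging a warning at connect time when `InsecureSkipVerify` is set, so a deployment that skips certificate validation is visible in the logs. The enclosing `else` block and the rest of `connect` continue past the end of the hunk.

```go
	// Create dialer with timeout
	dialer := &net.Dialer{Timeout: p.config.ConnectionTimeout}

	// Host name the server certificate must match; shared by LDAPS and StartTLS.
	u, err := url.Parse(p.config.Server)
	if err != nil {
		return nil, fmt.Errorf("parsing LDAP server URL %q: %w", p.config.Server, err)
	}
	tlsConfig := &tls.Config{
		ServerName:         u.Hostname(),
		InsecureSkipVerify: p.config.InsecureSkipVerify,
		MinVersion:         tls.VersionTLS12,
	}

	// Parse server URL
	if strings.HasPrefix(p.config.Server, "ldaps://") {
		// LDAPS connection
		conn, err = ldap.DialURL(p.config.Server, ldap.DialWithDialer(dialer), ldap.DialWithTLSConfig(tlsConfig))
	} else {
		// LDAP connection
		conn, err = ldap.DialURL(p.config.Server, ldap.DialWithDialer(dialer))
		if err == nil && p.config.UseTLS {
			// StartTLS
			err = conn.StartTLS(tlsConfig)
		}
```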
@@ -282,7 +282,7 @@ func (h *STSHandlers) handleAssumeRole(w http.ResponseWriter, r *http.Request) {
 if sigErrCode != s3err.ErrNone {
 glog.V(2).Infof("AssumeRole SigV4 verification failed: %v", sigErrCode)
 h.writeSTSErrorResponse(w, r, STSErrAccessDenied,
- fmt.Errorf("invalid AWS signature: %s", sigErrCode))
+ fmt.Errorf("invalid AWS signature: %v", sigErrCode))
 return
 }