From 18fd8f141634e81bf1b57406dde70e6b9b7995f4 Mon Sep 17 00:00:00 2001
From: Ravi Katiyar <32512108+ravi-katiyar@users.noreply.github.com>
Date: Sun, 28 Jul 2024 01:16:39 +0530
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20feat:=20add=20option=20to=20disa?=
 =?UTF-8?q?ble=20TLS=20for=20LDAP=20authentication=20(#3247)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* feat: add ldap tls config
* Update ldapStrategy.js
* LDAP_TLS_REJECT_UNAUTHORIZED optional
---------
Co-authored-by: Danny Avila
Co-authored-by: Danny Avila
---
 .env.example | 1 +
 api/strategies/ldapStrategy.js | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/.env.example b/.env.example
index d7f651c8dc..ca48394983 100644
--- a/.env.example
+++ b/.env.example
@@ -374,6 +374,7 @@ LDAP_BIND_CREDENTIALS=
 LDAP_USER_SEARCH_BASE=
 LDAP_SEARCH_FILTER=mail={{username}}
 LDAP_CA_CERT_PATH=
+# LDAP_TLS_REJECT_UNAUTHORIZED=
 # LDAP_LOGIN_USES_USERNAME=true
 # LDAP_ID=
 # LDAP_USERNAME=
diff --git a/api/strategies/ldapStrategy.js b/api/strategies/ldapStrategy.js
index 7b6898666a..756e1da422 100644
--- a/api/strategies/ldapStrategy.js
+++ b/api/strategies/ldapStrategy.js
@@ -1,6 +1,7 @@
 const fs = require('fs');
 const LdapStrategy = require('passport-ldapauth');
 const { findUser, createUser, updateUser } = require('~/models/userMethods');
+const { isEnabled } = require('~/server/utils');
 const logger = require('~/utils/logger');
 const {
@@ -13,6 +14,7 @@ const {
 LDAP_FULL_NAME,
 LDAP_ID,
 LDAP_USERNAME,
+LDAP_TLS_REJECT_UNAUTHORIZED,
 } = process.env;
 // Check required environment variables
@@ -41,6 +43,7 @@ if (LDAP_ID) {
 if (LDAP_USERNAME) {
 searchAttributes.push(LDAP_USERNAME);
 }
+const rejectUnauthorized = isEnabled(LDAP_TLS_REJECT_UNAUTHORIZED);
 const ldapOptions = {
 server: {
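Review bot: The new `const rejectUnauthorized = isEnabled(LDAP_TLS_REJECT_UNAUTHORIZED);` in the third hunk makes an unset variable evaluate to `rejectUnauthorized: false` if `isEnabled` (imported from `~/server/utils`, not shown here) returns false for `undefined`, which the commented-out entry in `.env.example` and the "optional" wording of the commit message suggest is the expected configuration. That would silently switch off certificate verification for every deployment that sets only LDAP_CA_CERT_PATH, so a connection that was verified before this upgrade is no longer protected against a spoofed LDAP server afterwards. Verification should stay on unless the operator explicitly opts out, e.g. `const rejectUnauthorized = LDAP_TLS_REJECT_UNAUTHORIZED == null ? true : isEnabled(LDAP_TLS_REJECT_UNAUTHORIZED);`, and the `.env.example` comment should state that only an explicit `false` changes behaviour.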
@@ -52,6 +55,7 @@ const ldapOptions = {
 searchAttributes: [...new Set(searchAttributes)],
 ...(LDAP_CA_CERT_PATH && {
 tlsOptions: {
+ rejectUnauthorized,
 ca: (() => {
 try {
 return [fs.readFileSync(LDAP_CA_CERT_PATH)];
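Review bot: `rejectUnauthorized` is added inside the `...(LDAP_CA_CERT_PATH && { tlsOptions: ... })` spread, so the new setting only takes effect when a CA path is also configured, and nothing in the variable name or `.env.example` tells an operator that. Because the value can turn off peer verification, the weakened state should be visible at startup rather than discoverable only by reading this block; a line such as `if (!rejectUnauthorized) { logger.warn('LDAP TLS certificate verification is disabled via LDAP_TLS_REJECT_UNAUTHORIZED'); }` next to the declaration, plus a comment on `tlsOptions` saying `// only applied when LDAP_CA_CERT_PATH is set`, would cover both points. The `ldapOptions` object and the `ca` IIFE continue past the end of this hunk.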