🔒 feat: add option to disable TLS for LDAP authentication (#3247)

* feat: add ldap tls config * Update ldapStrategy.js * LDAP_TLS_REJECT_UNAUTHORIZED optional --------- Co-authored-by: Danny Avila <danacordially@gmail.com> Co-authored-by: Danny Avila <danny@librechat.ai>
danny-avila · Aug 5, 2024 · c2925cb · c2925cb
1 parent 7c9fbcf
commit c2925cb
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/.env.example b/.env.example
@@ -374,6 +374,7 @@ LDAP_BIND_CREDENTIALS=
 LDAP_USER_SEARCH_BASE=
 LDAP_SEARCH_FILTER=mail={{username}}
 LDAP_CA_CERT_PATH=
+# LDAP_TLS_REJECT_UNAUTHORIZED=
 # LDAP_LOGIN_USES_USERNAME=true
 # LDAP_ID=
 # LDAP_USERNAME=

diff --git a/api/strategies/ldapStrategy.js b/api/strategies/ldapStrategy.js
@@ -1,6 +1,7 @@
 const fs = require('fs');
 const LdapStrategy = require('passport-ldapauth');
 const { findUser, createUser, updateUser } = require('~/models/userMethods');
+const { isEnabled } = require('~/server/utils');
 const logger = require('~/utils/logger');
 
 const {
@@ -13,6 +14,7 @@ const {
   LDAP_FULL_NAME,
   LDAP_ID,
   LDAP_USERNAME,
+  LDAP_TLS_REJECT_UNAUTHORIZED,
 } = process.env;
 
 // Check required environment variables
@@ -41,6 +43,7 @@ if (LDAP_ID) {
 if (LDAP_USERNAME) {
   searchAttributes.push(LDAP_USERNAME);
 }
+const rejectUnauthorized = isEnabled(LDAP_TLS_REJECT_UNAUTHORIZED);
 
 const ldapOptions = {
   server: {
@@ -52,6 +55,7 @@ const ldapOptions = {
     searchAttributes: [...new Set(searchAttributes)],
     ...(LDAP_CA_CERT_PATH && {
       tlsOptions: {
+        rejectUnauthorized,
         ca: (() => {
           try {
             return [fs.readFileSync(LDAP_CA_CERT_PATH)];