Server: allow self-signed certificate for ldap auth

laurent22 · Dec 17, 2024 · 8c43f80 · 8c43f80
1 parent 51d5d58
commit 8c43f80
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 1 deletion.
diff --git a/packages/server/src/config.ts b/packages/server/src/config.ts
@@ -125,6 +125,7 @@ function ldapConfigFromEnv(env: EnvVariables): LdapConfig[] {
 			baseDN: env.LDAP_1_BASE_DN,
 			bindDN: env.LDAP_1_BIND_DN,
 			bindPW: env.LDAP_1_BIND_PW,
+			sslCaFile: env.LDAP_1_SSL_CA_FILE,
 		});
 	}
 
@@ -138,6 +139,7 @@ function ldapConfigFromEnv(env: EnvVariables): LdapConfig[] {
 			baseDN: env.LDAP_2_BASE_DN,
 			bindDN: env.LDAP_2_BIND_DN,
 			bindPW: env.LDAP_2_BIND_PW,
+			sslCaFile: env.LDAP_2_SSL_CA_FILE,
 		});
 	}
 	return ldapConfig;

diff --git a/packages/server/src/env.ts b/packages/server/src/env.ts
@@ -137,6 +137,7 @@ const defaultEnvValues: EnvVariables = {
 	LDAP_1_BASE_DN: '',
 	LDAP_1_BIND_DN: '', // used for user search - leave empty if ldap server allows anonymous bind
 	LDAP_1_BIND_PW: '', // used for user search - leave empty if ldap server allows anonymous bind
+	LDAP_1_SSL_CA_FILE: '', // used for self-signed certificate with ldaps - leave empty if using ldap or server uses CA-issued certificate
 
 	LDAP_2_ENABLED: false,
 	LDAP_2_USER_AUTO_CREATION: true, // if set to true, users will be created on the fly after ldap authentication
@@ -146,6 +147,7 @@ const defaultEnvValues: EnvVariables = {
 	LDAP_2_BASE_DN: '',
 	LDAP_2_BIND_DN: '', // used for user search - leave empty if ldap server allows anonymous bind
 	LDAP_2_BIND_PW: '', // used for user search - leave empty if ldap server allows anonymous bind
+	LDAP_2_SSL_CA_FILE: '', // used for self-signed certificate with ldaps - leave empty if using ldap or server uses CA-issued certificate
 
 };
 
@@ -228,6 +230,7 @@ export interface EnvVariables {
 	LDAP_1_BASE_DN: string;
 	LDAP_1_BIND_DN: string;
 	LDAP_1_BIND_PW: string;
+	LDAP_1_SSL_CA_FILE: string;
 
 	LDAP_2_ENABLED: boolean;
 	LDAP_2_USER_AUTO_CREATION: boolean;
@@ -237,6 +240,7 @@ export interface EnvVariables {
 	LDAP_2_BASE_DN: string;
 	LDAP_2_BIND_DN: string;
 	LDAP_2_BIND_PW: string;
+	LDAP_2_SSL_CA_FILE: string;
 }
 
 const parseBoolean = (s: string): boolean => {

diff --git a/packages/server/src/utils/ldapLogin.ts b/packages/server/src/utils/ldapLogin.ts
@@ -3,6 +3,7 @@ import { User } from '../services/database/types';
 import Logger from '@joplin/utils/Logger';
 import { LdapConfig } from './types';
 import { ErrorForbidden } from './errors';
+import { readFileSync } from 'node:fs';
 
 const logger = Logger.create('LDAP');
 
@@ -16,6 +17,7 @@ export default async function ldapLogin(email: string, password: string, user: U
 	const baseDN = config.baseDN;
 	const bindDN = config.bindDN;
 	const bindPW = config.bindPW;
+	const sslCaFile = config.sslCaFile;
 
 	logger.info(`Starting authentication with Server ${host}`);
 
@@ -25,10 +27,21 @@ export default async function ldapLogin(email: string, password: string, user: U
 
 	if (enabled) {
 		let searchResults;
+
+		let tlsOptions;
+		if (sslCaFile.length !== 0) {
+			tlsOptions = {
+				ca: [readFileSync(sslCaFile)],
+			};
+		} else {
+			null;
+		}
+
 		const client = new Client({
 			url: host,
 			timeout: 5000,
 			connectTimeout: 1000,
+			tlsOptions: tlsOptions,
 		});
 
 		if (bindDN.length !== 0) {

diff --git a/packages/server/src/utils/types.ts b/packages/server/src/utils/types.ts
@@ -141,6 +141,7 @@ export interface LdapConfig {
 	baseDN: string;
 	bindDN: string;
 	bindPW: string;
+	sslCaFile?: string;
 }
 
 export interface Config extends EnvVariables {

diff --git a/packages/tools/cspell/dictionary4.txt b/packages/tools/cspell/dictionary4.txt
@@ -151,4 +151,5 @@ devbox
 Favorite
 tablist
 Edubirdie
-Useviral
+Useviral
+ldaps