Merge pull request #1 from wrigby/tls_options

Ability to ignore SSL/TLS certs errors and to specify custom CAs.

packages/xo-server-auth-ldap/README.md

@@ -26,6 +26,18 @@ plugins:
   auth-ldap:
     uri: "ldap://ldap.example.org"
 
+    # Path to CA certificates to use when connecting to
+    # SSL-secured LDAP servers. If not specified, it will use
+    # a default set of well-known CAs.
+    ca_certificates:
+        - /path/to/ca_cert.pem
+        - /path/to/another/ca_cert.pem
+
+    # Check the validity of the server's certificate. Useful
+    # when connecting to servers that use a self-signed certificate.
+    # Defaults to true if not specified.
+    check_certificate: true
+
     # Credentials to use before looking for the user record.
     #
     # Default to anonymous.

packages/xo-server-auth-ldap/src/index.js

@@ -26,7 +26,8 @@ class AuthLdap {
   constructor (conf) {
     const clientOpts = {
       url: conf.uri,
-      maxConnections: 5
+      maxConnections: 5,
+      tlsOptions: { }
     }
 
     {
@@ -37,6 +38,14 @@ class AuthLdap {
       }
     }
 
+    if (conf.check_certificate !== undefined) {
+      clientOpts.tlsOptions.rejectUnauthorized = conf.check_certificate
+    }
+
+    if (conf.ca_certificates !== undefined) {
+      clientOpts.tlsOptions.ca = conf.ca_certificates
+    }
+
     const {base: searchBase} = conf
     const searchFilter = conf.filter || '(uid={{name}})'