From 0966ba909b107ebbbf7f529d572c541615e7dd4a Mon Sep 17 00:00:00 2001
From: Will Rigby
Date: Thu, 16 Apr 2015 00:25:55 -0400
Subject: [PATCH 1/3] Allow connecting to SSL-secured servers with self-signed certificates

Adds a new configuration parameter ('check_certificate'), which gets wired up to the rejectUnauthorized option of tls.connect.
---
 packages/xo-server-auth-ldap/src/index.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/xo-server-auth-ldap/src/index.js b/packages/xo-server-auth-ldap/src/index.js
index f6e4402cf..9c713e92c 100644
--- a/packages/xo-server-auth-ldap/src/index.js
+++ b/packages/xo-server-auth-ldap/src/index.js
@@ -26,7 +26,8 @@ class AuthLdap {
 constructor (conf) {
 const clientOpts = {
 url: conf.uri,
- maxConnections: 5
+ maxConnections: 5,
+ tlsOptions: { }
 }

 {
@@ -37,6 +38,10 @@ class AuthLdap {
 }
 }

+ if (conf.check_certificate !== undefined) {
+ clientOpts.tlsOptions.rejectUnauthorized = conf.check_certificate
+ }
+
 const {base: searchBase} = conf
 const searchFilter = conf.filter || '(uid={{name}})'


From 068df6f2b122bdd528ca92bf57cac7fa71fdf89a Mon Sep 17 00:00:00 2001
From: Will Rigby
Date: Thu, 16 Apr 2015 00:48:04 -0400
Subject: [PATCH 2/3] Support specifying path(s) to CA certificate(s)

Wires the 'ca_certificates' configuration option through to tls.connect's 'ca' option.
---
 packages/xo-server-auth-ldap/src/index.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/packages/xo-server-auth-ldap/src/index.js b/packages/xo-server-auth-ldap/src/index.js
index 9c713e92c..5835152de 100644
--- a/packages/xo-server-auth-ldap/src/index.js
+++ b/packages/xo-server-auth-ldap/src/index.js
@@ -42,6 +42,10 @@ class AuthLdap {
 clientOpts.tlsOptions.rejectUnauthorized = conf.check_certificate
 }

+ if (conf.ca_certificates !== undefined) {
+ clientOpts.tlsOptions.ca = conf.ca_certificates
+ }
+
 const {base: searchBase} = conf
 const searchFilter = conf.filter || '(uid={{name}})'

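Review bot: `clientOpts.tlsOptions.rejectUnauthorized = conf.check_certificate` in the second hunk passes the config value through unvalidated, and only a literal `false` actually disables checking — any non-boolean value from the config (a string such as "false", for instance) is truthy and keeps validation on, which fails safe but will puzzle anyone whose config source does not yield booleans. Setting it to `false` turns off all certificate verification for the LDAP connection, so the bind credentials and every user password the plugin forwards go to whichever host answers on that port; that deserves an explicit signal at startup, e.g. `if (conf.check_certificate === false) console.warn('auth-ldap: TLS certificate validation disabled (check_certificate: false)')` using whatever logger the module already has. A short comment above the block saying that trusting the server's own CA through a certificate list is the safer alternative to disabling validation would help the next maintainer. The constructor this sits in starts and continues outside the hunk.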
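Review bot: `clientOpts.tlsOptions.ca = conf.ca_certificates` hands the configured values straight to tls.connect's `ca` option, but that option expects PEM certificate contents (strings or Buffers, or an array of them) rather than file paths, while the README added in the third patch documents `ca_certificates` as a list of paths; as written the trust store would hold the literal path strings and every server certificate would fail validation (or, with `check_certificate: false`, pass unchecked). The block should load the files, e.g. `const paths = [].concat(conf.ca_certificates)` followed by `clientOpts.tlsOptions.ca = paths.map(path => readFileSync(path))`, with `fs` imported at the top of the file, which is outside this hunk. A comment above the block should also state that supplying `ca` replaces Node's built-in CA set rather than extending it, so a server signed by a public CA stops validating once this option is set. The enclosing constructor starts and ends outside the hunk.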
From 03cc8248bc8675d82e8455b967b04aa7aa312c5e Mon Sep 17 00:00:00 2001
From: Will Rigby
Date: Thu, 16 Apr 2015 00:59:29 -0400
Subject: [PATCH 3/3] Update documentation

---
 packages/xo-server-auth-ldap/README.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/packages/xo-server-auth-ldap/README.md b/packages/xo-server-auth-ldap/README.md
index b88e20f2d..add959999 100644
--- a/packages/xo-server-auth-ldap/README.md
+++ b/packages/xo-server-auth-ldap/README.md
@@ -26,6 +26,18 @@ plugins:
 auth-ldap:
 uri: "ldap://ldap.example.org"

+ # Path to CA certificates to use when connecting to
+ # SSL-secured LDAP servers. If not specified, it will use
+ # a default set of well-known CAs.
+ ca_certificates:
+ - /path/to/ca_cert.pem
+ - /path/to/another/ca_cert.pem
+
+ # Check the validity of the server's certificate. Useful
+ # when connecting to servers that use a self-signed certificate.
+ # Defaults to true if not specified.
+ check_certificate: true
+
 # Credentials to use before looking for the user record.
 #
 # Default to anonymous.