From 5325f2ea7864ce5f42a9a6df3408af7ffbd32591 Mon Sep 17 00:00:00 2001
From: Adrian Woeltche
Date: Thu, 21 Jun 2018 15:15:44 +0200
Subject: [PATCH 1/2] ldap change to url for making it possible to use ldaps:// too

---
 config/default.toml | 6 ++----
 lib/passport.js | 4 ++--
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/config/default.toml b/config/default.toml
index e31cef4e..0f086856 100644
--- a/config/default.toml
+++ b/config/default.toml
@@ -114,8 +114,7 @@ host="0.0.0.0"
 [ldap]
 # enable to use ldap user backend
 enabled=false
-host="localhost"
-port=3002
+url="ldap://localhost:3002"
 baseDN="ou=users,dc=company"
 filter="(|(username={{username}})(mail={{username}}))"
 #Username field in LDAP (uid/cn/username)
@@ -128,8 +127,7 @@ bindPassword=""
 [ldapauth]
 # Alternative LDAP implementation using the more popular passport-ldapauth library.
 enabled=false
-host="localhost"
-port=389
+url="ldap://localhost:389"
 # Subtree in which the searchrequest for the user is done
 baseDN="ou=users,dc=company"
 # What whe are searching for. This should return a single user.
diff --git a/lib/passport.js b/lib/passport.js
index 9e1f0fc0..0e52e58e 100644
--- a/lib/passport.js
+++ b/lib/passport.js
@@ -87,7 +87,7 @@ if (config.ldap.enabled && LdapStrategy) {
 
     let opts = {
         server: {
-            url: 'ldap://' + config.ldap.host + ':' + config.ldap.port
+            url: config.ldap.url
         },
         base: config.ldap.baseDN,
         search: {
@@ -130,7 +130,7 @@ if (config.ldap.enabled && LdapStrategy) {
     log.info('Using LDAP auth (passport-ldapauth)');
     let opts = {
         server: {
-            url: 'ldap://' + config.ldap.host + ':' + config.ldap.port,
+            url: config.ldapauth.url,
             searchBase: config.ldapauth.baseDN,
             searchFilter: config.ldapauth.filter,
             searchAttributes: [config.ldapauth.uidTag, 'mail'],

From fe6152ea3110807eeec6cb31954a050df1ce6621 Mon Sep 17 00:00:00 2001
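Review bot: The new `url="ldap://localhost:3002"` default says nothing about the point of the change, which is that the scheme now decides whether TLS is used; add above it `# ldap:// for plain LDAP, ldaps:// for LDAP over TLS (the scheme selects the transport)`. The same comment belongs above `url="ldap://localhost:389"` in the [ldapauth] hunk. Since the old `host`/`port` keys are gone, a one-line `# replaces the former host/port settings` would also spare operators a search through the history when their existing config stops being honoured.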
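Review bot: `url: config.ldap.url` has no fallback for the `host`/`port` keys this commit removes from default.toml, so a deployment that still sets only those keys in its own config file (presumably merged over default.toml by the config module) now passes `url: undefined` to the strategy and fails at connect time instead of with a clear configuration error. Either keep a transitional fallback, `url: config.ldap.url || ('ldap://' + config.ldap.host + ':' + config.ldap.port),`, or fail fast at startup with a message naming the `ldap.url` setting. The same applies to `url: config.ldapauth.url` in the second passport.js hunk, whose removed line read `config.ldap.host`/`port` rather than the [ldapauth] section, so the fallback there should use `config.ldapauth.*` and the change note should mention that this also corrects which section is read. The enclosing block around `let opts` begins and ends outside both hunks.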
From: Adrian Woeltche
Date: Thu, 21 Jun 2018 15:58:46 +0200
Subject: [PATCH 2/2] added ca options

---
 config/default.toml | 2 ++
 lib/passport.js | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/config/default.toml b/config/default.toml
index 0f086856..563083bd 100644
--- a/config/default.toml
+++ b/config/default.toml
@@ -123,6 +123,7 @@ passwordresetlink=""
 # Use a different user to bind LDAP (final bind DN will be: {{uidTag}}={{bindUser}},{{baseDN}})
 bindUser=""
 bindPassword=""
+#ca="self-signed-ca.pem"
 
 [ldapauth]
 # Alternative LDAP implementation using the more popular passport-ldapauth library.
@@ -138,6 +139,7 @@ passwordresetlink=""
 # Credentials for the initial search operation (final bind DN will be exactly as specified)
 bindUser="name@company.net"
 bindPassword="mySecretPassword"
+#ca="self-signed-ca.pem"
 
 [postfixbounce]
 # Enable to allow writing Postfix bounce log to Mailtrain listener
diff --git a/lib/passport.js b/lib/passport.js
index 0e52e58e..ebbb5bfb 100644
--- a/lib/passport.js
+++ b/lib/passport.js
@@ -6,6 +6,7 @@ let _ = require('./translate')._;
 let util = require('util');
 
 let passport = require('passport');
+let fs = require('fs');
 let LocalStrategy = require('passport-local').Strategy;
 
 let csrf = require('csurf');
@@ -87,7 +88,12 @@ if (config.ldap.enabled && LdapStrategy) {
 
     let opts = {
         server: {
-            url: config.ldap.url
+            url: config.ldap.url,
+            tlsOptions: {
+                ca: config.ldap.ca ? [
+                    fs.readFileSync(config.ldap.ca)
+                ] : undefined
+            }
         },
         base: config.ldap.baseDN,
         search: {
@@ -135,7 +141,12 @@ if (config.ldap.enabled && LdapStrategy) {
             searchFilter: config.ldapauth.filter,
             searchAttributes: [config.ldapauth.uidTag, 'mail'],
             bindDN: config.ldapauth.bindUser,
-            bindCredentials: config.ldapauth.bindPassword
+            bindCredentials: config.ldapauth.bindPassword,
+            tlsOptions: {
+                ca: config.ldapauth.ca ? [
+                    fs.readFileSync(config.ldapauth.ca)
+                ] : undefined
+            }
         }
     };
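Review bot: The new `#ca="self-signed-ca.pem"` example does not say what the file is, how the path is resolved, or what setting it changes; add above it `# PEM file with the CA certificate(s) to trust for the server's TLS certificate (ldaps://); a relative path is resolved against the working directory Mailtrain is started from`. It is also worth stating that, when set, this list replaces Node's default trust store for the LDAP connection, so it should stay unset for a server whose certificate chains to a public CA. The same comment belongs above the second `#ca=` line in the [ldapauth] hunk.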
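Review bot: `fs.readFileSync(config.ldap.ca)` runs at module load and, for a missing or unreadable path, surfaces a bare ENOENT/EACCES with no hint that `ldap.ca` is the setting at fault; the identical block in the ldapauth hunk below has the same problem and the two copies will drift. The site also deserves a comment that passing `ca` replaces Node's default trust store for this connection, so it is meant for a private or self-signed CA only. A small module-level helper used from both hunks keeps the read in one place and names the setting in the error. The enclosing block around `let opts` begins and ends outside the hunk.
```javascript
// Load the configured CA bundle for tlsOptions, or undefined when no CA file is set.
// When set, this list replaces Node's default trust store for the LDAP connection.
function loadLdapCa(caPath, settingName) {
    if (!caPath) {
        return undefined;
    }
    try {
        return [fs.readFileSync(caPath)];
    } catch (err) {
        throw new Error('Unable to read ' + settingName + ' file "' + caPath + '": ' + err.message);
    }
}

// … unchanged: opts.server.url …
            tlsOptions: {
                ca: loadLdapCa(config.ldap.ca, 'ldap.ca')
            }
```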