From fe6152ea3110807eeec6cb31954a050df1ce6621 Mon Sep 17 00:00:00 2001
From: Adrian Woeltche
Date: Thu, 21 Jun 2018 15:58:46 +0200
Subject: [PATCH] added ca options
---
 config/default.toml | 2 ++
 lib/passport.js | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/config/default.toml b/config/default.toml
index 0f086856..563083bd 100644
--- a/config/default.toml
+++ b/config/default.toml
@@ -123,6 +123,7 @@ passwordresetlink=""
 # Use a different user to bind LDAP (final bind DN will be: {{uidTag}}={{bindUser}},{{baseDN}})
 bindUser=""
 bindPassword=""
+#ca="self-signed-ca.pem"
 [ldapauth]
 # Alternative LDAP implementation using the more popular passport-ldapauth library.
@@ -138,6 +139,7 @@ passwordresetlink=""
 # Credentials for the initial search operation (final bind DN will be exactly as specified)
 bindUser="name@company.net"
 bindPassword="mySecretPassword"
+#ca="self-signed-ca.pem"
 [postfixbounce]
 # Enable to allow writing Postfix bounce log to Mailtrain listener
diff --git a/lib/passport.js b/lib/passport.js
index 0e52e58e..ebbb5bfb 100644
--- a/lib/passport.js
+++ b/lib/passport.js
@@ -6,6 +6,7 @@ let _ = require('./translate')._;
 let util = require('util');
 let passport = require('passport');
+let fs = require('fs');
 let LocalStrategy = require('passport-local').Strategy;
 let csrf = require('csurf');
@@ -87,7 +88,12 @@ if (config.ldap.enabled && LdapStrategy) {
 let opts = {
 server: {
- url: config.ldap.url
+ url: config.ldap.url,
+ tlsOptions: {
+ ca: config.ldap.ca ? [
+ fs.readFileSync(config.ldap.ca)
+ ] : undefined
+ }
 },
 base: config.ldap.baseDN,
 search: {
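Review bot: `fs.readFileSync(config.ldap.ca)` inside the new `tlsOptions` runs at module load, so an unreadable path (the config example is a bare file name, which `fs` resolves against the process working directory) aborts startup with a raw ENOENT that never names the `ca` setting, and the identical expression is repeated in the `@@ -135` hunk for `config.ldapauth.ca`. Both sites would be clearer as one helper that reads the bundle once, rethrows with the setting name, and returns `undefined` when no CA is configured so the TLS layer keeps its default trust store. The commented-out `#ca=` examples in `config/default.toml` should say what the value does, e.g. `# PEM file with the CA certificate(s) used to verify the LDAP server; replaces the default trust store, relative paths resolve against the working directory`, since an explicit `ca` list replaces rather than extends Node's built-in CAs and — presumably, as the options are handed down to the TLS connection — only takes effect for `ldaps://` URLs or STARTTLS. The enclosing `if (config.ldap.enabled && LdapStrategy)` block and the `opts` literal continue outside the hunk.
```javascript
// Load the optional CA bundle once at startup. Returns undefined when no CA is
// configured so the TLS layer keeps its default trust store; an unreadable file
// fails here with the setting named, not later as an opaque TLS error at bind time.
function loadTlsOptions(caPath, settingName) {
    if (!caPath) {
        return undefined;
    }
    try {
        return { ca: [fs.readFileSync(caPath)] };
    } catch (err) {
        throw new Error(`${settingName}: cannot read CA file ${caPath} (${err.message})`);
    }
}

// … unchanged: strategy setup up to `let opts = {` …
        server: {
            url: config.ldap.url,
            tlsOptions: loadTlsOptions(config.ldap.ca, 'ldap.ca')
        },
// … unchanged: base, search, … (same replacement with config.ldapauth.ca / 'ldapauth.ca' in the @@ -135 hunk) …
```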
@@ -135,7 +141,12 @@ if (config.ldap.enabled && LdapStrategy) {
 searchFilter: config.ldapauth.filter,
 searchAttributes: [config.ldapauth.uidTag, 'mail'],
 bindDN: config.ldapauth.bindUser,
- bindCredentials: config.ldapauth.bindPassword
+ bindCredentials: config.ldapauth.bindPassword,
+ tlsOptions: {
+ ca: config.ldapauth.ca ? [
+ fs.readFileSync(config.ldapauth.ca)
+ ] : undefined
+ }
 }
 };