added ca options

config/default.toml

@@ -123,6 +123,7 @@ passwordresetlink=""
 # Use a different user to bind LDAP (final bind DN will be: {{uidTag}}={{bindUser}},{{baseDN}})
 bindUser=""
 bindPassword=""
+#ca="self-signed-ca.pem"
 
 [ldapauth]
 # Alternative LDAP implementation using the more popular passport-ldapauth library.
@@ -138,6 +139,7 @@ passwordresetlink=""
 # Credentials for the initial search operation (final bind DN will be exactly as specified)
 bindUser="name@company.net"
 bindPassword="mySecretPassword"
+#ca="self-signed-ca.pem"
 
 [postfixbounce]
 # Enable to allow writing Postfix bounce log to Mailtrain listener

lib/passport.js

@@ -6,6 +6,7 @@ let _ = require('./translate')._;
 let util = require('util');
 
 let passport = require('passport');
+let fs = require('fs');
 let LocalStrategy = require('passport-local').Strategy;
 
 let csrf = require('csurf');
@@ -87,7 +88,12 @@ if (config.ldap.enabled && LdapStrategy) {
 
     let opts = {
         server: {
-            url: config.ldap.url
+            url: config.ldap.url,
+            tlsOptions: {
+                ca: config.ldap.ca ? [
+                    fs.readFileSync(config.ldap.ca)
+                ] : undefined
+            }
         },
         base: config.ldap.baseDN,
         search: {
@@ -135,7 +141,12 @@ if (config.ldap.enabled && LdapStrategy) {
             searchFilter: config.ldapauth.filter,
             searchAttributes: [config.ldapauth.uidTag, 'mail'],
             bindDN: config.ldapauth.bindUser,
-            bindCredentials: config.ldapauth.bindPassword
+            bindCredentials: config.ldapauth.bindPassword,
+            tlsOptions: {
+                ca: config.ldapauth.ca ? [
+                    fs.readFileSync(config.ldapauth.ca)
+                ] : undefined
+            }
         }
     };