Skip to content

Commit

Permalink
Server: Allow self-signed certificate for ldap auth (#11531)
Browse files Browse the repository at this point in the history
Co-authored-by: Laurent Cozic <[email protected]>
  • Loading branch information
rcrisanti and laurent22 authored Dec 19, 2024
1 parent 3cba4ec commit 28ff17a
Show file tree
Hide file tree
Showing 6 changed files with 25 additions and 1 deletion.
2 changes: 2 additions & 0 deletions packages/server/src/config.ts
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,7 @@ function ldapConfigFromEnv(env: EnvVariables): LdapConfig[] {
baseDN: env.LDAP_1_BASE_DN,
bindDN: env.LDAP_1_BIND_DN,
bindPW: env.LDAP_1_BIND_PW,
tlsCaFile: env.LDAP_1_TLS_CA_FILE,
});
}

Expand All @@ -138,6 +139,7 @@ function ldapConfigFromEnv(env: EnvVariables): LdapConfig[] {
baseDN: env.LDAP_2_BASE_DN,
bindDN: env.LDAP_2_BIND_DN,
bindPW: env.LDAP_2_BIND_PW,
tlsCaFile: env.LDAP_2_TLS_CA_FILE,
});
}
return ldapConfig;
Expand Down
4 changes: 4 additions & 0 deletions packages/server/src/env.ts
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,7 @@ const defaultEnvValues: EnvVariables = {
LDAP_1_BASE_DN: '',
LDAP_1_BIND_DN: '', // used for user search - leave empty if ldap server allows anonymous bind
LDAP_1_BIND_PW: '', // used for user search - leave empty if ldap server allows anonymous bind
LDAP_1_TLS_CA_FILE: '', // used for self-signed certificate with ldaps - leave empty if using ldap or server uses CA-issued certificate

LDAP_2_ENABLED: false,
LDAP_2_USER_AUTO_CREATION: true, // if set to true, users will be created on the fly after ldap authentication
Expand All @@ -146,6 +147,7 @@ const defaultEnvValues: EnvVariables = {
LDAP_2_BASE_DN: '',
LDAP_2_BIND_DN: '', // used for user search - leave empty if ldap server allows anonymous bind
LDAP_2_BIND_PW: '', // used for user search - leave empty if ldap server allows anonymous bind
LDAP_2_TLS_CA_FILE: '', // used for self-signed certificate with ldaps - leave empty if using ldap or server uses CA-issued certificate

};

Expand Down Expand Up @@ -228,6 +230,7 @@ export interface EnvVariables {
LDAP_1_BASE_DN: string;
LDAP_1_BIND_DN: string;
LDAP_1_BIND_PW: string;
LDAP_1_TLS_CA_FILE: string;

LDAP_2_ENABLED: boolean;
LDAP_2_USER_AUTO_CREATION: boolean;
Expand All @@ -237,6 +240,7 @@ export interface EnvVariables {
LDAP_2_BASE_DN: string;
LDAP_2_BIND_DN: string;
LDAP_2_BIND_PW: string;
LDAP_2_TLS_CA_FILE: string;
}

const parseBoolean = (s: string): boolean => {
Expand Down
5 changes: 5 additions & 0 deletions packages/server/src/routes/api/sessions.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,7 @@ describe('api/sessions', () => {
baseDN: '',
bindDN: '',
bindPW: '',
tlsCaFile: '',
};

{
Expand Down Expand Up @@ -123,6 +124,7 @@ describe('api/sessions', () => {
baseDN: '',
bindDN: '',
bindPW: '',
tlsCaFile: '',
};

const context = await postSession(user.email, password);
Expand Down Expand Up @@ -151,6 +153,7 @@ describe('api/sessions', () => {
baseDN: '',
bindDN: '',
bindPW: '',
tlsCaFile: '',
};

(ldapLogin as jest.Mock).mockResolvedValue(user);
Expand Down Expand Up @@ -179,6 +182,7 @@ describe('api/sessions', () => {
baseDN: '',
bindDN: '',
bindPW: '',
tlsCaFile: '',
};

(ldapLogin as jest.Mock).mockImplementationOnce(() => {
Expand All @@ -203,6 +207,7 @@ describe('api/sessions', () => {
baseDN: '',
bindDN: '',
bindPW: '',
tlsCaFile: '',
};

(ldapLogin as jest.Mock).mockImplementationOnce(() => {
Expand Down
11 changes: 11 additions & 0 deletions packages/server/src/utils/ldapLogin.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import { User } from '../services/database/types';
import Logger from '@joplin/utils/Logger';
import { LdapConfig } from './types';
import { ErrorForbidden } from './errors';
import { readFile } from 'fs/promises';

const logger = Logger.create('LDAP');

Expand All @@ -16,6 +17,7 @@ export default async function ldapLogin(email: string, password: string, user: U
const baseDN = config.baseDN;
const bindDN = config.bindDN;
const bindPW = config.bindPW;
const tlsCaFile = config.tlsCaFile;

logger.info(`Starting authentication with Server ${host}`);

Expand All @@ -25,10 +27,19 @@ export default async function ldapLogin(email: string, password: string, user: U

if (enabled) {
let searchResults;

let tlsOptions;
if (tlsCaFile.length !== 0) {
tlsOptions = {
ca: [await readFile(tlsCaFile)],
};
}

const client = new Client({
url: host,
timeout: 5000,
connectTimeout: 1000,
tlsOptions: tlsOptions,
});

if (bindDN.length !== 0) {
Expand Down
1 change: 1 addition & 0 deletions packages/server/src/utils/types.ts
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ export interface LdapConfig {
baseDN: string;
bindDN: string;
bindPW: string;
tlsCaFile: string;
}

export interface Config extends EnvVariables {
Expand Down
3 changes: 2 additions & 1 deletion packages/tools/cspell/dictionary4.txt
Original file line number Diff line number Diff line change
Expand Up @@ -153,4 +153,5 @@ tablist
Favorite
tablist
Edubirdie
Useviral
Useviral
ldaps

0 comments on commit 28ff17a

Please sign in to comment.