From 2234f1653aabddce4799b710fc34f559d4c6b1a3 Mon Sep 17 00:00:00 2001
From: bilo1967 <17109395+bilo1967@users.noreply.github.com>
Date: Sat, 1 Feb 2025 13:22:29 +0100
Subject: [PATCH 1/3] Update MyLdapAuth.js
If tls_ca is set to false, then allow to ignore client certificates
Signed-off-by: bilo1967 <17109395+bilo1967@users.noreply.github.com>
---
lib/MyLdapAuth.js | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/MyLdapAuth.js b/lib/MyLdapAuth.js
index 3d57ad0..c696cc7 100644
--- a/lib/MyLdapAuth.js
+++ b/lib/MyLdapAuth.js
@@ -75,7 +75,12 @@ MyLdapAuth.prototype._adminBind = function (cb) {
 if (typeof(self.opts.tls_ca !== 'undefined')) {
 clientOpts.tlsOptions = {};
- clientOpts.tlsOptions.ca = self.opts.tls_ca;
+ // if tls_ca is set to false, then ignore certificates, else use the provided one
+ if (self.opts.tls_ca == false) {
+ clientOpts.tlsOptions.rejectUnauthorized = false;
+ } else {
+ clientOpts.tlsOptions.ca = self.opts.tls_ca;
+ }
 }
 self._adminClient = ldap.createClient(clientOpts);
@@ -158,7 +163,12 @@ MyLdapAuth.prototype.authenticate = function (username, password, cb) {
 if (typeof(self.opts.tls_ca !== 'undefined')) {
 clientOpts.tlsOptions = {};
- clientOpts.tlsOptions.ca = self.opts.tls_ca;
+ // if tls_ca is set to false, then ignore certificates, else use the provided one
+ if (self.opts.tls_ca == false) {
+ clientOpts.tlsOptions.rejectUnauthorized = false;
+ } else {
+ clientOpts.tlsOptions.ca = self.opts.tls_ca;
+ }
 }
 var userClient = ldap.createClient(clientOpts);
From 7a217875eb46346557ddd599589a725ea2d1cfd4 Mon Sep 17 00:00:00 2001
From: bilo1967 <17109395+bilo1967@users.noreply.github.com>
Date: Sat, 1 Feb 2025 13:32:15 +0100
Subject: [PATCH 2/3] Update ep_ldapauth.js
Allow to ignore client certificates by setting tls_ca_file to false
Signed-off-by: bilo1967 <17109395+bilo1967@users.noreply.github.com>
---
ep_ldapauth.js | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
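Review bot: `self.opts.tls_ca == false` on the new branch uses loose equality, so any value that coerces to false — an empty CA file read into an empty Buffer, `0`, `''` — also sets `rejectUnauthorized = false` and silently turns off verification of the LDAP server certificate on the channel the admin bind presumably uses for its credentials; `if (self.opts.tls_ca === false) {` limits the opt-out to an explicit `false`. The added comment says "ignore certificates" (the commit message says "client certificates") while the README hunk says "peer certificates"; what is actually skipped is validation of the server's certificate chain, so `// tls_ca === false disables verification of the LDAP server certificate (MITM can read the bind password) — test setups only` states it plainly, and a `console.warn` on that branch would make a fail-open production configuration visible in the log. The enclosing condition `typeof(self.opts.tls_ca !== 'undefined')` (an unchanged context line) applies typeof to a boolean and is therefore always true, so the new else branch also runs with `ca = undefined` when tls_ca is not configured; this predates the commit but is worth correcting to `typeof self.opts.tls_ca !== 'undefined'` while the block is being touched. `_adminBind` starts before the hunk and continues after it.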
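Review bot: The six added lines are a byte-for-byte copy of the block added to `_adminBind` in the previous hunk, so the two places that decide whether the LDAP server certificate is verified will drift apart on the next change; move the decision into one module-level helper and call it from both sites, `clientOpts.tlsOptions = buildTlsOptions(self.opts.tls_ca);`. The helper below also uses strict equality (`== false` matches an empty Buffer or `''` as well) and logs once when verification is disabled, which matters here because this client is the one that binds with the user's password. The context line `typeof(self.opts.tls_ca !== 'undefined')` is always true (typeof of a boolean); that bug predates the commit but the call site below corrects it. `authenticate` starts before the hunk and continues after it.
```javascript
// Build the ldapjs tlsOptions from the tls_ca setting.
// tls_ca === false disables verification of the LDAP server certificate
// (fail-open: a MITM can read the bind credentials) — for test setups only.
function buildTlsOptions(tls_ca) {
  if (tls_ca === false) {
    console.warn('ep_ldapauth: tls_ca is false, the LDAP server certificate will NOT be verified');
    return { rejectUnauthorized: false };
  }
  return { ca: tls_ca };
}

// … unchanged: authenticate() up to the tls_ca check …
  if (typeof self.opts.tls_ca !== 'undefined') {
    clientOpts.tlsOptions = buildTlsOptions(self.opts.tls_ca);
  }
```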
diff --git a/ep_ldapauth.js b/ep_ldapauth.js
index c1ddbbd..d21f856 100644
--- a/ep_ldapauth.js
+++ b/ep_ldapauth.js
@@ -40,7 +40,13 @@ exports.authenticate = function(hook_name, context, cb) {
 };
 if (typeof(settings.users.ldapauth.tls_ca_file) !== 'undefined') {
- myLdapAuthOpts.tls_ca = fs.readFileSync(settings.users.ldapauth.tls_ca_file);
+ // if parameter tls_ca_file is set to false, then ignore client certificates,
+ // else, use the provided PEM format certificate
+ if (settings.users.ldapauth.tls_ca_file == false) {
+ myLdapAuthOpts.tls_ca = false;
+ } else {
+ myLdapAuthOpts.tls_ca = fs.readFileSync(settings.users.ldapauth.tls_ca_file);
+ }
 }
 var authenticateLDAP = new MyLdapAuth(myLdapAuthOpts);
From 0a3c417a0ee7ea47033c33446145fbcca99644e6 Mon Sep 17 00:00:00 2001
From: bilo1967 <17109395+bilo1967@users.noreply.github.com>
Date: Sat, 1 Feb 2025 13:50:09 +0100
Subject: [PATCH 3/3] Update README.md to document the tls_ca_file parameter
Update the README.md to document the tls_ca_file parameter
Signed-off-by: bilo1967 <17109395+bilo1967@users.noreply.github.com>
---
README.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5e5ba89..14b8d5e 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,9 @@ Add to settings.json:
 "groupAttributeIsDN": true,
 "searchScope": "sub",
 "groupSearch": "(&(cn=admin)(objectClass=groupOfNames))",
- "anonymousReadonly": false
+ "anonymousReadonly": false,
+ // The following is optional. You can also set it to false to ignore peer certificates
+ "tls_ca_file": "/path/to/yourcert.pem"
 }
 },
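Review bot: `settings.users.ldapauth.tls_ca_file == false` also matches `""` and `0`, so a settings.json with `"tls_ca_file": ""` (for example a templated value left empty) propagates `tls_ca = false` and turns server-certificate verification off instead of failing; compare with `=== false` so only an explicit `false` opts out, and let an empty path fall through to `fs.readFileSync`, which throws on a missing file rather than silently opening the connection up. The added comment says "ignore client certificates", but the value only controls how the LDAP server's certificate is checked; `// tls_ca_file === false disables verification of the LDAP server certificate (MITM risk) — test setups only` is the accurate wording. `exports.authenticate` starts before the hunk and continues after it; the unguarded `fs.readFileSync` on an unreadable path predates the commit.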