fix: LDAP - avoid reading empty tls cert file (#2980)

Co-authored-by: Kevyn Bruyere <kevyn@inovasi.fr>

fix: LDAP - avoid reading empty tls cert file (#2980)
b1060180 · Kevyn Bruyere · GitHub · cfbd3dca · b1060180
Unverified Commit b1060180 authored Jan 31, 2021 by Kevyn Bruyere Committed by GitHub Jan 31, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 6 deletions

authentication.js server/modules/authentication/ldap/authentication.js +23 -6

No files found.
--- a/server/modules/authentication/ldap/authentication.js
+++ b/server/modules/authentication/ldap/authentication.js
@@ -18,12 +18,7 @@ module.exports = {
          bindCredentials: conf.bindCredentials,
          searchBase: conf.searchBase,
          searchFilter: conf.searchFilter,
-          tlsOptions: (conf.tlsEnabled) ? {
-            rejectUnauthorized: conf.verifyTLSCertificate,
-            ca: [
-              fs.readFileSync(conf.tlsCertPath)
-            ]
-          } : {},
+          tlsOptions: getTlsOptions(conf),
          includeRaw: true
        },
        usernameField: 'email',
@@ -56,3 +51,25 @@ module.exports = {
      ))
  }
 }
+
+function getTlsOptions(conf) {
+  if (!conf.tlsEnabled) {
+    return {}
+  }
+
+  if (!conf.tlsCertPath) {
+    return {
+      rejectUnauthorized: conf.verifyTLSCertificate,
+    }
+  }
+
+  const caList = []
+  if (conf.verifyTLSCertificate) {
+    caList.push(fs.readFileSync(conf.tlsCertPath))
+  }
+
+  return {
+    rejectUnauthorized: conf.verifyTLSCertificate,
+    ca: caList
+  }
+}