From b106018029683804d0b5152243dee19c0f4710ef Mon Sep 17 00:00:00 2001
From: Kevyn Bruyere
Date: Sun, 31 Jan 2021 07:03:24 +0100
Subject: [PATCH] fix: LDAP - avoid reading empty tls cert file (#2980)

Co-authored-by: Kevyn Bruyere
---
 .../authentication/ldap/authentication.js | 29 +++++++++++++++----
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/server/modules/authentication/ldap/authentication.js b/server/modules/authentication/ldap/authentication.js
index 2daeeb36..d1bff88e 100644
--- a/server/modules/authentication/ldap/authentication.js
+++ b/server/modules/authentication/ldap/authentication.js
@@ -18,12 +18,7 @@ module.exports = {
       bindCredentials: conf.bindCredentials,
       searchBase: conf.searchBase,
       searchFilter: conf.searchFilter,
-      tlsOptions: (conf.tlsEnabled) ? {
-        rejectUnauthorized: conf.verifyTLSCertificate,
-        ca: [
-          fs.readFileSync(conf.tlsCertPath)
-        ]
-      } : {},
+      tlsOptions: getTlsOptions(conf),
       includeRaw: true
     },
     usernameField: 'email',
@@ -56,3 +51,25 @@ module.exports = {
     ))
   }
 }
+
+function getTlsOptions(conf) {
+  if (!conf.tlsEnabled) {
+    return {}
+  }
+
+  if (!conf.tlsCertPath) {
+    return {
+      rejectUnauthorized: conf.verifyTLSCertificate,
+    }
+  }
+
+  const caList = []
+  if (conf.verifyTLSCertificate) {
+    caList.push(fs.readFileSync(conf.tlsCertPath))
+  }
+
+  return {
+    rejectUnauthorized: conf.verifyTLSCertificate,
+    ca: caList
+  }
+}
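Review bot: The final return of getTlsOptions passes `ca: caList` even when verifyTLSCertificate is false and nothing was read, so the TLS options carry an empty `ca` array; as far as I recall Node's createSecureContext, a present `ca` option (even an empty one) replaces the default root store instead of leaving it in place. The handshake still completes because rejectUnauthorized is false in that branch, but the option is misleading and differs from the `!conf.tlsCertPath` branch, which correctly omits `ca` and falls back to the system CAs. Only include `ca` when a certificate was actually read, e.g. `return { rejectUnauthorized: conf.verifyTLSCertificate, ...(caList.length > 0 ? { ca: caList } : {}) }`. A short JSDoc on the new function would also help readers, along the lines of `/** Build ldapauth tlsOptions from conf: {} when TLS is disabled; system CAs when no tlsCertPath is set; otherwise the file at tlsCertPath as the CA list when verification is on. */`; note that fs.readFileSync still throws on an unreadable path, which is unchanged from the removed code.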