fix: LDAP - avoid reading empty tls cert file (#2980)

Co-authored-by: Kevyn Bruyere <kevyn@inovasi.fr>
2021-01-31 07:03:24 +01:00 · 2021-01-31 07:03:24 +01:00 · b106018029
commit b106018029
parent cfbd3dca00
1 changed files with 23 additions and 6 deletions
--- a/server/modules/authentication/ldap/authentication.js
+++ b/server/modules/authentication/ldap/authentication.js
@ -18,12 +18,7 @@ module.exports = {
          bindCredentials: conf.bindCredentials,
          searchBase: conf.searchBase,
          searchFilter: conf.searchFilter,
-          tlsOptions: (conf.tlsEnabled) ? {
-            rejectUnauthorized: conf.verifyTLSCertificate,
-            ca: [
-              fs.readFileSync(conf.tlsCertPath)
-            ]
-          } : {},
+          tlsOptions: getTlsOptions(conf),
          includeRaw: true
        },
        usernameField: 'email',
@ -56,3 +51,25 @@ module.exports = {
      ))
  }
 }
+
+function getTlsOptions(conf) {
+  if (!conf.tlsEnabled) {
+    return {}
+  }
+
+  if (!conf.tlsCertPath) {
+    return {
+      rejectUnauthorized: conf.verifyTLSCertificate,
+    }
+  }
+
+  const caList = []
+  if (conf.verifyTLSCertificate) {
+    caList.push(fs.readFileSync(conf.tlsCertPath))
+  }
+
+  return {
+    rejectUnauthorized: conf.verifyTLSCertificate,
+    ca: caList
+  }
+}