diff --git a/src/app/tabs/settings.component.html b/src/app/tabs/settings.component.html index 1bf06600..45c053be 100644 --- a/src/app/tabs/settings.component.html +++ b/src/app/tabs/settings.component.html @@ -35,39 +35,54 @@
- - + +
-

{{'ldapSslUntrustedDesc' | i18n}}

- - - +
+ + +
+
+ + +
-
- - - +
+

{{'ldapTlsUntrustedDesc' | i18n}}

+
+ + + +
-
- - - +
+

{{'ldapSslUntrustedDesc' | i18n}}

+
+ + + +
+
+ + + +
+
+ + + +
- - + +
diff --git a/src/locales/en/messages.json b/src/locales/en/messages.json
index 1b1fb549..72a21cdc 100644
--- a/src/locales/en/messages.json
+++ b/src/locales/en/messages.json
@@ -414,8 +414,20 @@
 "sync": {
 "message": "Sync"
 },
+ "ldapEncrypted": {
+ "message": "This server uses an encrypted connection"
+ },
+ "ldapTls": {
+ "message": "Use TLS (STARTTLS)"
+ },
+ "ldapTlsCa": {
+ "message": "Certificate CA Chain (PEM)"
+ },
 "ldapSsl": {
- "message": "This server uses SSL (LDAPS)"
+ "message": "Use SSL (LDAPS)"
+ },
+ "ldapTlsUntrustedDesc": {
+ "message": "If your LDAP server uses a self-signed certificate for STARTTLS, you can configure certificate options below."
 },
 "ldapSslUntrustedDesc": {
 "message": "If your LDAPS server uses an untrusted certificate you can configure certificate options below."
@@ -429,8 +441,8 @@
 "ldapSslKey": {
 "message": "Certificate Private Key (PEM)"
 },
- "ldapSslAllowUnauthorized": {
- "message": "Allow untrusted SSL connections (not recommended)."
+ "ldapCertDoNotVerify": {
+ "message": "Do not verify server certificates (not recommended)."
 },
 "ldapAd": {
 "message": "This server uses Active Directory"
diff --git a/src/models/ldapConfiguration.ts b/src/models/ldapConfiguration.ts
index 2060d81e..e41b6dc1 100644
--- a/src/models/ldapConfiguration.ts
+++ b/src/models/ldapConfiguration.ts
@@ -1,5 +1,7 @@
 export class LdapConfiguration {
 ssl = false;
+ starttls = true;
+ tlsCaPath: string;
 sslAllowUnauthorized = false;
 sslCertPath: string;
 sslKeyPath: string;
diff --git a/src/services/ldap-directory.service.ts b/src/services/ldap-directory.service.ts
index aecabdce..d267ddf9 100644
--- a/src/services/ldap-directory.service.ts
+++ b/src/services/ldap-directory.service.ts
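Review bot: The new `starttls = true` default changes what an already-saved configuration with `ssl = true` means, because the service now builds `ldap://` and negotiates STARTTLS whenever `ssl && starttls`; unless persisted settings carry `starttls = false` for existing LDAPS deployments, they would start STARTTLS against a port that expects implicit TLS. Whether stored settings fall back to this class default or keep a saved value is not visible in this hunk, so it is worth confirming against the settings loader and migrating if needed. A comment on the field would make the coupling explicit, e.g. `// Only meaningful when ssl is true: true = STARTTLS over ldap://, false = implicit TLS over ldaps://`.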
@@ -324,32 +324,41 @@ export class LdapDirectoryService implements DirectoryService {
 reject(this.i18nService.t('dirConfigIncomplete'));
 return;
 }
-
- const url = 'ldap' + (this.dirConfig.ssl ? 's' : '') + '://' + this.dirConfig.hostname +
+ const protocol = 'ldap' + (this.dirConfig.ssl && !this.dirConfig.starttls ? 's' : '');
+ const url = protocol + '://' + this.dirConfig.hostname +
 + ':' + this.dirConfig.port;
 const options: ldap.ClientOptions = {
 url: url.trim().toLowerCase(),
 };
+
+ const tlsOptions: any = {};
 if (this.dirConfig.ssl) {
- const tlsOptions: any = {};
- if (this.dirConfig.sslAllowUnauthorized != null) {
+ if (!this.dirConfig.starttls) {
+ if (this.dirConfig.sslCaPath != null && this.dirConfig.sslCaPath !== '' &&
+ fs.existsSync(this.dirConfig.sslCaPath)) {
+ tlsOptions.ca = [fs.readFileSync(this.dirConfig.sslCaPath)];
+ }
+ if (this.dirConfig.sslCertPath != null && this.dirConfig.sslCertPath !== '' &&
+ fs.existsSync(this.dirConfig.sslCertPath)) {
+ tlsOptions.cert = fs.readFileSync(this.dirConfig.sslCertPath);
+ }
+ if (this.dirConfig.sslKeyPath != null && this.dirConfig.sslKeyPath !== '' &&
+ fs.existsSync(this.dirConfig.sslKeyPath)) {
+ tlsOptions.key = fs.readFileSync(this.dirConfig.sslKeyPath);
+ }
+ } else {
+ if (this.dirConfig.tlsCaPath != null && this.dirConfig.tlsCaPath !== '' &&
+ fs.existsSync(this.dirConfig.tlsCaPath)) {
+ tlsOptions.ca = [fs.readFileSync(this.dirConfig.tlsCaPath)];
+ }
+ }
+ if (this.dirConfig.sslAllowUnauthorized) {
 tlsOptions.rejectUnauthorized = !this.dirConfig.sslAllowUnauthorized;
 }
- if (this.dirConfig.sslCaPath != null && this.dirConfig.sslCaPath !== '' &&
- fs.existsSync(this.dirConfig.sslCaPath)) {
- tlsOptions.ca = [fs.readFileSync(this.dirConfig.sslCaPath)];
- }
- if (this.dirConfig.sslCertPath != null && this.dirConfig.sslCertPath !== '' &&
- fs.existsSync(this.dirConfig.sslCertPath)) {
- tlsOptions.cert = fs.readFileSync(this.dirConfig.sslCertPath);
- }
- if (this.dirConfig.sslKeyPath != null && this.dirConfig.sslKeyPath !== '' &&
- fs.existsSync(this.dirConfig.sslKeyPath)) {
- tlsOptions.key = fs.readFileSync(this.dirConfig.sslKeyPath);
- }
- if (Object.keys(tlsOptions).length > 0) {
- options.tlsOptions = tlsOptions;
- }
+ }
+
+ if (Object.keys(tlsOptions).length > 0) {
+ options.tlsOptions = tlsOptions;
 }
 
 this.client = ldap.createClient(options);
@@ -364,13 +373,29 @@ export class LdapDirectoryService implements DirectoryService {
 return;
 }
 
- this.client.bind(user, pass, (err) => {
- if (err != null) {
- reject(err.message);
- } else {
- resolve();
- }
- });
+ if (this.dirConfig.starttls && this.dirConfig.ssl) {
+ this.client.starttls(options.tlsOptions, undefined, (err, res) => {
+ if (err != null) {
+ reject(err.message);
+ } else {
+ this.client.bind(user, pass, (err) => {
+ if (err != null) {
+ reject(err.message);
+ } else {
+ resolve();
+ }
+ });
+ }
+ });
+ } else {
+ this.client.bind(user, pass, (err) => {
+ if (err != null) {
+ reject(err.message);
+ } else {
+ resolve();
+ }
+ });
+ }
 });
 }
 
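Review bot: The STARTTLS branch only loads `tlsCaPath`, so a client certificate and key configured through `sslCertPath`/`sslKeyPath` are silently dropped when `starttls` is true, even though `rejectUnauthorized` is applied to both modes; if that asymmetry is intended it deserves a comment, otherwise the cert/key reads belong outside the `if (!this.dirConfig.starttls)` branch so both TLS modes can present a client certificate. Separately, `if (this.dirConfig.sslAllowUnauthorized) { tlsOptions.rejectUnauthorized = !this.dirConfig.sslAllowUnauthorized; }` can only ever assign `false`, so `tlsOptions.rejectUnauthorized = false;` inside that branch states what it does. A short comment above `const tlsOptions: any = {};` such as `// Built for both LDAPS and STARTTLS; only attached to options when non-empty so ldapjs defaults apply otherwise` would help the next reader. The enclosing method starts and ends outside this hunk.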
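Review bot: The bind callback is duplicated verbatim in the STARTTLS and plain branches; a local `bindClient` closure removes the copy and keeps the reject/resolve handling in one place. Also `res` in `(err, res) =>` is unused, and `options.tlsOptions` is `undefined` when no CA is configured and verification is left on (the first hunk only assigns it when `tlsOptions` has keys) — ldapjs appears to tolerate a missing options object, but passing `options.tlsOptions ?? {}` avoids depending on that. The rejection path here is the right shape from a transport-security standpoint: a failed STARTTLS rejects instead of falling back to a bind in the clear, and that property should be preserved in any refactor. The enclosing method starts outside this hunk.
```typescript
const bindClient = () => {
    this.client.bind(user, pass, (err) => {
        if (err != null) {
            reject(err.message);
        } else {
            resolve();
        }
    });
};
if (this.dirConfig.starttls && this.dirConfig.ssl) {
    // A STARTTLS failure must reject; never bind over the plaintext socket.
    this.client.starttls(options.tlsOptions ?? {}, undefined, (err) => {
        if (err != null) {
            reject(err.message);
        } else {
            bindClient();
        }
    });
} else {
    bindClient();
}
```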