ssl options for ldap

src/app/tabs/settings.component.html

@@ -27,14 +27,38 @@
                     </div>
                     <div class="form-group">
                         <div class="form-check">
-                            <input class="form-check-input" type="checkbox" id="ssl" [(ngModel)]="ldap.ssl" name="SSL">
-                            <label class="form-check-label" for="ssl">{{'ldapSsl' | i18n}}</label>
+                            <input class="form-check-input" type="checkbox" id="ad" [(ngModel)]="ldap.ad" name="AD">
+                            <label class="form-check-label" for="ad">{{'ldapAd' | i18n}}</label>
                         </div>
                     </div>
                     <div class="form-group">
                         <div class="form-check">
-                            <input class="form-check-input" type="checkbox" id="ad" [(ngModel)]="ldap.ad" name="AD">
-                            <label class="form-check-label" for="ad">{{'ldapAd' | i18n}}</label>
+                            <input class="form-check-input" type="checkbox" id="ssl" [(ngModel)]="ldap.ssl" name="SSL">
+                            <label class="form-check-label" for="ssl">{{'ldapSsl' | i18n}}</label>
+                        </div>
+                    </div>
+                    <div class="ml-4" *ngIf="ldap.ssl">
+                        <p>{{'ldapSslUntrustedDesc' | i18n}}</p>
+                        <div class="form-group">
+                            <label for="sslCertPath">{{'ldapSslCert' | i18n}}</label>
+                            <input type="file" class="form-control-file mb-2" id="sslCertPath_file" (change)="setSslPath('sslCertPath')">
+                            <input type="text" class="form-control" id="sslCertPath" name="SSLCertPath" [(ngModel)]="ldap.sslCertPath">
+                        </div>
+                        <div class="form-group">
+                            <label for="sslKeyPath">{{'ldapSslKey' | i18n}}</label>
+                            <input type="file" class="form-control-file mb-2" id="sslKeyPath_file" (change)="setSslPath('sslKeyPath')">
+                            <input type="text" class="form-control" id="sslKeyPath" name="SSLKeyPath" [(ngModel)]="ldap.sslKeyPath">
+                        </div>
+                        <div class="form-group">
+                            <label for="sslCaPath">{{'ldapSslCa' | i18n}}</label>
+                            <input type="file" class="form-control-file mb-2" id="sslCaPath_file" (change)="setSslPath('sslCaPath')">
+                            <input type="text" class="form-control" id="sslCaPath" name="SSLCaPath" [(ngModel)]="ldap.sslCaPath">
+                        </div>
+                        <div class="form-group">
+                            <div class="form-check">
+                                <input class="form-check-input" type="checkbox" id="sslAllowUnauthorized" [(ngModel)]="ldap.sslAllowUnauthorized" name="SSLAllowUnauthorized">
+                                <label class="form-check-label" for="sslAllowUnauthorized">{{'ldapSslAllowUnauthorized' | i18n}}</label>
+                            </div>
                         </div>
                     </div>
                     <div class="form-group" [hidden]="true">

src/app/tabs/settings.component.ts

@@ -111,7 +111,7 @@ export class SettingsComponent implements OnInit, OnDestroy {
         await this.configurationService.saveSync(this.sync);
     }
 
-    async parseKeyFile() {
+    parseKeyFile() {
         const filePicker = (document.getElementById('keyFile') as HTMLInputElement);
         if (filePicker.files == null || filePicker.files.length < 0) {
             return;
@@ -122,7 +122,7 @@ export class SettingsComponent implements OnInit, OnDestroy {
         reader.onload = (evt) => {
             this.ngZone.run(async () => {
                 try {
-                    const result = JSON.parse((evt.target as FileReader).result);
+                    const result = JSON.parse((evt.target as FileReader).result as string);
                     if (result.client_email != null && result.private_key != null) {
                         this.gsuite.clientEmail = result.client_email;
                         this.gsuite.privateKey = result.private_key;
@@ -138,4 +138,18 @@ export class SettingsComponent implements OnInit, OnDestroy {
             filePicker.value = '';
         };
     }
+
+    setSslPath(id: string) {
+        const filePicker = (document.getElementById(id + '_file') as HTMLInputElement);
+        if (filePicker.files == null || filePicker.files.length < 0) {
+            return;
+        }
+
+        (this.ldap as any)[id] = filePicker.files[0].path;
+        // reset file input
+        // ref: https://stackoverflow.com/a/20552042
+        filePicker.type = '';
+        filePicker.type = 'file';
+        filePicker.value = '';
+    }
 }

src/locales/en/messages.json

@@ -417,6 +417,21 @@
     "ldapSsl": {
         "message": "This server uses SSL (LDAPS)"
     },
+    "ldapSslUntrustedDesc": {
+        "message": "If your LDAPS server uses an untrusted certificate you can configure certificate options below."
+    },
+    "ldapSslCa": {
+        "message": "Certificate CA Chain (PEM)"
+    },
+    "ldapSslCert": {
+        "message": "Certificate (PEM)"
+    },
+    "ldapSslKey": {
+        "message": "Certificate Private Key (PEM)"
+    },
+    "ldapSslAllowUnauthorized": {
+        "message": "Allow untrusted SSL connections (not recommended)."
+    },
     "ldapAd": {
         "message": "This server uses Active Directory"
     },

src/models/ldapConfiguration.ts

@@ -1,7 +1,9 @@
-import { DirectoryType } from '../enums/directoryType';
-
 export class LdapConfiguration {
     ssl = false;
+    sslAllowUnauthorized = false;
+    sslCertPath: string;
+    sslKeyPath: string;
+    sslCaPath: string;
     hostname: string;
     port = 389;
     domain: string;

src/services/ldap-directory.service.ts

@@ -1,3 +1,4 @@
+import * as fs from 'fs';
 import * as ldap from 'ldapjs';
 
 import { DirectoryType } from '../enums/directoryType';
@@ -326,10 +327,32 @@ export class LdapDirectoryService implements DirectoryService {
 
             const url = 'ldap' + (this.dirConfig.ssl ? 's' : '') + '://' + this.dirConfig.hostname +
                 ':' + this.dirConfig.port;
-
-            this.client = ldap.createClient({
+            const options: ldap.ClientOptions = {
                 url: url.trim().toLowerCase(),
-            });
+            };
+            if (this.dirConfig.ssl) {
+                const tlsOptions: any = {};
+                if (this.dirConfig.sslAllowUnauthorized != null) {
+                    tlsOptions.rejectUnauthorized = !this.dirConfig.sslAllowUnauthorized;
+                }
+                if (this.dirConfig.sslCaPath != null && this.dirConfig.sslCaPath !== '' &&
+                    fs.existsSync(this.dirConfig.sslCaPath)) {
+                    tlsOptions.ca = [fs.readFileSync(this.dirConfig.sslCaPath)];
+                }
+                if (this.dirConfig.sslCertPath != null && this.dirConfig.sslCertPath !== '' &&
+                    fs.existsSync(this.dirConfig.sslCertPath)) {
+                    tlsOptions.cert = fs.readFileSync(this.dirConfig.sslCertPath);
+                }
+                if (this.dirConfig.sslKeyPath != null && this.dirConfig.sslKeyPath !== '' &&
+                    fs.existsSync(this.dirConfig.sslKeyPath)) {
+                    tlsOptions.key = fs.readFileSync(this.dirConfig.sslKeyPath);
+                }
+                if (Object.keys(tlsOptions).length > 0) {
+                    options.tlsOptions = tlsOptions;
+                }
+            }
+
+            this.client = ldap.createClient(options);
 
             const user = this.dirConfig.username == null || this.dirConfig.username.trim() === '' ? null :
                 this.dirConfig.username;