diff --git a/LDAPCnx.cc b/LDAPCnx.cc
index 4662fef..e0ecb6b 100644
--- a/LDAPCnx.cc
+++ b/LDAPCnx.cc
@@ -62,6 +62,7 @@ void LDAPCnx::New(const Nan::FunctionCallbackInfo& info) {
int debug = info[5]->NumberValue();
int verifycert = info[6]->NumberValue();
int referrals = info[7]->NumberValue();
+ Nan::Utf8String cacertfile(info[8]);
int zero = 0;
ld->ldap_callback = (ldap_conncb *)malloc(sizeof(ldap_conncb));
@@ -76,6 +77,10 @@ void LDAPCnx::New(const Nan::FunctionCallbackInfo& info) {
struct timeval ntimeout = { timeout/1000, (timeout%1000) * 1000 };
+ if (info[8]->IsString()) {
+ ldap_set_option(ld->ld, LDAP_OPT_X_TLS_CACERTFILE, *cacertfile);
+ }
+
ldap_set_option(ld->ld, LDAP_OPT_PROTOCOL_VERSION, &ver);
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug);
ldap_set_option(ld->ld, LDAP_OPT_CONNECT_CB, ld->ldap_callback);
diff --git a/README.md b/README.md
index 8b54b22..77544a0 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,7 @@ var LDAP = require('ldap-client');
var ldap = new LDAP({
uri: 'ldap://server', // string
validatecert: false, // Verify server certificate
+ ca: "ca.pem", // optional path of a ca certificate file
connecttimeout: -1, // seconds, default is -1 (infinite timeout), connect timeout
base: 'dc=com', // default base for all future searches
attrs: '*', // default attribute list for future searches
@@ -94,7 +95,7 @@ var ldap = new LDAP({
TLS
===
-TLS can be used via the ldaps:// protocol string in the URI attribute on instantiation. If you want to eschew server certificate checking (if you have a self-signed cserver certificate, for example), you can set the `verifycert` attribute to `LDAP.LDAP_OPT_X_TLS_NEVER`, or one of the following values:
+TLS can be used via the ldaps:// protocol string in the URI attribute on instantiation. If you want to eschew server certificate checking, you can set the `verifycert` attribute to `LDAP.LDAP_OPT_X_TLS_NEVER`, or one of the following values:
```js
var LDAP=require('ldap-client');
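Review bot: The return value of `ldap_set_option(ld->ld, LDAP_OPT_X_TLS_CACERTFILE, *cacertfile)` in the second LDAPCnx.cc hunk is discarded, so a mistyped or unreadable `ca` path is never reported and the handle proceeds with whatever trust store the default TLS context carries, which defeats the point of pinning a CA. OpenLDAP also only applies per-handle TLS options when a fresh context is built from them: unless code outside these hunks sets `LDAP_OPT_X_TLS_NEWCTX` after all TLS options (the rest of `LDAPCnx::New`, including where `verifycert` is applied, is outside the hunk, so I cannot tell), the CA file set here is likely ignored in favour of the global default context. A checked call plus a context rebuild, placed after the last TLS option rather than before the remaining `ldap_set_option` calls if `verifycert` is applied there, would look like the following; `zero` is already declared in the first hunk and serves as the is_server argument.
```cpp
if (info[8]->IsString()) {
  if (ldap_set_option(ld->ld, LDAP_OPT_X_TLS_CACERTFILE, *cacertfile) != LDAP_OPT_SUCCESS) {
    return Nan::ThrowError("Unable to set CA certificate file");
  }
  // Per-handle TLS settings only take effect in a context created after them.
  if (ldap_set_option(ld->ld, LDAP_OPT_X_TLS_NEWCTX, &zero) != LDAP_OPT_SUCCESS) {
    return Nan::ThrowError("Unable to create TLS context");
  }
}
// … unchanged: remaining ldap_set_option calls …
```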
diff --git a/index.js b/index.js index bd10bca..7a85945 100644 --- a/index.js +++ b/index.js @@ -98,7 +98,8 @@ function LDAP(opt, fn) { this.options.ntimeout, this.options.debug, this.options.validatecert, - this.options.referrals); + this.options.referrals, + this.options.ca); if (typeof fn !== 'function') { fn = function() {}; diff --git a/test/certs/ca.crt b/test/certs/ca.crt new file mode 100644 index 0000000..7ca3ce0 --- /dev/null +++ b/test/certs/ca.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAjCCAeoCCQCJz+e6p8ebYzANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJH +QjETMBEGA1UECAwKQ2hlbHRlbmhhbTENMAsGA1UECgwESm9zaDEQMA4GA1UEAwwH +Sm9zaCBDQTAeFw0yMDAzMDYxMjEyNDFaFw00NzA3MjMxMjEyNDFaMEMxCzAJBgNV +BAYTAkdCMRMwEQYDVQQIDApDaGVsdGVuaGFtMQ0wCwYDVQQKDARKb3NoMRAwDgYD +VQQDDAdKb3NoIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6PDH +4W4xF8eai4Ijz/uuRpvVElHnD8MzqfMBx16TzxKXVGMK2MCUYK+WCAv32u06e6bB +Ocj9IyOumGktRqVwrY0r43yKjssUp+k0Q4/PWHsBo4VgSzRVUXiUbB08tikHS7XZ +vXBjRtlsW+/PWGkuce6n/MfiRDHUgedRPa4Q5wYMOdi04D5uhE/nH1WYP+K0/sFi +FhjrruzpGoPrRdNa2TN8EzgU/83y/6bMlLrG8TXD/s2+7gBodY7zl1AP0A/+Gna2 +rZQFOBPC6o4Jj/q4YzLbldrJ9TBjxGwT0gFCOVcd7kwOtgdpdzHWfb0+rBSS8cw+ +IR3ZhJsfyum6OXDU+wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAAL3fvqGAeWZMG +MgEh6UQP0dgerLTb+lUiLKJzsOpm5Ys0sIoaAEee9q3TxyD6v/u8Vh2ildHGpyS2 +Nge8uzznW34sTCpFLJf0JysbV7l4xYkmEn/z5iYYqh+p6khUUzQkkhy/MT0CWVtq +5pYTpMREGJMTFAgP03cZ66HyCuENcijWW7Xfu0dFjvOzyNOUc3/PrQKgDRQODzz/ +8+bR+9xY++cGSe0O8o54FSWqV43V5yIpusIBXJR+dPh6Cua7UnqUNW824RFSRnsQ +2XddOhCYHhRpzN5XPmFtOYlfhvnQDQo82CH3A/kKO7t1XsTUTwRskT1yafqEnajg +CnnloSdU +-----END CERTIFICATE----- diff --git a/test/certs/ca.key b/test/certs/ca.key new file mode 100644 index 0000000..c722efc --- /dev/null +++ b/test/certs/ca.key 
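Review bot: `this.options.ca` is forwarded as the ninth positional argument without any type check, and the native side only honours it when it `IsString()`, so a `ca` passed as a Buffer or left `undefined` by a misspelt option name degrades silently to the default trust store while `validatecert` still appears to be on. Rejecting non-string values here keeps misconfiguration loud: `if (this.options.ca !== undefined && typeof this.options.ca !== 'string') throw new TypeError('ca must be a path to a PEM CA file');`. The enclosing `LDAP(opt, fn)` starts outside the hunk, so where `this.options` is populated from `opt` is not visible here.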
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA6PDH4W4xF8eai4Ijz/uuRpvVElHnD8MzqfMBx16TzxKXVGMK +2MCUYK+WCAv32u06e6bBOcj9IyOumGktRqVwrY0r43yKjssUp+k0Q4/PWHsBo4Vg +SzRVUXiUbB08tikHS7XZvXBjRtlsW+/PWGkuce6n/MfiRDHUgedRPa4Q5wYMOdi0 +4D5uhE/nH1WYP+K0/sFiFhjrruzpGoPrRdNa2TN8EzgU/83y/6bMlLrG8TXD/s2+ +7gBodY7zl1AP0A/+Gna2rZQFOBPC6o4Jj/q4YzLbldrJ9TBjxGwT0gFCOVcd7kwO +tgdpdzHWfb0+rBSS8cw+IR3ZhJsfyum6OXDU+wIDAQABAoIBAQCsXEW6Q5vl2Zc8 +NT6kjblFm9cMaDgNzMV0slAVoqDCLyJ0mZiUC+N+q03bhGeQwcptZlVBmbvc/XEa +a3DJ/m6irHvWJvgrco9FM2StvUKSWOo8gdtfqkibMRq56ORccX1pgxSrfPaonQb1 +/DszUxi/yvTYMVr2VNzGhk/x0NPG7KQ+OsYz1sCSJCXJOhtzjNIHNobEgog/+Cj2 +hX5Qe9wF2+cygsUCjsKKvkYhCDN6AYjyEuVdKRZHDsBCu3Q2ErfAmFgO0Fs5D7v0 +bcTf1HCT+WCoyw3DDJu+TDlId8ChN+8fOjEJKajBdAddh84DsJWc00fmyYUShEez +VtfleW35AoGBAPgwbR8njas0RBTHes6hQYrTem5Gu75mOAHQeIWVUEOpoS3ReVtS +yhw4T35HPmA7IKmKZu4/GYBCjISYpM5SMK1fLxV/PnbrqRnyZDXEslRKduexfkxX +4wOL6SR6XNIA/Gc15uOmoPcZhlkzUwPl9QaAxwWJ0OikcHr3tTYmhuB1AoGBAPBF +gHIUNEIYripRTyFe8N75I3Sq7QtmZ592m76vVXtM5xPPQHZGkzVmGctY70GVCP5J +lAtW0U7QWnH8SiLkI8Ezjv/wssjnrkvCsVXTdV3sU5eEaN9fXaGfyXNDg00E6Ata +qw08kImb9uxx2VoeYa2ukJoERQ9Ys+OZ2D8QSzGvAoGBAJAt0bafi7VBj6tilv0i +wKidYipd/QMG7tJfASTZMN+d03yCjDV5SuBJ9iQtzxaoQrk7JcCR94aDIo6E/ni9 +VnnhKcEbQnZjQMFKBt0Vf2NoPtsqSWygQcj1pmMCkpmM6RQsRA1L54ak1V9MaZWC +KW21seiNv0bnAFDvRd5HU2NhAoGAc34VBcDsdbEDVtgKn1HRmnxLLLNUihxJRv9u +UbRZ9JC8qmr+41t9Oze+wl4Xc4C99+1KOkEbDzVbpFrPEAJ1pVKxNBlw9t1WjJgj +QcwJKIKGk9hTyLtAeIYkAUG8hXMMTxjgC9bG6z6K7JC1F3pvHVtBqqbOw1ex8H9s +0LN2UYUCgYEAqU5hznevJYnkdsGr/xxpCqHUpbllEWDBCVrZraUxJ2DP/6U61hH6 +StqyN2qutkSDTLNMUDeAR1tLIAb9xonbQzzsd07/CbNu9iHJwidYopU3RBRdHjtj +iPiyb8EP5x7ugYx7l8OT2ZFF75d2DbuUzabj5P8BpSFjyvr5Xmj72hg= +-----END RSA PRIVATE KEY----- diff --git a/test/certs/device.crt b/test/certs/device.crt deleted file mode 100644 index 1a14d76..0000000 --- a/test/certs/device.crt +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnDCCAoQCCQDpkoraKTv49zANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMC -Q0ExCzAJBgNVBAgTAk5UMRQwEgYDVQQHEwtZZWxsb3drbmlmZTENMAsGA1UEChME -RGVtbzENMAsGA1UECxMERGVtbzEaMBgGA1UEAxMRZGVtby5zc2ltaWNyby5jb20x -IzAhBgkqhkiG9w0BCQEWFGplcmVteWNAc3NpbWljcm8uY29tMB4XDTE1MTAyMjE1 -NTcxOFoXDTI5MDYzMDE1NTcxOFowgY8xCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJO -VDEUMBIGA1UEBxMLWWVsbG93a25pZmUxDTALBgNVBAoTBERlbW8xDTALBgNVBAsT -BERlbW8xGjAYBgNVBAMTEWRlbW8uc3NpbWljcm8uY29tMSMwIQYJKoZIhvcNAQkB -FhRqZXJlbXljQHNzaW1pY3JvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBAMBx7klo3CxR5vvFxf0Su58PXQjFe5IEc3p0HKXsOHNVOchIy1raU0+O -RpBFX+e/XkNPjMi/0Y4TKLiwxKVW7KtBBltBRx+2UjuY4qIWAZJQSGcq6qNAtzms -tQP2HWOhSeFFHoW1NXK88HYo7KDVIAD135cUSvn5+jqiwGYe0rX/lBUkOCmPQu6/ -LyzBDgRVsrZOUzGdgsWjhQQFQSPM6LlgOzCkj1oCGgaO8C7/9D1p+f2ACP5zTcE+ -JZ3Sn1ry10IK58RBAR0tQnX6o06cSlLzxNbj5/Zl2rA/r0nB8ZN/iILbas440V+h -DPPxo1irBsW9TsElA5JWHi/KXBXfZSsCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA -sd3QR94dPIPpi+EmkD9pKuLu6UTTQXe49QaqdZ1zbmzcm5I446Mnca5QbwrjR1HJ -mLyQ7vUeIqBWwJTmXnKS7A0ZjeSXy1r4mC8oHdyjF/2xgYXPltsaKUjn+qBUo/ID -QgOAREfn+sR3hoqUsHFCohW6mO4ZLartUNRlliNWWATaq60SB5AmMDe9UixSq5xq -9i073cNmnWUcIJ/ApWh5jS6FlHL7P7tBdWXR4+yud9+18khdeab3HW7diFGTNsvU -XirNk7tjReltkgPqfRcCe9gv0QVgy31aK0eBNvt15IiT3jhQdEC1W3TyvId3MhTa -xNzjR8MXrASMZbIve6tFQw== ------END CERTIFICATE----- diff --git a/test/certs/device.csr b/test/certs/device.csr deleted file mode 100644 index 8d3fa79..0000000 --- a/test/certs/device.csr +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIC1TCCAb0CAQAwgY8xCzAJBgNVBAYTAkNBMQswCQYDVQQIEwJOVDEUMBIGA1UE -BxMLWWVsbG93a25pZmUxDTALBgNVBAoTBERlbW8xDTALBgNVBAsTBERlbW8xGjAY -BgNVBAMTEWRlbW8uc3NpbWljcm8uY29tMSMwIQYJKoZIhvcNAQkBFhRqZXJlbXlj -QHNzaW1pY3JvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMBx -7klo3CxR5vvFxf0Su58PXQjFe5IEc3p0HKXsOHNVOchIy1raU0+ORpBFX+e/XkNP -jMi/0Y4TKLiwxKVW7KtBBltBRx+2UjuY4qIWAZJQSGcq6qNAtzmstQP2HWOhSeFF -HoW1NXK88HYo7KDVIAD135cUSvn5+jqiwGYe0rX/lBUkOCmPQu6/LyzBDgRVsrZO -UzGdgsWjhQQFQSPM6LlgOzCkj1oCGgaO8C7/9D1p+f2ACP5zTcE+JZ3Sn1ry10IK -58RBAR0tQnX6o06cSlLzxNbj5/Zl2rA/r0nB8ZN/iILbas440V+hDPPxo1irBsW9 -TsElA5JWHi/KXBXfZSsCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQA8LNE65w+r -zBLxvZ64o2xSDS3QAFox6sEXCDSCe/0ExJ56TzvaGbUET9HnlDrHcOrWEyIVxkf0 -Ifyyzz0akpNYcBSfY5cckipmIIBSVcXYVGTDRJ/pdls58Nh+CMXMkR+PQ5dBvNBK -GTh/MVLGTYdpvDw0gEprqi3VevYkEtg2QpLt/AfKiHMOkZ8F5lo+oRF+D/GJmt5r -2tZDfJVWgoYlkMtRRuJZUOQAp9XFwl+K96/MLh/IlY41RbzQNyG898PRRfslTXB1 -dmT56IIuLz47fS7Dxd0XqzpE7QJUeJXKZGwvthZc6C8k2lH23dOWvLqHsaY3VfZL -36wOVxdY4PR+ ------END CERTIFICATE REQUEST----- diff --git a/test/certs/device.key b/test/certs/device.key deleted file mode 100644 index 6a45f42..0000000 --- a/test/certs/device.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAwHHuSWjcLFHm+8XF/RK7nw9dCMV7kgRzenQcpew4c1U5yEjL -WtpTT45GkEVf579eQ0+MyL/RjhMouLDEpVbsq0EGW0FHH7ZSO5jiohYBklBIZyrq -o0C3Oay1A/YdY6FJ4UUehbU1crzwdijsoNUgAPXflxRK+fn6OqLAZh7Stf+UFSQ4 -KY9C7r8vLMEOBFWytk5TMZ2CxaOFBAVBI8zouWA7MKSPWgIaBo7wLv/0PWn5/YAI -/nNNwT4lndKfWvLXQgrnxEEBHS1CdfqjTpxKUvPE1uPn9mXasD+vScHxk3+Igttq -zjjRX6EM8/GjWKsGxb1OwSUDklYeL8pcFd9lKwIDAQABAoIBAQCSKrazGSsJmpeX -KWsswbqxoCiojd5CVJElM+XCfH2P0+6UWf3inqriZQzhbV/flHFTLKugmlje0Vx/ -kvt5HWGa3UOnshgEVSV2ULPqKk69Q68KdQVMQ84mxy+ht6Aw2QNVT3tUUQMsh6cY -CBNaQSYStK1Dgc1EuoI9YPpDVivywL+2TCUDhSzyTOlmuN71eVJVJ5z5lEVRTcjH -kZhyojJbc4bOVWNtd04E0lINYb47Nw5y42Dbl3hzXEHjbxDtqwaH/8zCr514UKwb -R0sP2qbZGhW3D8SKFobqFKBioO5RIOBaLvAN5IbmgjNNelk3jKVrNireczbRRY7t -6pGEfi4RAoGBAOj4R414Z5yEM3z5IGctOKnNlnvqV1t8OuAn1admhxOpFQmEpdsy -FgO3dQ2i1wVomWJFnf05nLqnhMs5RInOPt4X5FPuL3O9FQpRfo7la0JGxF0ILWyY -dpIsBhFvBFKX/KcklX+TU/Pvw/6sj0H2vb+KadNrCZo4F06vDgGQM4JJAoGBANN4 -GTKR9PQnhg5LAYVFQ27W8cUzMyvhr3t9DhrA/4NQNfPO5NdUSVyzIScO37RjHlB/ -yjRiATGkhz0xWidxef716tVNpSNpH/exBL8UGmTNPwp89Uy/N9mgYo/yVwugcGor -iqxvh2s7kyHVfZffWoEN9Q1I28LbkqejNNB8QuvTAoGAOt7qrew8OogJvs3xi0EZ -LYefPGcGdj7ZXeWTDv9QqP40K7iSdOaeO4gzkyOQNHSvNe8jsmbJnT1RyE0Lbctp -hZQCBdeNtDCWzYm0coW06gWZ/2xeli+c3ukzC1rDe9+eX9pV0Ow47c6r94JBnUit -wGZIwb0tqwP7l82Su4BmE8kCgYAo92MqQMxLYDzAGBe7Uae2mT1NDpYjMh1ktt08 -oZbeQXOyP6plbJaptqn9fwwnTexZe+gYLcQ9cbohSKZGbd1MXyeXGuua6Iqg2VIq -EiLq1DgaOArtSz3ukvuFF1V1kycz6it7LD/3rhrauxkRittllOacJDkujorinuNk -YC42sQKBgQDNY2eCtKMC7Lf8Lm5jnbNdW7s3iGSkeHBrxLf6+5JaV9ANHPU2DC23 -rUecryszi/mIePeEYbbSiqxSa/2rbIS8s4WkNRpXENWRpACaOeRzNLhxbL5kFKKh -aiiK/+rGS+T1KDSoTm5VYsyj1MG0bRfIdGhrnvCapDgTBDchItF82w== ------END RSA PRIVATE KEY----- diff --git a/test/certs/rootCA.key b/test/certs/rootCA.key deleted file mode 100644 index 5e669d1..0000000 --- a/test/certs/rootCA.key +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,22673A99BDDF38E8 - -ffN8zTCH8u/KHRSdxR8KrcXMKkN3laq5e4gANucNBznvj7Nx4mCHi82ggdc/KRu9 -lSS90qb7Mkcd9bJZ9WiJF+JnaShAGlLH0vyfwYN1EniSCx6HlqPCGgBt/w6bU97o -HLPRsWHXIVf/LZ+YcB8X9Z0e/ookZqBHsbsGb2+uBX7EDtok6P6K+wYR1ousppDA -3cTp42e4U2egNt1bUyYFnfC3+p5Rci7wHopcrDgouEP8NeSqM7Jhrtl59Kl0eHvV -nI2G//5asbvlLz1CcY+HkJ3acJbsiUwxXQtUcLmAytgKiyJ6Mc8tF8e2hpbLmGJZ -y0QY/Tc2eUXAX//nxnlyAT1YGghAORnxyQU6+lXvqk/9qLq/fEaT9GhcK1bVqCxU -vkMKZx9WleetuESgpo83J/RrOdoToQL0ngyd311ivmuFUg7RaJLAPVtxiz3nydxN -2QXkKaGw4UOnEgkDVGyzIfJLqTuuiluFuvAPx1DhbdIe7schbM5AIbpkEtnJIVU1 -QMxZ/P51rjJlBOqELQBEiD63dZ6J7MBX7zzuEOLF8SW1RyuA5y2f8O0n/DubqapH -ZC0uZGfG6C/Auy+DY/wrAfFsgA4DBGUdX3/iXg0SXJcwIwOOyJdUAgWbtNtMx0vu -qOb1vu28UMfns6pPi64DWSARy4pDkpPKsPnakQ7M87sOiaXSM259RAwJhMoWJwcc -xPkWOsF7hKS1Jy/ZVfZcbIF4Fs6m6Zo1oUi35blVH5QfKlLujP8jlaF7UgFovI7w -1zoJ6JU99ZAFT3gA9GOQYIWEDq+3MCnOmqU+JlNynsrOr7kF9PkoewQuzcJeA0/n -MP1O6dCVmqdBngt1nAHTyXjiKQj5WmFsoaAhzl5daOL0fSTcBnDXBqTjPZl8l3Iy -FN5r7pVYyggWCgHoMQiV0zUUAb80jiLNaHULjhUakeKbVIOTagPDpy36K3xRrFz2 -1cM1XpJKfTaN9Rovf6+BRr6ecqUHVStdgusAW5VErSsYmZhz5KuyYJeZwFnZR7uP -SPCD8QwBsLpf3t9h2UoBe/GTKZcajnNv6nZ/ld5YkPa2G+BMZlg5/wNhhfdc5vjV -czeixVl3iOFn5zwbUCPZq1oxXkgT5HExwWGqKtAUyjg2O4tWUDshJX7vwlQ8PEJ5 -9Fy61ZWlzY1xTzYIh3AzQAHHSWVqt6cuOXITlTJGCON02OHgJ56NOe/Ci7/XWyoI -k+SQ2dvPjoaQL5r7HS6fmRO+VlcugB3zSBiTZTCv4+z1/cUVT8HWH6PNV2cDAxx7 -HCGmTPe3WFJZxKTxGJ6x1NKRsyz6a5Uk3BzB5HVG5av3sXlTDy6dNI5oXHtZ1ND5 -2M2KNC9bif8RqrUXrhbrTLbIYIog6JxJcdJsxxkhTInQs7P5/xEvKxosHkxdWTM7 -UVH4c/5WRn35l2jTUe4QIKWokrCDggpbyh+qMLo7AEdUQ72raXZ3MxKD9tXL82xh -uNV+vG0ojsy4zjFBEGqlbchDShfOVzIZBRV2Q7yAKWJ9h6Q2sTl2CQG8obG73b2K -QDJ6jw2H3BeaBXnWdbl3QqhPVPCA4Tl8I2egkujPILUkDLVsLeq95g== ------END RSA PRIVATE KEY----- diff --git a/test/certs/rootCA.pem b/test/certs/rootCA.pem deleted file mode 100644 index 1bd4035..0000000 --- a/test/certs/rootCA.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEmzCCA4OgAwIBAgIJAL6wGd1s4F9TMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD -VQQGEwJDQTELMAkGA1UECBMCTlQxFDASBgNVBAcTC1llbGxvd2tuaWZlMQ0wCwYD -VQQKEwREZW1vMQ0wCwYDVQQLEwREZW1vMRowGAYDVQQDExFkZW1vLnNzaW1pY3Jv -LmNvbTEjMCEGCSqGSIb3DQEJARYUamVyZW15Y0Bzc2ltaWNyby5jb20wHhcNMTUx -MDIyMTU1NjAwWhcNMTgwODExMTU1NjAwWjCBjzELMAkGA1UEBhMCQ0ExCzAJBgNV -BAgTAk5UMRQwEgYDVQQHEwtZZWxsb3drbmlmZTENMAsGA1UEChMERGVtbzENMAsG -A1UECxMERGVtbzEaMBgGA1UEAxMRZGVtby5zc2ltaWNyby5jb20xIzAhBgkqhkiG -9w0BCQEWFGplcmVteWNAc3NpbWljcm8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEA0s3y2/WY1ZEtsU6/5UwRCZKsf88ApctqB3P5aTB9Ow53AOLF -hj/oN/cT2qfFtPAp0jKtUS9/bROQbsy0tzRc9OBDZ5qc7XZhlXikcPAN16esmA7j -uyNdQ6wgfX9GVdOywQKONEqePvg+SX9xiq5TrulDfHF2IS+G1UJRWkACuGSaTXhb -v5CCQceSvPipRZts+7SMERkgciCH2oVuyGs6n7Sc1LGmNtq7FsQgTs8RvtgEJ+eV -SkGqiy4/59evohRg2fSos/kfQFGMvYyYj4EDe8spnGOa919wU5z+16Oog/VOB/jv -V3CpRuegD2R9at1Rc8XGb+xpwn0JtjTbYDEQnQIDAQABo4H3MIH0MB0GA1UdDgQW -BBQr9y+Kq4lHtM0ELtphzSkA8ck8PjCBxAYDVR0jBIG8MIG5gBQr9y+Kq4lHtM0E -LtphzSkA8ck8PqGBlaSBkjCBjzELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAk5UMRQw -EgYDVQQHEwtZZWxsb3drbmlmZTENMAsGA1UEChMERGVtbzENMAsGA1UECxMERGVt -bzEaMBgGA1UEAxMRZGVtby5zc2ltaWNyby5jb20xIzAhBgkqhkiG9w0BCQEWFGpl -cmVteWNAc3NpbWljcm8uY29tggkAvrAZ3WzgX1MwDAYDVR0TBAUwAwEB/zANBgkq -hkiG9w0BAQUFAAOCAQEAhOxS1ti8/X+neasbkX0x6k+3cQ7cVmzuyALJbn+smotG -kjFK0ulY/zAYhnAvLQBu625vHugW1UMIvXxpJBFOS5x/O8+B07FweJxvqclF1xcG -A481xXuMcPQEvcysjY/6rJbo8PRVydCegZTWwy7PgA30gmouzLkSUkRgamcZftqR -xjkQYvFvQ9YkIMLgZedpikLZ/9rp60udzAyN44FPfhGVqgIYu2wxtAnfaIYtLOgf -KTQorr6PMIlOmhGu9QGGPsTen2QRukbk48isuDCV6JXyHtDmJQrsyjc61yc1sh7e -ZfH1tBk4OUCauZIH9Pk+WfpFkbyjWJDSBVqsQGBuvQ== ------END CERTIFICATE----- diff --git a/test/certs/rootCA.srl b/test/certs/rootCA.srl deleted file mode 100644 index 3835be0..0000000 --- a/test/certs/rootCA.srl +++ /dev/null @@ -1 +0,0 @@ -E9928ADA293BF8F7 diff --git a/test/certs/server.crt b/test/certs/server.crt new file mode 100644 index 0000000..41ae015 
--- /dev/null +++ b/test/certs/server.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC/DCCAeQCCQC/bkZwDQTlnjANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJH +QjETMBEGA1UECAwKQ2hlbHRlbmhhbTENMAsGA1UECgwESm9zaDEQMA4GA1UEAwwH +Sm9zaCBDQTAeFw0yMDAzMDYxMjE1NTdaFw00NzA3MjMxMjE1NTdaMD0xCzAJBgNV +BAYTAkdCMRMwEQYDVQQIDApDaGVsdGVuaGFtMQ0wCwYDVQQKDARKb3NoMQowCAYD +VQQDDAEqMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwD4jhNzitaEu +Yw9e/3wDgdvbDoote5diOPUsE3r9jHm4ZQcSiZmgj93ulYBDzzNX4q8Nbgk04keU +EUJBx/7sN4n2QpsJ8iN+cThRNDMU0LeQ/ekKpzAcq9bi60QzTuazfcC/INVXKyOr +b0ZqsGMRxnKAB8BRITuoDDOBQPFVvay4VXV5i4wKb12hJTqEbhmHpFHAtpEInZHk +Tj5ADUjlYnnvy3VxJjFSAWW2mRjm39LPtFQR1Rgohq8xOnhRIS/WmEJMrYrj596I +srmo/QvGADgTzPg7R5WaJHChqCj9bYtS9pVs5GQpBqaQMLo4CdqrQ9ipTXxfA0Zg +gEaau2LT3wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA4NsGrkqQHpZDM9lrybGLf +fhMQD791zOEYzAiGSKCNqcIPeOGXeLEEN2afs76HcrCa3j0LLwZXO0B+QXLW0fZk +z+xweyaJQ/3z3hW0LnmQNmO9wekKRw+8dknNSz3eo4H5qY0QRVq9ZQgdNx50Zry6 +kCtkOhtU5cihfdaEj2GhV5cfm6L6CMIhbXY8BDY+7NpFYfvQzWT9Z+Ohf9j+OHOo +jB5mIv04Evdt6FWB60Ar1MkSiQjQVdE9C+4ordsTKGCQpjXRgXri5Qc6+rqguO8o +Mixd1SAwrim5lhTSgz/ctlngzbJiqcOW83x+J9xLTsjBVi0Z/pXGkatZMa6/iV1W +-----END CERTIFICATE----- diff --git a/test/certs/server.key b/test/certs/server.key new file mode 100644 index 0000000..5f842bd --- /dev/null +++ b/test/certs/server.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAwD4jhNzitaEuYw9e/3wDgdvbDoote5diOPUsE3r9jHm4ZQcS +iZmgj93ulYBDzzNX4q8Nbgk04keUEUJBx/7sN4n2QpsJ8iN+cThRNDMU0LeQ/ekK +pzAcq9bi60QzTuazfcC/INVXKyOrb0ZqsGMRxnKAB8BRITuoDDOBQPFVvay4VXV5 +i4wKb12hJTqEbhmHpFHAtpEInZHkTj5ADUjlYnnvy3VxJjFSAWW2mRjm39LPtFQR +1Rgohq8xOnhRIS/WmEJMrYrj596Isrmo/QvGADgTzPg7R5WaJHChqCj9bYtS9pVs +5GQpBqaQMLo4CdqrQ9ipTXxfA0ZggEaau2LT3wIDAQABAoIBAQCRgvdTq/YWUOhR +puLbMz1cX9PRj5mZwR5hyoIQRLoCSGfgYJgRey1jeDMNCkdJYK2XMbVSorlaxZ83 +6RTtkvGtoEm8ZKoElAUzIdOlVTzeNvQSnQCpR+uLzl14gujrQgh+mRSSf6k5SAiN +c5lx5asgsK5kL5e5NfSfN6UQSRwDMpc6oOqLvAT2XzMVRew6ivj1+OubYiC2Wdku +2tmeixNVVwgMKwHzRfuFkwYOcvcjIw4lWg32A+yW2Rqn0Nq7kXLeDlTrkacPCfoa +4yADV+2eyIxC+kMRnMdLgA91aM49wvtCJknNA60GYcQdLN9Pw/MDukR3gN+L3nDl +hWbChGSRAoGBAOdUFWJmmWdq84k7z5DSJ1lO8tVkDXE35oYtMX2jQD8QMVw/UU8X +4c8Wb1Ql9uSIkI95vixujYL7V76k52Lp/7FIdWShaS+itoJnmCKCTwbG9nCnp5lj +Do04n873X0gcWQjUojiGmpfi2M3RsKGm4MUucWxRIw0095j++yjl8MzrAoGBANS+ +57zUTeecXT8EUf9HumLtFavAbWEgB0q4q4ewXr2VZBNXCE5dKnlvT2CDFZg/Upfg +INsRi8dk7//bnpp8m8DzG9F8R8F1DWO/qata6rvdlNpQ07aL25Z7gJchAAVbLmIC +pdNmqppODiF/g3rYlMwbQllJuzjoMZYt+rhW1ofdAoGBAK6fioT9bk/jLHQr8kQg +YBPKxQTQwlT1Hc+rzfBJi/YPAzPfmEFchdkN1nxvLDDX5khoXmasDacSlOoVEZZZ +jesGB5gvQHf1HFDUYsOqGn3DM8VWye3AGPwCAqD5m7OTsqI34T1KXujJFWBJKkzc +7E/s/zIFDbCqiz2zPWViLqSBAoGANSPiWqZlNz81g3Ie0TcndWJnEVmleKc5aw6p +ueDyKUTRlIsexgQ7gc2t9BuKH1dh2BHh4xaE5a9uy2geO9R4Sz/uaOs0OTx1tb7A +MM8q5vY4IjgiSeyxUutSeW2CxdO6yDyFE0MHxjdNDEz/mIXU1Q7SCd+C5noJOMwP +XlBCkfkCgYEA2d018ARx9l0CerVTz1uG1RyOWVLH/d5XuApov3+Bye7BeKlirv6m +1RCFUDduXI3lr1TbifP7XK0W1E9A9u46KmTWm5PWRvNJOmSi3qXvI9nQsGvBmSQd +VJfCUAeI1KaAMHp1fQq/tLbnOWUkEx1WjLe5Rs86CJ2VjCFfyATTYh4= +-----END RSA PRIVATE KEY----- diff --git a/test/certs/wrongca.crt b/test/certs/wrongca.crt new file mode 100644 index 0000000..8306dca --- /dev/null +++ b/test/certs/wrongca.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFfTCCA2WgAwIBAgIUI8YwKAVnOqAcsENwBMFoOju6/20wDQYJKoZIhvcNAQEL +BQAwTjELMAkGA1UEBhMCVUsxEDAOBgNVBAgMB0VuZ2xhbmQxEzARBgNVBAcMCkNo +ZWx0ZW5oYW0xDDAKBgNVBAoMA2pqaDEKMAgGA1UEAwwBKjAeFw0xOTA2MTQyMDMy +NDhaFw0yMjA2MTQyMDMyNDhaME4xCzAJBgNVBAYTAlVLMRAwDgYDVQQIDAdFbmds +YW5kMRMwEQYDVQQHDApDaGVsdGVuaGFtMQwwCgYDVQQKDANqamgxCjAIBgNVBAMM +ASowggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC0Vex3WyX6zHorsi28 +3+INfk/BxK8uT+peO4bcSBJvIp/3xswIGN0D7RnOsP5EpXDn57DWQGXW72Or3ec6 +dGYOQVA/tSv9qyx2HHytbvArhPVDwDscwDlict3qNoSCZIH5gjQZchmLxi5L0RJ7 +qBSiOzbMFcJGHJJvTCY10XeImlde+T/jak5NZQ3CAWBh6BEMZE7gK+ufdX4+M3N5 +ZfD7VlxA6q5TiZT50r5g9G9mKPM66UEK4TrosBGbCYNeGunLC4Q94oX7MzhAsAwl +i8aHsA71455IH8g9WQ5/y2mYxuwdz4xdmBNtcmGlvd+BJ4PFtGvUqWdG5ECD55Ah +718C2dnFnA53ZnHbIzf2XFSKILsUd/1uWhq0vBm5OlF96eD8BWYlBiBj6CXH9A24 +Gu0HzZtkKyO83yWC+uF3zz2/Ec7VN/cQUHIn2pixYL737o6EPxWnWxFuRCau2sue +YnIw1x9BEg1cOLmSL6lHZj5Llr4mVCsewNMgMxzE2MfMpsnsEc0lwfX1ICFM347L +sqx2LuArRytDV+ZJYueL33/eLw86BMjQ9FEBDNv3oEPi84raA76RMz1Z4yFAEW0M +kcj9cUOsrM8G8Kud3eC/YnAMnOTQx2QETlnJv+E3frbgTYVxan8G5ynrbkJ7v0SD ++R8j57QzoTPAsDzJiIR0h2XfHQIDAQABo1MwUTAdBgNVHQ4EFgQUrQHskQDWP3Az +mBnBpsC+wcBts7MwHwYDVR0jBBgwFoAUrQHskQDWP3AzmBnBpsC+wcBts7MwDwYD +VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAar561zQXRH+t9nALpOuU +ew1+hUqQlNmpg98Up2ZAjMtQmB+FiFc/2xMgk56F/sMUB3NHhtxQdPTpKELqdgmh +sWJH0VwtAWB0lYOIvkTSLYEHvRRyzJOLJ9hUdS0ghLd52fNyBH5XOMo68z1CtjvN +SCejAwkI/iZfXy94ZQAKaRLzRMd/MHDdIf4HrG3QHDA5WTlUUMnL+YyrmMtVjt3d +9xZSIAXDvvAtqhyQN29wPY8d+m2xZIUs/sqluXvWB/z4Ze54tMqdKtnOfoBDIPoy +Rnb24NY4pOrptj1qo2O7uNILXuK7snKBgVL4QtyG3UdOuVmzw+KfDr5fL1DmitIw +JcLgQPY3ImVZA0owtScTV2sza7p7hrQJb3tc+JmXO7jywRzcr051Yrx9MgSO53RY +veghNUHJYT/k4w4SbrNw5nJvcvnYMFxQgme/fLHhds+UsyjtlGRHI1VI39uZzjn2 +y8pPMPE+UWybc1BHP0xUCbShbqHlT2NTN8E+WyRM6SwzDTXRWKe87JaJQ/BU4InM +3Msa9rdveyJMFBYmsq+/ikOltjp4kYSv2eUg38eemaK2Vo4E+lV9Vh7mjRinF1GA +6cu6C8VbhlEIVz2KlS+hc7asLO2KNMbZYVSQf+4ASsLoVH2SeFZ4jIydEVAfhbJx +pV7SBCA1RpxXszJYCDf4A6w= +-----END 
CERTIFICATE-----
diff --git a/test/run_sasl.sh b/test/run_sasl.sh
index 2c51333..c99dc6c 100755
--- a/test/run_sasl.sh
+++ b/test/run_sasl.sh
@@ -1,15 +1,27 @@
#!/bin/sh
if [[ -z $SLAPD ]] ; then
- SLAPD=/usr/local/libexec/slapd
+ if [ -f /usr/local/libexec/slapd ] ; then
+ SLAPD=/usr/local/libexec/slapd
+ else
+ SLAPD=slapd
+ fi
fi
if [[ -z $SLAPADD ]] ; then
- SLAPADD=/usr/local/sbin/slapadd
+ if [ -f /usr/local/sbin/slapadd ] ; then
+ SLAPADD=/usr/local/sbin/slapadd
+ else
+ SLAPADD=slapadd
+ fi
fi
if [[ -z $SLAPD_CONF ]] ; then
- SLAPD_CONF=sasl.conf
+ if [ -d /usr/local/etc/openldap/ ]; then
+ SLAPD_CONF=sasl.conf
+ else
+ SLAPD_CONF=sasl.linux.conf
+ fi
fi
MKDIR=/bin/mkdir
diff --git a/test/run_server.sh b/test/run_server.sh
index c4f61ea..96c549e 100755
--- a/test/run_server.sh
+++ b/test/run_server.sh
@@ -1,7 +1,7 @@
#!/bin/sh
-SLAPD=/usr/local/libexec/slapd
-SLAPADD=/usr/local/sbin/slapadd
+SLAPD=`test -f /usr/local/libexec/slapd && echo /usr/local/libexec/slapd || echo slapd`
+SLAPADD=`test -f /usr/local/sbin/slapadd && echo /usr/local/sbin/slapadd || echo slapadd`
MKDIR=/bin/mkdir
RM=/bin/rm
KILL=/bin/kill
@@ -9,8 +9,13 @@ KILL=/bin/kill
$RM -rf openldap-data
$MKDIR openldap-data
-$SLAPADD -f slapd.conf < startup.ldif
-$SLAPD -d999 -f slapd.conf -h "ldap://:1234 ldapi://%2ftmp%2fslapd.sock ldaps://localhost:1235"
+if [ -d /usr/local/etc/openldap/ ]; then
+ $SLAPADD -f slapd.conf < startup.ldif
+ $SLAPD -d999 -f slapd.conf -h "ldap://:1234 ldapi://%2ftmp%2fslapd.sock ldaps://localhost:1235"
+else
+ $SLAPADD -f slapd.linux.conf < startup.ldif
+ $SLAPD -d999 -f slapd.linux.conf -h "ldap://:1234 ldapi://%2ftmp%2fslapd.sock ldaps://localhost:1235"
+fi
+
SLAPD_PID=$! # slapd should be running now
-
diff --git a/test/sasl.linux.conf b/test/sasl.linux.conf
new file mode 100644
index 0000000..c5f62c6
--- /dev/null
+++ b/test/sasl.linux.conf
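Review bot: The new `SLAPD_CONF` branch in run_sasl.sh picks `sasl.conf` versus `sasl.linux.conf` by probing `/usr/local/etc/openldap/`, a directory unrelated to the `SLAPD` binary chosen a few lines earlier, so a host that has that directory but runs the distro `slapd` (or the reverse) gets a config whose `include` paths do not match the server. Deriving both from one probe keeps them coherent, e.g. `if [ -f /usr/local/libexec/slapd ]; then SLAPD_CONF=sasl.conf; else SLAPD_CONF=sasl.linux.conf; fi`, and `command -v slapd` would fail earlier and more clearly than a bare `SLAPD=slapd`. The same directory probe is repeated in `test/run_server.sh` in the next hunk. The surrounding `if [[ -z ... ]]` tests are bash-only under a `#!/bin/sh` shebang, but that predates this commit.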
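Review bot: The second run_server.sh hunk duplicates the `$SLAPADD` and `$SLAPD` invocations in both branches of the new `if`, so the listener string and the `-d999` level now have to be kept in sync in two places when only the config file name differs. Selecting the file into a variable and invoking once removes the duplication and lets `SLAPD_CONF` be overridden from the environment the way `test/run_sasl.sh` already allows. Note that `$SLAPD` is not backgrounded in either branch, so `SLAPD_PID=$!` on the next line does not capture its PID unless something outside the hunk does; that behaviour is unchanged by this commit.
```sh
if [ -d /usr/local/etc/openldap/ ]; then
  SLAPD_CONF=${SLAPD_CONF:-slapd.conf}
else
  SLAPD_CONF=${SLAPD_CONF:-slapd.linux.conf}
fi
$SLAPADD -f "$SLAPD_CONF" < startup.ldif
$SLAPD -d999 -f "$SLAPD_CONF" -h "ldap://:1234 ldapi://%2ftmp%2fslapd.sock ldaps://localhost:1235"
# … unchanged: SLAPD_PID=$! …
```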
@@ -0,0 +1,26 @@
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+
+pidfile ./slapd.pid
+argsfile ./slapd.args
+
+modulepath /usr/libexec/openldap
+moduleload back_bdb
+
+idletimeout 100
+
+database bdb
+
+sasl-auxprops slapd
+sasl-secprops none
+authz-regexp uid=(.*),cn=PLAIN,cn=auth cn=$1,dc=sample,dc=com
+authz-regexp uid=(.*),cn=authz,cn=auth cn=$1,dc=sample,dc=com
+password-hash {CLEARTEXT}
+authz-policy from
+
+suffix "dc=sample,dc=com"
+rootdn "cn=Manager,dc=sample,dc=com"
+rootpw secret
+directory ./openldap-data
+index objectClass,cn,contextCSN eq
diff --git a/test/slapd.conf b/test/slapd.conf
index dc854fd..016f69d 100644
--- a/test/slapd.conf
+++ b/test/slapd.conf
@@ -7,9 +7,9 @@ include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
-TLSCACertificateFile certs/rootCA.pem
-TLSCertificateFile certs/device.crt
-TLSCertificateKeyFile certs/device.key
+TLSCACertificateFile certs/ca.crt
+TLSCertificateFile certs/server.crt
+TLSCertificateKeyFile certs/server.key
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
@@ -26,9 +26,9 @@ moduleload back_mdb
timelimit 10
-TLSCACertificateFile certs/rootCA.pem
-TLSCertificateFile certs/device.crt
-TLSCertificateKeyFile certs/device.key
+TLSCACertificateFile certs/ca.crt
+TLSCertificateFile certs/server.crt
+TLSCertificateKeyFile certs/server.key
# Sample security restrictions
diff --git a/test/slapd.linux.conf b/test/slapd.linux.conf
new file mode 100644
index 0000000..87890fa
--- /dev/null
+++ b/test/slapd.linux.conf
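Review bot: `moduleload back_bdb` and `database bdb` in this new Linux config disagree with the `database mdb` used by the sibling `test/slapd.linux.conf` added in the same commit and by `test/slapd.conf`; the BDB backend was deprecated for years and is removed in OpenLDAP 2.5, so on a current distribution this file fails at startup while the non-SASL one works. `moduleload back_mdb` with `database mdb` keeps the two Linux configs consistent. The `/etc/openldap` and `/usr/libexec/openldap` paths match the Fedora/RHEL layout, while Debian-family packages use `/etc/ldap` and `/usr/lib/ldap`, so a one-line comment naming the intended distribution would save the next person a failed run.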
@@ -0,0 +1,82 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+# Define global ACLs to disable default read access.
+
+TLSCACertificateFile certs/ca.crt
+TLSCertificateFile certs/server.crt
+TLSCertificateKeyFile certs/server.key
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile ./slapd.pid
+argsfile ./slapd.args
+
+# Load dynamic backend modules:
+#modulepath /usr/local/libexec/openldap
+#moduleload back_mdb
+# moduleload back_hdb
+# moduleload back_ldap
+
+timelimit 10
+
+TLSCACertificateFile certs/ca.crt
+TLSCertificateFile certs/server.crt
+TLSCertificateKeyFile certs/server.key
+
+ # Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+# Directives needed to implement policy:
+access to dn.base="" by * read
+access to dn.base="cn=Subschema" by * read
+access to *
+ by self write
+ by users read
+ by anonymous read
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+idletimeout 100
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+
+database mdb
+# overlay syncprov
+# syncprov-checkpoint 10 10
+
+suffix "dc=sample,dc=com"
+rootdn "cn=Manager,dc=sample,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoid. See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw secret
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory ./openldap-data
+# Indices to maintain
+index objectClass,cn,contextCSN eq
diff --git a/test/tls.js b/test/tls.js
index 061f2ab..2ce6e47 100644
--- a/test/tls.js
+++ b/test/tls.js
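Review bot: The backend module lines are commented out (`#modulepath /usr/local/libexec/openldap`, `#moduleload back_mdb`) while `database mdb` is enabled, which only works where slapd has back_mdb compiled in; distributions that ship it as a loadable module will reject the config with an unknown backend, the opposite choice from `test/sasl.linux.conf`, which does set a modulepath and moduleload. Either load the module here as the SASL config does or record in a comment which build this file targets. The `# BDB database definitions` banner above `database mdb` is stale and should read `# MDB database definitions`, and the three TLS directives appear twice (after the includes and again after `timelimit 10`), so one copy can go.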
@@ -82,4 +82,55 @@ describe('LDAP TLS', function() {
assert(ldap.tlsactive());
ldap.close();
});
+ it ('Should validate cert', function(done) {
+ this.timeout(10000);
+ const ldap = new LDAP({
+ uri: 'ldap://localhost:1234',
+ base: 'dc=sample,dc=com',
+ attrs: '*',
+ validatecert: true,
+ ca: "test/certs/ca.crt"
+ }, function(err) {
+ assert.ifError(err);
+ ldap.starttls(function(err) {
+ assert.ifError(err);
+ ldap.installtls();
+ assert(ldap.tlsactive());
+ ldap.search({
+ filter: '(cn=babs)',
+ scope: LDAP.SUBTREE
+ }, function(err, res) {
+ assert.ifError(err);
+ assert.equal(res.length, 1);
+ assert.equal(res[0].sn[0], 'Jensen');
+ assert.equal(res[0].dn, 'cn=Babs,dc=sample,dc=com');
+ done();
+ });
+ });
+ });
+ });
+ it ('Should not validate cert', function(done) {
+ this.timeout(10000);
+ const ldap = new LDAP({
+ uri: 'ldap://localhost:1234',
+ base: 'dc=sample,dc=com',
+ attrs: '*',
+ validatecert: true,
+ ca: "test/certs/wrongca.crt"
+ }, function(err) {
+ assert.ifError(err);
+ ldap.starttls(function(err) {
+ assert.ifError(err);
+ ldap.installtls();
+ assert(ldap.tlsactive());
+ ldap.search({
+ filter: '(cn=babs)',
+ scope: LDAP.SUBTREE
+ }, function(err, res) {
+ assert.ifError(!err);
+ done();
+ });
+ });
+ });
+ });
});
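Review bot: In `Should not validate cert` the wrong-CA connection is expected to pass `starttls`, `installtls()` and `assert(ldap.tlsactive())` and only fail at the search, so the test stays green even if certificate verification never happened and the search failed for an unrelated reason; `assert.ifError(!err)` also reports an opaque `true` instead of saying what was expected. If the binding surfaces the verification failure from `installtls()` or the `starttls` callback (not visible from this hunk), the negative test should assert the error there and that `tlsactive()` is false; otherwise the search callback should at least read `assert.ok(err, 'search over a connection with an untrusted CA must fail');` and a positive check that the error text mentions TLS or the certificate once its wording is known. An assertion that throws inside these callbacks also skips `done()`, so a failure shows up as a 10 s timeout rather than the assertion message, which the existing tests in this file share. The `ca: "test/certs/..."` paths resolve against the process working directory while the server scripts use `certs/...` relative to `test/`, so this only works when mocha is started from the repository root.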