authorMark Felder <feld@feld.me>2024-09-14 20:03:26 -0400
committerMark Felder <feld@feld.me>2024-09-14 20:36:24 -0400
commit5539fea3bb0d272b4cefc2b72755cb3cd285cc67 (patch)
tree411e925a4620b7aa974c010ba2d2b9a98bf8a94a /lib
parent7def11d7c352f13ce0f12715649359344cbba9a6 (diff)
downloadpleroma-5539fea3bb0d272b4cefc2b72755cb3cd285cc67.tar.gz
pleroma-5539fea3bb0d272b4cefc2b72755cb3cd285cc67.zip
LDAP: permit overriding the CA root
Diffstat (limited to 'lib')
-rw-r--r--lib/pleroma/web/auth/ldap_authenticator.ex17
1 files changed, 16 insertions, 1 deletions
diff --git a/lib/pleroma/web/auth/ldap_authenticator.ex b/lib/pleroma/web/auth/ldap_authenticator.ex
index d31f34747..7f2cd3d69 100644
--- a/lib/pleroma/web/auth/ldap_authenticator.ex
+++ b/lib/pleroma/web/auth/ldap_authenticator.ex
@@ -42,11 +42,14 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
ssl = Keyword.get(ldap, :ssl, false)
sslopts = Keyword.get(ldap, :sslopts, [])
tlsopts = Keyword.get(ldap, :tlsopts, [])
+ cacertfile = Keyword.get(ldap, :cacertfile) || CAStore.file_path()
options =
[{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
if sslopts != [], do: [{:sslopts, sslopts}], else: []
+ cacerts = decode_certfile(cacertfile)
+
case :eldap.open([to_charlist(host)], options) do
{:ok, connection} ->
try do
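Review bot: The added `cacerts = decode_certfile(cacertfile)` runs unconditionally on every call of this function, so the CA bundle is read from disk and PEM-decoded on each authentication attempt, and a missing or unreadable `cacertfile` logs "Unable to read certfile" on every login even when `ssl` is false and no StartTLS is negotiated. Either guard the decode with the same condition that decides whether TLS options are built at all, or move the call next to the `Keyword.merge` that consumes it so the file is only touched when it is needed. Note also that `sslopts` is still passed straight into the `:eldap.open/2` options for the `ssl: true` (LDAPS) path without any default `verify`/`cacerts`, so unless the merged TLS options further down are also applied there, the new CA override only affects the StartTLS path; I cannot confirm this from the hunk because the enclosing function starts before it. Consider a comment on the new line such as `# decoded once per call; [] when the file could not be read (verify_peer then rejects every peer)`.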
@@ -58,7 +61,7 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
Keyword.merge(
[
verify: :verify_peer,
- cacerts: :certifi.cacerts(),
+ cacerts: cacerts,
customize_hostname_check: [
fqdn_fun: fn _ -> to_charlist(host) end
]
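Review bot: `cacerts: cacerts` can now be `[]` when `decode_certfile/1` failed, whereas the replaced `:certifi.cacerts()` was never empty; with `verify: :verify_peer` an empty trust store makes every peer chain fail as unknown CA, which is fail-closed but produces a TLS handshake error far away from the only diagnostic (the earlier log line). A short comment on this line would save the next operator some debugging: `# may be [] if the configured cacertfile could not be read; verify_peer will then reject every server certificate`. Since this list is the first argument of `Keyword.merge/2`, operator-supplied `tlsopts` can still override `cacerts` and `verify`, which is unchanged behaviour but worth stating in the same comment.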
@@ -147,4 +150,16 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
error -> error
end
end
+
+ defp decode_certfile(file) do
+ with {:ok, data} <- File.read(file) do
+ data
+ |> :public_key.pem_decode()
+ |> Enum.map(fn {_, b, _} -> b end)
+ else
+ _ ->
+ Logger.error("Unable to read certfile: #{file}")
+ []
+ end
+ end
end
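Review bot: `Enum.map(fn {_, b, _} -> b end)` in `decode_certfile/1` hands the DER of every PEM entry to `cacerts`, including private keys, CRLs or encrypted blocks that a bundle file may contain, and a file that reads fine but holds no PEM blocks yields `[]` with no log line at all. Restrict the result to plain certificate entries, e.g. `for {:Certificate, der, :not_encrypted} <- :public_key.pem_decode(data), do: der`, and log when the resulting list is empty so an empty trust store is as visible as an unreadable file. A `@spec decode_certfile(Path.t()) :: [binary()]` plus a one-line `@doc false` summary stating that `[]` is returned on any read failure would also document the fail-closed contract the caller relies on.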