
Commit 9e8656c

authored
Merge pull request cesanta#197 from mrueg/ldap-cert
Set custom CA certificate for LDAP cert verification
2 parents 14dc617 + c7b1c65 commit 9e8656c


3 files changed

+20
-1
lines changed


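--- a/auth_server/authn/ldap_auth.go
+++ b/auth_server/authn/ldap_auth.go
@@ -19,6 +19,7 @@ package authn
 import (
 "bytes"
 "crypto/tls"
+"crypto/x509"
 "fmt"
 "io/ioutil"
 "strings"
@@ -31,6 +32,7 @@ type LDAPAuthConfig struct {
 Addr string `yaml:"addr,omitempty"`
 TLS string `yaml:"tls,omitempty"`
 InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"`
+CACertificate string `yaml:"ca_certificate,omitempty"`
 Base string `yaml:"base,omitempty"`
 Filter string `yaml:"filter,omitempty"`
 BindDN string `yaml:"bind_dn,omitempty"`
@@ -140,7 +142,20 @@ func (la *LDAPAuth) ldapConnection() (*ldap.Conn, error) {
 tlsConfig := &tls.Config{InsecureSkipVerify: true}
 if !la.config.InsecureTLSSkipVerify {
 addr := strings.Split(la.config.Addr, ":")
-tlsConfig = &tls.Config{InsecureSkipVerify: false, ServerName: addr[0]}
+if la.config.CACertificate != "" {
+pool := x509.NewCertPool()
+pem, err := ioutil.ReadFile(la.config.CACertificate)
+if err != nil {
+return nil, fmt.Errorf("Error loading CA File: %s", err)
+}
+ok := pool.AppendCertsFromPEM(pem)
+if !ok {
+return nil, fmt.Errorf("Error loading CA File: Couldn't parse PEM in: %s", la.config.CACertificate)
+}
+tlsConfig = &tls.Config{InsecureSkipVerify: false, ServerName: addr[0], RootCAs: pool}
+} else {
+tlsConfig = &tls.Config{InsecureSkipVerify: false, ServerName: addr[0]}
+}
 }
 
 if la.config.TLS == "" || la.config.TLS == "none" || la.config.TLS == "starttls" {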
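Review bot: The CA bundle is re-read from disk and re-parsed on every ldapConnection() call (the ioutil.ReadFile / AppendCertsFromPEM block at new lines 146–154), so a missing or malformed file only surfaces as an error at authentication time rather than at startup; loading the pool once when the config is validated, storing it on LDAPAuth, and having ldapConnection() only reference it would make the failure visible early and keep the per-connection path cheap. Because the new branch sits inside `if !la.config.InsecureTLSSkipVerify`, a config that sets both `insecure_tls_skip_verify: true` and `ca_certificate` silently ignores the CA; rejecting that combination at config validation (or at least logging it) would avoid a misleadingly configured deployment. Setting RootCAs also replaces the system trust store, which the example files do not say, so their comment could read `# path to a PEM CA bundle; when set, only this CA (not the system roots) is trusted for the LDAP server`. Style-wise, the two tls.Config literals differ only in RootCAs, so building one config and assigning `tlsConfig.RootCAs = pool` inside the branch avoids the duplication, and the error strings would conventionally be lowercase and wrap the cause with %w if the module's Go version supports it. ldapConnection() continues outside the hunk.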

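--- a/examples/ldap_auth.yml
+++ b/examples/ldap_auth.yml
@@ -18,6 +18,8 @@ ldap_auth:
 tls: always
 # set to true to allow insecure tls
 insecure_tls_skip_verify: false
+# set this to specify the ca certificate path
+ca_certificate:
 # In case bind DN and password is required for querying user information,
 # specify them here. Plain text password is read from the file.
 bind_dn: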

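--- a/examples/reference.yml
+++ b/examples/reference.yml
@@ -131,6 +131,8 @@ ldap_auth:
 tls: always
 # set to true to allow insecure tls
 insecure_tls_skip_verify: false
+# set this to specify the ca certificate path
+ca_certificate:
 # In case bind DN and password is required for querying user information,
 # specify them here. Plain text password is read from the file.
 bind_dn: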
