Merge pull request cesanta#48 from cesanta/tls

Support different TLS methods for LDAP
deploymentbox · Nov 22, 2015 · 3fcaf82 · 3fcaf82
2 parents f12af26 + a9c3c39
commit 3fcaf82
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 20 deletions.
diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
@@ -28,21 +28,25 @@ import (
 )
 
 type LDAPAuthConfig struct {
-	Addr             string `yaml:"addr,omitempty"`
-	StartTLS         bool   `yaml:"tls,omitempty"`
-	Base             string `yaml:"base,omitempty"`
-	Filter           string `yaml:"filter,omitempty"`
-	BindDN           string `yaml:"bind_dn,omitempty"`
-	BindPasswordFile string `yaml:"bind_password_file,omitempty"`
-	GroupBaseDN      string `yaml:"group_base_dn,omitempty"`
-	GroupFilter      string `yaml:"group_filter,omitempty"`
+	Addr                  string `yaml:"addr,omitempty"`
+	TLS                   string `yaml:"tls,omitempty"`
+	InsecureTLSSkipVerify bool   `yaml:"insecure_tls_skip_verify,omitempty"`
+	Base                  string `yaml:"base,omitempty"`
+	Filter                string `yaml:"filter,omitempty"`
+	BindDN                string `yaml:"bind_dn,omitempty"`
+	BindPasswordFile      string `yaml:"bind_password_file,omitempty"`
+	GroupBaseDN           string `yaml:"group_base_dn,omitempty"`
+	GroupFilter           string `yaml:"group_filter,omitempty"`
 }
 
 type LDAPAuth struct {
 	config *LDAPAuthConfig
 }
 
 func NewLDAPAuth(c *LDAPAuthConfig) (*LDAPAuth, error) {
+	if c.TLS == "" && strings.HasSuffix(c.Addr, ":636") {
+		c.TLS = "always"
+	}
 	return &LDAPAuth{
 		config: c,
 	}, nil
@@ -124,18 +128,24 @@ func (la *LDAPAuth) escapeAccountInput(account string) string {
 }
 
 func (la *LDAPAuth) ldapConnection() (*ldap.Conn, error) {
-	glog.V(2).Infof("Dial: starting...%s", la.config.Addr)
-	l, err := ldap.Dial("tcp", fmt.Sprintf("%s", la.config.Addr))
+	var l *ldap.Conn
+	var err error
+	if la.config.TLS == "" || la.config.TLS == "none" || la.config.TLS == "starttls" {
+		glog.V(2).Infof("Dial: starting...%s", la.config.Addr)
+		l, err = ldap.Dial("tcp", fmt.Sprintf("%s", la.config.Addr))
+		if err == nil && la.config.TLS == "starttls" {
+			glog.V(2).Infof("StartTLS...")
+			if tlserr := l.StartTLS(&tls.Config{InsecureSkipVerify: la.config.InsecureTLSSkipVerify}); tlserr != nil {
+				return nil, tlserr
+			}
+		}
+	} else if la.config.TLS == "always" {
+		glog.V(2).Infof("DialTLS: starting...%s", la.config.Addr)
+		l, err = ldap.DialTLS("tcp", fmt.Sprintf("%s", la.config.Addr), &tls.Config{InsecureSkipVerify: la.config.InsecureTLSSkipVerify})
+	}
 	if err != nil {
 		return nil, err
 	}
-	if la.config.StartTLS {
-		glog.V(2).Infof("StartTLS...")
-		err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
-		if err != nil {
-			return nil, err
-		}
-	}
 	return l, nil
 }
 

diff --git a/examples/ldap_auth.yml b/examples/ldap_auth.yml
@@ -1,13 +1,17 @@
 server:
   addr: :5001
-  certificate: /path/to/server.pem 
+  certificate: /path/to/server.pem
   key: /path/to/server.key
 token:
   issuer: Acme auth server
   expiration: 900
 ldap_auth:
-  addr: ldap.example.com:389
-  tls: true
+  addr: ldap.example.com:636
+  # Setup tls connection method to be
+  # "" or "none": the communication won't be encrypted
+  # "always": setup LDAP over SSL/TLS
+  # "starttls": sets StartTLS as the encryption method
+  tls: always
   bind_dn:
   bind_password_file:
   base: o=example.com