ldap: add starttls support and option to specificy ca certificate

This commit is contained in:
Bradley Girardeau 2015-07-02 15:49:51 -07:00
parent f6f95d5f2b
commit 42050fe77b
2 changed files with 53 additions and 8 deletions


@ -2,6 +2,7 @@ package ldap
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509"
"fmt" "fmt"
"net" "net"
"net/url" "net/url"
@ -32,9 +33,17 @@ func pathConfig(b *backend) *framework.Path {
Type: framework.TypeString, Type: framework.TypeString,
Description: "Attribute used for users (default: cn)", Description: "Attribute used for users (default: cn)",
}, },
"certificate": &framework.FieldSchema{
Type: framework.TypeString,
Description: "CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional)",
},
"insecure_tls": &framework.FieldSchema{ "insecure_tls": &framework.FieldSchema{
Type: framework.TypeBool, Type: framework.TypeBool,
Description: "Skip LDAP server SSL Certificate verification - VERY insecure", Description: "Skip LDAP server SSL Certificate verification - VERY insecure (optional)",
},
"starttls": &framework.FieldSchema{
Type: framework.TypeBool,
Description: "Issue a StartTLS command after establishing unencrypted connection (optional)",
}, },
}, },
@ -81,7 +90,9 @@ func (b *backend) pathConfigRead(
"userdn": cfg.UserDN, "userdn": cfg.UserDN,
"groupdn": cfg.GroupDN, "groupdn": cfg.GroupDN,
"userattr": cfg.UserAttr, "userattr": cfg.UserAttr,
"certificate": cfg.Certificate,
"insecure_tls": cfg.InsecureTLS, "insecure_tls": cfg.InsecureTLS,
"starttls": cfg.StartTLS,
}, },
}, nil }, nil
} }
@ -106,10 +117,18 @@ func (b *backend) pathConfigWrite(
if groupdn != "" { if groupdn != "" {
cfg.GroupDN = groupdn cfg.GroupDN = groupdn
} }
certificate := d.Get("certificate").(string)
if certificate != "" {
cfg.Certificate = certificate
}
insecureTLS := d.Get("insecure_tls").(bool) insecureTLS := d.Get("insecure_tls").(bool)
if insecureTLS { if insecureTLS {
cfg.InsecureTLS = insecureTLS cfg.InsecureTLS = insecureTLS
} }
startTLS := d.Get("starttls").(bool)
if startTLS {
cfg.StartTLS = startTLS
}
// Try to connect to the LDAP server, to validate the URL configuration // Try to connect to the LDAP server, to validate the URL configuration
// We can also check the URL at this stage, as anything else would probably // We can also check the URL at this stage, as anything else would probably
@ -136,7 +155,27 @@ type ConfigEntry struct {
UserDN string UserDN string
GroupDN string GroupDN string
UserAttr string UserAttr string
Certificate string
InsecureTLS bool InsecureTLS bool
StartTLS bool
}
func (c *ConfigEntry) GetTLSConfig(host string) (*tls.Config, error) {
tlsConfig := &tls.Config{
ServerName: host,
}
if c.InsecureTLS {
tlsConfig.InsecureSkipVerify = true
}
if c.Certificate != "" {
caPool := x509.NewCertPool()
ok := caPool.AppendCertsFromPEM([]byte(c.Certificate))
if !ok {
return nil, fmt.Errorf("could not append CA certificate")
}
tlsConfig.RootCAs = caPool
}
return tlsConfig, nil
} }
func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) { func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) {
@ -157,18 +196,22 @@ func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) {
port = "389" port = "389"
} }
conn, err = ldap.Dial("tcp", host+":"+port) conn, err = ldap.Dial("tcp", host+":"+port)
if c.StartTLS {
tlsConfig, err := c.GetTLSConfig(host)
if err != nil {
break
}
err = conn.StartTLS(tlsConfig)
}
case "ldaps": case "ldaps":
if port == "" { if port == "" {
port = "636" port = "636"
} }
tlsConfig := tls.Config{ tlsConfig, err := c.GetTLSConfig(host)
ServerName: host, if err != nil {
InsecureSkipVerify: false, break
} }
if c.InsecureTLS { conn, err = ldap.DialTLS("tcp", host+":"+port, tlsConfig)
tlsConfig.InsecureSkipVerify = true
}
conn, err = ldap.DialTLS("tcp", host+":"+port, &tlsConfig)
default: default:
return nil, fmt.Errorf("invalid LDAP scheme") return nil, fmt.Errorf("invalid LDAP scheme")
} }
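Review bot: The `tlsConfig, err := c.GetTLSConfig(host)` inside the `if c.StartTLS` block and the same form in the `ldaps` case each declare a fresh `err` in that inner scope, while the dial on the line above assigns the outer one with `conn, err = ldap.Dial(...)`; as a result `err = conn.StartTLS(tlsConfig)`, the `break` on a GetTLSConfig failure, and `conn, err = ldap.DialTLS(...)` all write to the shadowed variable and the outer `err` keeps the plain-dial result. If the error check that follows the switch (outside this hunk) reads the outer `err`, a StartTLS failure hands the caller a still-plaintext connection with no error, and a DialTLS failure returns a nil `conn` with a nil error. The `ldap` branch also calls `conn.StartTLS` before the `Dial` error is checked. Declare `tlsConfig` up front, assign with `=`, and gate StartTLS on a successful dial; DialLDAP's signature and the enclosing switch begin outside the hunk.
```go
	case "ldap":
		// … unchanged: default port …
		conn, err = ldap.Dial("tcp", host+":"+port)
		if err == nil && c.StartTLS {
			var tlsConfig *tls.Config
			tlsConfig, err = c.GetTLSConfig(host)
			if err == nil {
				err = conn.StartTLS(tlsConfig)
			}
		}
	case "ldaps":
		// … unchanged: default port …
		var tlsConfig *tls.Config
		tlsConfig, err = c.GetTLSConfig(host)
		if err == nil {
			conn, err = ldap.DialTLS("tcp", host+":"+port, tlsConfig)
		}
```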


@ -90,7 +90,9 @@ $ vault write auth/ldap/config url="ldap://ldap.forumsys.com" \
userattr=uid \ userattr=uid \
userdn="dc=example,dc=com" \ userdn="dc=example,dc=com" \
groupdn="dc=example,dc=com" \ groupdn="dc=example,dc=com" \
certificate=@ldap_ca_cert.pem \
insecure_tls=false \ insecure_tls=false \
starttls=true
... ...
``` ```