Feat/ldap certificate connexion (#92)

* Give the way to connect against LDAP server with certificate and key * fix(ldap) Update cert variable name In order to be more explicit Co-authored-by: Alexis Aurin <alexis@so6.pw>
2025-02-26 05:49:14 +00:00 · 2022-03-15 22:46:00 +01:00 · 2022-03-15 22:46:00 +01:00 · cc50fcf8e6
commit cc50fcf8e6
parent 5d4d06db81
4 changed files with 75 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -156,6 +156,9 @@ The following configuration options are available:
 | LDAP_ATTR_LASTNAME         | attrLastname            | ldap        | sn                                              | User lastname attribute.                                                                                 |
 | LDAP_ATTR_PHONE            | attrPhone               | ldap        | telephoneNumber                                 | User phone number attribute.                                                                                 |
 | LDAP_ATTR_GROUPS           | attrGroups              | ldap        | memberOf                                        | User groups attribute.                                                                                 |
+| LDAP_CERT_CONN             | ldapCertConn            | ldap        | false                                           | Allow connection with certificate against LDAP server without user/password                            |
+| LDAPTLS_CERT               | ldapTlsCert             | ldap        |                                                 | The LDAP cert's path                                                                                   |
+| LDAPTLS_KEY                | ldapTlsKey              | ldap        |                                                 | The LDAP key's path                                                                                    |
 | LOG_LEVEL                  |                         |             | debug                                           | Specify log level, one of: trace, debug, info, off.                                                                                       |
 | LOG_JSON                   |                         |             | false                                           | Format log output as JSON.                                                                                      |
 | LOG_COLOR                  |                         |             | true                                            | Colorize log output.                                                                                    |
--- a/internal/authentication/providers/ldap/provider.go
+++ b/internal/authentication/providers/ldap/provider.go
@ -2,6 +2,7 @@ package ldap

 import (
 	"crypto/tls"
+	"io/ioutil"
 	"strings"

 	"github.com/gin-gonic/gin"
@ -154,7 +155,33 @@ func (provider Provider) GetUserModel(ctx *authentication.AuthContext) (*authent
 }

 func (provider Provider) open() (*ldap.Conn, error) {
-	tlsConfig := &tls.Config{InsecureSkipVerify: !provider.config.CertValidation}
+	var tlsConfig *tls.Config
+
+	if provider.config.LdapCertConn {
+
+		cert_plain, err := ioutil.ReadFile(provider.config.LdapTlsCert)
+		if err != nil {
+			return nil, errors.WithMessage(err, "failed to load the certificate")
+
+		}
+
+		key, err := ioutil.ReadFile(provider.config.LdapTlsKey)
+		if err != nil {
+			return nil, errors.WithMessage(err, "failed to load the key")
+		}
+
+		cert_x509, err := tls.X509KeyPair(cert_plain, key)
+		if err != nil {
+			return nil, errors.WithMessage(err, "failed X509")
+
+		}
+		tlsConfig = &tls.Config{Certificates: []tls.Certificate{cert_x509}}
+
+	} else {
+
+		tlsConfig = &tls.Config{InsecureSkipVerify: !provider.config.CertValidation}
+	}
+
 	conn, err := ldap.DialURL(provider.config.URL, ldap.DialWithTLSConfig(tlsConfig))
 	if err != nil {
 		return nil, errors.WithMessage(err, "failed to connect to LDAP")
--- a/internal/ldap/config.go
+++ b/internal/ldap/config.go
@ -4,7 +4,6 @@ import (
 	gldap "github.com/go-ldap/ldap/v3"
 )

-
 type Type string

 const (
@ -30,4 +29,7 @@ type Config struct {
 	SyncFilter      string    `yaml:"syncFilter" envconfig:"LDAP_SYNC_FILTER"`
 	AdminLdapGroup  string    `yaml:"adminGroup" envconfig:"LDAP_ADMIN_GROUP"` // Members of this group receive admin rights in WG-Portal
 	AdminLdapGroup_ *gldap.DN `yaml:"-"`
+	LdapCertConn    bool      `yaml:"ldapCertConn" envconfig:"LDAP_CERT_CONN"`
+	LdapTlsCert     string    `yaml:"ldapTlsCert" envconfig:"LDAPTLS_CERT"`
+	LdapTlsKey      string    `yaml:"ldapTlsKey" envconfig:"LDAPTLS_KEY"`
 }
--- a/internal/ldap/ldap.go
+++ b/internal/ldap/ldap.go
@ -2,6 +2,7 @@ package ldap

 import (
 	"crypto/tls"
+	"io/ioutil"

 	"github.com/go-ldap/ldap/v3"
 	"github.com/pkg/errors"
@ -14,7 +15,33 @@ type RawLdapData struct {
 }

 func Open(cfg *Config) (*ldap.Conn, error) {
-	tlsConfig := &tls.Config{InsecureSkipVerify: !cfg.CertValidation}
+	var tlsConfig *tls.Config
+
+	if cfg.LdapCertConn {
+
+		cert_plain, err := ioutil.ReadFile(cfg.LdapTlsCert)
+		if err != nil {
+			return nil, errors.WithMessage(err, "failed to load the certificate")
+
+		}
+
+		key, err := ioutil.ReadFile(cfg.LdapTlsKey)
+		if err != nil {
+			return nil, errors.WithMessage(err, "failed to load the key")
+		}
+
+		cert_x509, err := tls.X509KeyPair(cert_plain, key)
+		if err != nil {
+			return nil, errors.WithMessage(err, "failed X509")
+
+		}
+		tlsConfig = &tls.Config{Certificates: []tls.Certificate{cert_x509}}
+
+	} else {
+
+		tlsConfig = &tls.Config{InsecureSkipVerify: !cfg.CertValidation}
+	}
+
 	conn, err := ldap.DialURL(cfg.URL, ldap.DialWithTLSConfig(tlsConfig))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to connect to LDAP")