Commit 4cebf38f by Marcus Efraimsson Committed by GitHub

Merge pull request #12807 from nyxi/master

Support client certificates for LDAP servers
parents 39669e50 5bea54ea
...@@ -15,6 +15,9 @@ start_tls = false ...@@ -15,6 +15,9 @@ start_tls = false
ssl_skip_verify = false ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults # set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt" # root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
# Search user bind dn # Search user bind dn
bind_dn = "cn=admin,dc=grafana,dc=org" bind_dn = "cn=admin,dc=grafana,dc=org"
...@@ -40,6 +40,9 @@ start_tls = false ...@@ -40,6 +40,9 @@ start_tls = false
ssl_skip_verify = false ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults # set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt" # root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
# Search user bind dn # Search user bind dn
bind_dn = "cn=admin,dc=grafana,dc=org" bind_dn = "cn=admin,dc=grafana,dc=org"
...@@ -59,6 +59,13 @@ func (a *ldapAuther) Dial() error { ...@@ -59,6 +59,13 @@ func (a *ldapAuther) Dial() error {
} }
} }
} }
var clientCert tls.Certificate
if a.server.ClientCert != "" && a.server.ClientKey != "" {
clientCert, err = tls.LoadX509KeyPair(a.server.ClientCert, a.server.ClientKey)
if err != nil {
return err
}
}
for _, host := range strings.Split(a.server.Host, " ") { for _, host := range strings.Split(a.server.Host, " ") {
address := fmt.Sprintf("%s:%d", host, a.server.Port) address := fmt.Sprintf("%s:%d", host, a.server.Port)
if a.server.UseSSL { if a.server.UseSSL {
...@@ -67,6 +74,9 @@ func (a *ldapAuther) Dial() error { ...@@ -67,6 +74,9 @@ func (a *ldapAuther) Dial() error {
ServerName: host, ServerName: host,
RootCAs: certPool, RootCAs: certPool,
} }
if len(clientCert.Certificate) > 0 {
tlsCfg.Certificates = append(tlsCfg.Certificates, clientCert)
}
if a.server.StartTLS { if a.server.StartTLS {
a.conn, err = ldap.Dial("tcp", address) a.conn, err = ldap.Dial("tcp", address)
if err == nil { if err == nil {
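Review bot: Setting only one of client_cert/client_key is silently ignored by the `&&` guard at the top of the first hunk, so a typo in either path makes Dial connect without a client certificate instead of failing, and the operator only finds out when the server rejects the bind. The two values should be validated as a pair, and the LoadX509KeyPair error should carry which files were involved, since the bare error returned here does not name them. The enclosing Dial starts and ends outside the hunk; `err` is assigned with `=`, so it is presumably declared earlier in the function. The second hunk (appending to tlsCfg.Certificates only when a certificate was loaded) is fine as written.
```go
// … unchanged: root CA pool setup …
var clientCert tls.Certificate
if (a.server.ClientCert != "") != (a.server.ClientKey != "") {
	return fmt.Errorf("ldap: client_cert and client_key must both be set or both be left empty")
}
if a.server.ClientCert != "" {
	clientCert, err = tls.LoadX509KeyPair(a.server.ClientCert, a.server.ClientKey)
	if err != nil {
		return fmt.Errorf("ldap: loading client certificate %q with key %q: %v", a.server.ClientCert, a.server.ClientKey, err)
	}
}
for _, host := range strings.Split(a.server.Host, " ") {
// … unchanged: per-host dial loop …
```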
...@@ -21,6 +21,8 @@ type LdapServerConf struct { ...@@ -21,6 +21,8 @@ type LdapServerConf struct {
StartTLS bool `toml:"start_tls"` StartTLS bool `toml:"start_tls"`
SkipVerifySSL bool `toml:"ssl_skip_verify"` SkipVerifySSL bool `toml:"ssl_skip_verify"`
RootCACert string `toml:"root_ca_cert"` RootCACert string `toml:"root_ca_cert"`
ClientCert string `toml:"client_cert"`
ClientKey string `toml:"client_key"`
BindDN string `toml:"bind_dn"` BindDN string `toml:"bind_dn"`
BindPassword string `toml:"bind_password"` BindPassword string `toml:"bind_password"`
Attr LdapAttributeMap `toml:"attributes"` Attr LdapAttributeMap `toml:"attributes"`
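Review bot: The two new fields ClientCert and ClientKey carry no doc comment, yet their format and handling matter operationally; suggest `// ClientCert and ClientKey are paths to a PEM-encoded client certificate and its matching private key, presented to the LDAP server only when both are set.` The comment should also say the key file must be unencrypted, because tls.LoadX509KeyPair (used by the Dial change in this commit) does not accept password-protected keys, and that the key file should be readable only by the Grafana process user. The LdapServerConf struct begins outside the hunk.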