Support client certificates for LDAP servers

5bea54ea · Emil Flink · bda49fca · 5bea54ea · 5bea54ea · 5bea54ea
Commit 5bea54ea authored Aug 03, 2018 by Emil Flink
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 0 deletions

conf/ldap.toml
+3 -0

docs/sources/installation/ldap.md
+3 -0

pkg/login/ldap.go
+10 -0

pkg/login/ldap_settings.go
+2 -0

No files found.
--- a/conf/ldap.toml
+++ b/conf/ldap.toml
@@ -15,6 +15,9 @@ start_tls = false
 ssl_skip_verify = false
 # set to the path to your root CA certificate or leave unset to use system defaults
 # root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"

 # Search user bind dn
 bind_dn = "cn=admin,dc=grafana,dc=org"

--- a/docs/sources/installation/ldap.md
+++ b/docs/sources/installation/ldap.md
@@ -40,6 +40,9 @@ start_tls = false
 ssl_skip_verify = false
 # set to the path to your root CA certificate or leave unset to use system defaults
 # root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"

 # Search user bind dn
 bind_dn = "cn=admin,dc=grafana,dc=org"

--- a/pkg/login/ldap.go
+++ b/pkg/login/ldap.go
@@ -59,6 +59,13 @@ func (a *ldapAuther) Dial() error {
 			}
 		}
 	}
+	var clientCert tls.Certificate
+	if a.server.ClientCert != "" && a.server.ClientKey != "" {
+		clientCert, err = tls.LoadX509KeyPair(a.server.ClientCert, a.server.ClientKey)
+		if err != nil {
+			return err
+		}
+	}
 	for _, host := range strings.Split(a.server.Host, " ") {
 		address := fmt.Sprintf("%s:%d", host, a.server.Port)
 		if a.server.UseSSL {
@@ -67,6 +74,9 @@ func (a *ldapAuther) Dial() error {
 				ServerName:         host,
 				RootCAs:            certPool,
 			}
+			if len(clientCert.Certificate) > 0 {
+				tlsCfg.Certificates = append(tlsCfg.Certificates, clientCert)
+			}
 			if a.server.StartTLS {
 				a.conn, err = ldap.Dial("tcp", address)
 				if err == nil {

--- a/pkg/login/ldap_settings.go
+++ b/pkg/login/ldap_settings.go
@@ -21,6 +21,8 @@ type LdapServerConf struct {
 	StartTLS      bool             `toml:"start_tls"`
 	SkipVerifySSL bool             `toml:"ssl_skip_verify"`
 	RootCACert    string           `toml:"root_ca_cert"`
+	ClientCert    string           `toml:"client_cert"`
+	ClientKey     string           `toml:"client_key"`
 	BindDN        string           `toml:"bind_dn"`
 	BindPassword  string           `toml:"bind_password"`
 	Attr          LdapAttributeMap `toml:"attributes"`