Switch to the ldap.DialURL function and introduce an option for TLS v…

…erification Currently we're using ldap.Dial which offers only the option to use plain LDAP. Using the new DialURL offers a way to pass full URIs, with the library taking care using TLS or not depending on the schema provided. This commit also introduced an option to disable TLS certificate verification when LDAPS is being used.
criteo · Jan 4, 2023 · 5d9fd80 · 5d9fd80
1 parent 6364fff
commit 5d9fd80
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/cmd/haproxy-spoe-auth/main.go b/cmd/haproxy-spoe-auth/main.go
@@ -51,6 +51,7 @@ func main() {
 			Password:   viper.GetString("ldap.password"),
 			BaseDN:     viper.GetString("ldap.base_dn"),
 			UserFilter: viper.GetString("ldap.user_filter"),
+			VerifyTLS:  viper.GetBool("ldap.verify_tls"),
 		})
 		authenticators["try-auth-ldap"] = ldapAuthentifier
 	}

diff --git a/internal/auth/authenticator_ldap.go b/internal/auth/authenticator_ldap.go
@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"crypto/tls"
 	"encoding/base64"
 	"fmt"
 	"strings"
@@ -18,6 +19,7 @@ type LDAPConnectionDetails struct {
 	Password   string
 	BaseDN     string
 	UserFilter string
+	VerifyTLS  bool
 }
 
 // LDAPAuthenticator is the LDAP implementation of the Authenticator interface
@@ -33,7 +35,8 @@ func NewLDAPAuthenticator(options LDAPConnectionDetails) *LDAPAuthenticator {
 }
 
 func verifyCredentials(ldapDetails *LDAPConnectionDetails, username, password, group string) error {
-	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapDetails.Hostname, ldapDetails.Port))
+	l, err := ldap.DialURL(fmt.Sprintf("%s:%d", ldapDetails.Hostname, ldapDetails.Port),
+		ldap.DialWithTLSConfig(&tls.Config{InsecureSkipVerify: !ldapDetails.VerifyTLS}))
 	if err != nil {
 		return err
 	}

diff --git a/resources/configuration/config.yml b/resources/configuration/config.yml
@@ -6,9 +6,11 @@ server:
 
 # If set, the LDAP authenticator is enabled
 ldap:
-  # The hostname an port to the ldap server
-  hostname: ldap
+  # The URI and port to the ldap server
+  hostname: ldap://ldap
   port: 389
+  # In case of an ldaps connection, verify the TLS certificate of the server
+  verify_tls: true
   # The DN and password of the user to bind with in order to perform the search query to find the user
   user_dn: cn=admin,dc=example,dc=com
   password: password