Add support for SSL AD connections using LDAPUseSSL option

TykTechnologies · Nov 21, 2017 · 88e7635 · 88e7635
1 parent e3ef809
commit 88e7635
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -233,6 +233,7 @@ The file is JSON object which is essentially a list of objects:
 	"ProviderConfig": {
 		"FailureRedirect": "http://yourdomain.com/failure-url",
 		"LDAPAttributes": [],
+		"LDAPUseSsl": false,
 		"LDAPBaseDN": "cn=dashboard,ou=Group,dc=ldap,dc=tyk-test,dc=com",
 		"LDAPEmailAttribute": "mail",
 		"LDAPSearchScope": 2,
@@ -468,6 +469,7 @@ The LDAP Identity Provider is experimental currently and provides limited functi
 	"ID": "4",
 	"OrgID": "{YOUR-ORG-ID}",
 	"ProviderConfig": {
+	    "LDAPUseSSL": false,
 		"FailureRedirect": "http://http://{DASH-DOMAIN}:{DASH-PORT}/?fail=true",
 		"LDAPAttributes": [],
 		"LDAPPort": "389",
@@ -510,6 +512,7 @@ LDAP requires little configuration, we can use the same provider config above, w
 	"ProviderConfig": {
 		"FailureRedirect": "http://{PORTAL-DOMAIN}:{PORTAL-PORT}/portal/login/",
 		"LDAPAttributes": [],
+		"LDAPUseSSL": false,
 		"LDAPPort": "389",
 		"LDAPServer": "localhost",
 		"LDAPUserDN": "cn=*USERNAME*,cn=dashboard,ou=Group,dc=test-ldap,dc=tyk,dc=io"
@@ -549,6 +552,7 @@ The configuration below will take a request that is posted to TIB, authenticate
 	"ProviderConfig": {
 		"FailureRedirect": "http://{APP-DOMAIN}:{PORT}/failure",
 		"LDAPAttributes": [],
+		"LDAPUseSSL": false,
 		"LDAPPort": "389",
 		"LDAPServer": "localhost",
 		"LDAPUserDN": "cn=*USERNAME*,cn=dashboard,ou=Group,dc=ldap,dc=tyk-ldap-test,dc=com"
@@ -694,6 +698,7 @@ Authorization: test-secret
 			"ProviderConfig": {
 				"FailureRedirect": "http://{APP-DOMAIN}:{PORT}/failure",
 				"LDAPAttributes": [],
+				"LDAPUseSSL": false,
 				"LDAPPort": "389",
 				"LDAPServer": "localhost",
 				"LDAPUserDN": "cn=*USERNAME*,cn=dashboard,ou=Group,dc=ldap,dc=tyk-ldap-test,dc=com"

diff --git a/providers/active_directory.go b/providers/active_directory.go
@@ -3,6 +3,7 @@ extending TAP to use more providers, add them to this section */
 package providers
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -28,6 +29,7 @@ type ADProvider struct {
 
 // ADConfig is the configuration object for an LDAP connector
 type ADConfig struct {
+	LDAPUseSSL          bool
 	LDAPServer          string
 	LDAPPort            string
 	LDAPUserDN          string
@@ -64,7 +66,15 @@ func (s *ADProvider) connect() {
 	var err error
 	sName := fmt.Sprintf("%s:%s", s.config.LDAPServer, s.config.LDAPPort)
 	log.Debug(ADProviderLogTag+" --> To: ", sName)
-	s.connection, err = ldap.Dial("tcp", sName)
+	if s.config.LDAPUseSSL {
+		tlsconfig := &tls.Config{
+			ServerName: s.config.LDAPServer,
+		}
+		s.connection, err = ldap.DialTLS("tcp", sName, tlsconfig)
+	} else {
+		s.connection, err = ldap.Dial("tcp", sName)
+	}
+
 	if err != nil {
 		log.Error(ADProviderLogTag+" Failed to dial: ", err)
 		return