Allow to add trusted certificates for LDAP

This add a new configparameter "cacert" to allow to add trusted CAs and Server Certificates for the LDAP connections. This allows us to avoid using "insecure" when running against self-signed certificates. (As e.g. issued for glauth by default)
cs3org · Sep 13, 2021 · b07fb10 · b07fb10
1 parent 7574c62
commit b07fb10
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/pkg/utils/ldap.go b/pkg/utils/ldap.go
@@ -19,17 +19,32 @@ package utils
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 
 	"github.com/go-ldap/ldap/v3"
+	"github.com/pkg/errors"
 )
 
 type LDAPConn struct {
 	Hostname string `mapstructure:"hostname"`
 	Port     int    `mapstructure:"port"`
 	Insecure bool   `mapstructure:"insecure"`
+	CACert   string `mapstructure:"cacert"`
 }
 
 func GetLDAPConnection(c *LDAPConn) (*ldap.Conn, error) {
-	return ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", c.Hostname, c.Port), &tls.Config{InsecureSkipVerify: c.Insecure})
+	tlsconfig := &tls.Config{InsecureSkipVerify: c.Insecure}
+
+	if !c.Insecure && c.CACert != "" {
+		if pemBytes, err := ioutil.ReadFile(c.CACert); err == nil {
+			rpool, _ := x509.SystemCertPool()
+			rpool.AppendCertsFromPEM(pemBytes)
+			tlsconfig.RootCAs = rpool
+		} else {
+			return nil, errors.Wrapf(err, "Error reading LDAP CA Cert '%s.'", c.CACert)
+		}
+	}
+	return ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", c.Hostname, c.Port), tlsconfig)
 }