Allow reva to use safer TLS defaults for LDAP

changelog/unreleased/reva-ldap-tls.md

@@ -0,0 +1,10 @@
+Enhancement: TLS config options for ldap in reva
+
+We added the new config options "ldap-cacert" and "ldap-insecure" to the auth-,
+users- and groups-provider services to be able to do proper TLS configuration
+for the LDAP clients. "ldap-cacert" is by default configured to add the bundled
+glauth LDAP servers certificate to the trusted set for the LDAP clients.
+"ldap-insecure" is set to "false" by default and can be used to disable
+certificate checks (only advisable for development and test enviroments).
+
+https://github.com/owncloud/ocis/pull/2492

storage/pkg/command/authbasic.go

@@ -114,6 +114,8 @@ func authBasicConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 						"ldap": map[string]interface{}{
 							"hostname":      cfg.Reva.LDAP.Hostname,
 							"port":          cfg.Reva.LDAP.Port,
+							"cacert":        cfg.Reva.LDAP.CACert,
+							"insecure":      cfg.Reva.LDAP.Insecure,
 							"base_dn":       cfg.Reva.LDAP.BaseDN,
 							"loginfilter":   cfg.Reva.LDAP.LoginFilter,
 							"bind_username": cfg.Reva.LDAP.BindDN,

storage/pkg/command/groups.go

@@ -118,6 +118,8 @@ func groupsConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inter
 						"ldap": map[string]interface{}{
 							"hostname":        cfg.Reva.LDAP.Hostname,
 							"port":            cfg.Reva.LDAP.Port,
+							"cacert":          cfg.Reva.LDAP.CACert,
+							"insecure":        cfg.Reva.LDAP.Insecure,
 							"base_dn":         cfg.Reva.LDAP.BaseDN,
 							"groupfilter":     cfg.Reva.LDAP.GroupFilter,
 							"attributefilter": cfg.Reva.LDAP.GroupAttributeFilter,

storage/pkg/command/users.go

@@ -121,6 +121,8 @@ func usersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]interf
 						"ldap": map[string]interface{}{
 							"hostname":        cfg.Reva.LDAP.Hostname,
 							"port":            cfg.Reva.LDAP.Port,
+							"cacert":          cfg.Reva.LDAP.CACert,
+							"insecure":        cfg.Reva.LDAP.Insecure,
 							"base_dn":         cfg.Reva.LDAP.BaseDN,
 							"userfilter":      cfg.Reva.LDAP.UserFilter,
 							"attributefilter": cfg.Reva.LDAP.UserAttributeFilter,

storage/pkg/config/config.go

@@ -332,6 +332,8 @@ type OIDC struct {
 type LDAP struct {
 	Hostname             string
 	Port                 int
+	CACert               string
+	Insecure             bool
 	BaseDN               string
 	LoginFilter          string
 	UserFilter           string

storage/pkg/flagset/ldap.go

@@ -1,8 +1,11 @@
 package flagset
 
 import (
+	"path"
+
 	"github.com/micro/cli/v2"
 	"github.com/owncloud/ocis/ocis-pkg/flags"
+	pkgos "github.com/owncloud/ocis/ocis-pkg/os"
 	"github.com/owncloud/ocis/storage/pkg/config"
 )
 
@@ -23,6 +26,20 @@ func LDAPWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"STORAGE_LDAP_PORT"},
 			Destination: &cfg.Reva.LDAP.Port,
 		},
+		&cli.StringFlag{
+			Name:        "ldap-cacert",
+			Value:       flags.OverrideDefaultString(cfg.Reva.LDAP.CACert, path.Join(pkgos.MustUserConfigDir("ocis", "ldap"), "ldap.crt")),
+			Usage:       "Path to a trusted Certificate file (in PEM format) for the LDAP Connection",
+			EnvVars:     []string{"STORAGE_LDAP_CACERT"},
+			Destination: &cfg.Reva.LDAP.CACert,
+		},
+		&cli.BoolFlag{
+			Name:        "ldap-insecure",
+			Value:       flags.OverrideDefaultBool(cfg.Reva.LDAP.Insecure, false),
+			Usage:       "Disable TLS certificate and hostname validation",
+			EnvVars:     []string{"STORAGE_LDAP_INSECURE"},
+			Destination: &cfg.Reva.LDAP.Insecure,
+		},
 		&cli.StringFlag{
 			Name:        "ldap-base-dn",
 			Value:       flags.OverrideDefaultString(cfg.Reva.LDAP.BaseDN, "dc=example,dc=org"),