From 37f198d5e8aea9cd6f4b7a1d6639c7e3aff96947 Mon Sep 17 00:00:00 2001
From: Mihai Doarna
Date: Thu, 8 Aug 2024 15:29:00 +0300
Subject: [PATCH] LDAP: Add guide on how to configure LDAP with TLS (#91686)

add guide on how to configure LDAP with TLS
---
 .gitignore | 1 +
 devenv/docker/blocks/auth/openldap/README.md | 40 ++++++++++++++++++-
 .../blocks/auth/openldap/docker-compose.yaml | 5 +++
 3 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 1c322725e58..f289c47dced 100644
--- a/.gitignore
+++ b/.gitignore
@@ -87,6 +87,7 @@ example-apiserver/
 /devenv/docker/blocks/tempo/tempo-data/
 /devenv/docker/ha-test-unified-alerting/logs/webhook/dumps/
 /devenv/docker/ha-test-unified-alerting/logs/webhook/webhook-listener.log
+/devenv/docker/blocks/auth/openldap/certs/
 conf/custom.ini
diff --git a/devenv/docker/blocks/auth/openldap/README.md b/devenv/docker/blocks/auth/openldap/README.md
index b02e4cb84e0..ee86f0daab4 100644
--- a/devenv/docker/blocks/auth/openldap/README.md
+++ b/devenv/docker/blocks/auth/openldap/README.md
@@ -53,4 +53,42 @@ The default configuration between Grafana and the OpenLDAP container is configur
 - admins
 - ldap-posix-admin
 - no groups
- - ldap-posix
\ No newline at end of file
+ - ldap-posix
+
+## Configure LDAP with TLS
+
+After the `openldap` container has been deployed, you have to copy the CA from the docker container:
+```bash
+# get the container ID
+docker ps
+
+docker cp CONTAINER-ID:"/container/service/:ssl-tools/assets/default-ca/default-ca.pem" devenv/docker/blocks/auth/openldap/certs
+```
+
+To configure TLS you need the following lines in the .toml file under the `[[servers]]` section:
+
+```ini
+tls_ciphers = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
+min_tls_version = "TLS1.2"
+ssl_skip_verify = true
+root_ca_cert = "devenv/docker/blocks/auth/openldap/certs/default-ca.pem"
+client_cert = "devenv/docker/blocks/auth/openldap/certs/ldap.crt"
+client_key = "devenv/docker/blocks/auth/openldap/certs/ldap.key"
+```
+
+For simplicity, the same private key is shared between the server and the client. To generate your own private keys and certificates please follow this guide: https://enlook.wordpress.com/2015/09/30/howto-generate-certificate-for-openldap-and-using-it-for-certificate-authentication/.
+ - To connect over LDAPS include this config:
+ ```ini
+port = 636
+use_ssl = true
+start_tls = false
+```
+- To connect with STARTTLS use this config:
+
+```ini
+port = 389
+use_ssl = true
+start_tls = true
+```
diff --git a/devenv/docker/blocks/auth/openldap/docker-compose.yaml b/devenv/docker/blocks/auth/openldap/docker-compose.yaml
index 9f813e598c4..383f96c9336 100644
--- a/devenv/docker/blocks/auth/openldap/docker-compose.yaml
+++ b/devenv/docker/blocks/auth/openldap/docker-compose.yaml
@@ -6,9 +6,14 @@
 LDAP_DOMAIN: grafana.org
 LDAP_ADMIN_PASSWORD: grafana
 LDAP_SEED_INTERNAL_LDIF_PATH: /tmp/smt/
+ LDAP_TLS_CRT_FILENAME: ldap.crt
+ LDAP_TLS_KEY_FILENAME: ldap.key
+ LDAP_TLS_CA_CRT_FILENAME: ca.crt
+ LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
 ports:
 - 389:389
 - 636:636
 restart: unless-stopped
 volumes:
 - ./docker/blocks/auth/openldap/prepopulate/:/tmp/smt/
+ - ./docker/blocks/auth/openldap/certs/:/container/service/slapd/assets/certs/
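Review bot: The certs volume added on the last line of the hunk is mounted read-write, so the slapd container can write into the host directory that also holds `ldap.key`; the container only needs to read these files, so mount it read-only: `- ./docker/blocks/auth/openldap/certs/:/container/service/slapd/assets/certs/:ro`. The three `LDAP_TLS_*_FILENAME` variables name `ldap.crt`, `ldap.key` and `ca.crt`, but nothing in this file says where those files come from, and the README hunk in the same commit tells the reader to copy `default-ca.pem` out of the running container, which is a different name; a short comment above these variables stating whether the files are expected to be generated by the image on first start or supplied by the developer would remove that ambiguity (I am inferring the image-generated case, so please confirm). Note also that the Grafana-side snippet in the README sets `ssl_skip_verify = true` next to `root_ca_cert`, which makes the CA this file provisions irrelevant for verification; for a TLS how-to the example should show `ssl_skip_verify = false` once the CA has been copied, with the skip option mentioned only as a last-resort debugging toggle. The `environment:` block this hunk modifies starts above the hunk.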