
Allow user specified CA certs

Signed-off-by: Alex Bligh <alex@alex.org.uk>
Alex Bligh 10 years ago
parent
commit
458e6da700
3 changed files with 19 additions and 0 deletions
  1. 2 0
      conf/ldap.toml
  2. 16 0
      pkg/login/ldap.go
  3. 1 0
      pkg/login/settings.go

+ 2 - 0
conf/ldap.toml

@@ -10,6 +10,8 @@ port = 389
 use_ssl = false
 # set to true if you want to skip ssl cert validation
 ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = /path/to/certificate.crt
 
 # Search user bind dn
 bind_dn = "cn=admin,dc=grafana,dc=org"
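Review bot: The new comment above `root_ca_cert` describes a single path, but pkg/login/ldap.go in this same commit splits the value on spaces, so several files can be listed and a path containing a space cannot be used; the comment should say so, e.g. `# set to the path(s) of your root CA certificate(s), space separated (paths may not contain spaces), or leave unset to use system defaults`. The example value is also unquoted, which is not a valid TOML string once the line is uncommented; `# root_ca_cert = "/path/to/certificate.crt"` matches the quoting used by `bind_dn` below.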

+ 16 - 0
pkg/login/ldap.go

@@ -2,8 +2,10 @@ package login
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"strings"
 
 	"github.com/davecgh/go-spew/spew"
@@ -25,12 +27,26 @@ func NewLdapAuthenticator(server *LdapServerConf) *ldapAuther {
 
 func (a *ldapAuther) Dial() error {
 	var err error
+	var certPool *x509.CertPool
+	if a.server.RootCACert != "" {
+		certPool := x509.NewCertPool()
+		for _, caCertFile := range strings.Split(a.server.RootCACert, " ") {
+			if pem, err := ioutil.ReadFile(caCertFile); err != nil {
+				return err
+			} else {
+				if !certPool.AppendCertsFromPEM(pem) {
+					return errors.New("Failed to append CA certficate " + caCertFile)
+				}
+			}
+		}
+	}
 	for _, host := range strings.Split(a.server.Host, " ") {
 		address := fmt.Sprintf("%s:%d", host, a.server.Port)
 		if a.server.UseSSL {
 			tlsCfg := &tls.Config{
 				InsecureSkipVerify: a.server.SkipVerifySSL,
 				ServerName:         host,
+				RootCAs:            certPool,
 			}
 			a.conn, err = ldap.DialTLS("tcp", address, tlsCfg)
 		} else {
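Review bot: `certPool := x509.NewCertPool()` inside the `if a.server.RootCACert != ""` block declares a new variable that shadows the `certPool` declared two lines above it, so the outer one is still nil when it reaches `RootCAs: certPool`; the configured CA files are read and checked but never used, and verification silently falls back to the system roots. The fix is `certPool = x509.NewCertPool()` on that line. With a private CA the only symptom is a TLS handshake error at bind time, which an operator may be tempted to silence with `ssl_skip_verify = true`, so a test that dials with a pool built from a test CA would catch this regression. Separately, the error string misspells "certificate" (`"Failed to append CA certficate "`) and the `else` after `return err` can be dropped so the happy path is left-aligned. Dial's body continues past the end of the hunk.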

+ 1 - 0
pkg/login/settings.go

@@ -19,6 +19,7 @@ type LdapServerConf struct {
 	Port          int              `toml:"port"`
 	UseSSL        bool             `toml:"use_ssl"`
 	SkipVerifySSL bool             `toml:"ssl_skip_verify"`
+	RootCACert    string           `toml:"root_ca_cert"`
 	BindDN        string           `toml:"bind_dn"`
 	BindPassword  string           `toml:"bind_password"`
 	Attr          LdapAttributeMap `toml:"attributes"`