feat(ldap): added config options for ssl skip verify, and ssl server name, #1450

2024-11-22 08:56:43 -06:00 · 2015-07-16 11:57:59 +02:00 · 2015-07-16 11:57:59 +02:00 · 9afdea8d2a
commit 9afdea8d2a
parent a065f93777
4 changed files with 22 additions and 7 deletions
--- a/conf/ldap.toml
+++ b/conf/ldap.toml
@ -8,6 +8,10 @@ host = "127.0.0.1"
 port = 389
 # Set to true if ldap server supports TLS
 use_ssl = false
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = false
+# if cert validation is enabled, provide ldap cert server name
+ssl_server_name = ""

 # Search user bind dn
 bind_dn = "cn=admin,dc=grafana,dc=org"
--- a/docs/sources/installation/ldap.md
+++ b/docs/sources/installation/ldap.md
@ -27,6 +27,10 @@ host = "127.0.0.1"
 port = 389
 # Set to true if ldap server supports TLS
 use_ssl = false
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = false
+# if cert validation is enabled, provide ldap cert server name
+ssl_server_name = ""

 # Search user bind dn
 bind_dn = "cn=admin,dc=grafana,dc=org"
--- a/pkg/login/ldap.go
+++ b/pkg/login/ldap.go
@ -1,6 +1,7 @@
 package login

 import (
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"strings"
@ -25,7 +26,11 @@ func (a *ldapAuther) Dial() error {
 	address := fmt.Sprintf("%s:%d", a.server.Host, a.server.Port)
 	var err error
 	if a.server.UseSSL {
-		a.conn, err = ldap.DialTLS("tcp", address, nil)
+		tlsCfg := &tls.Config{
+			InsecureSkipVerify: a.server.SkipVerifySSL,
+			ServerName:         a.server.CertServerName,
+		}
+		a.conn, err = ldap.DialTLS("tcp", address, tlsCfg)
 	} else {
 		a.conn, err = ldap.Dial("tcp", address)
 	}
--- a/pkg/login/settings.go
+++ b/pkg/login/settings.go
@ -13,12 +13,14 @@ type LdapConfig struct {
 }

 type LdapServerConf struct {
-	Host         string           `toml:"host"`
-	Port         int              `toml:"port"`
-	UseSSL       bool             `toml:"use_ssl"`
-	BindDN       string           `toml:"bind_dn"`
-	BindPassword string           `toml:"bind_password"`
-	Attr         LdapAttributeMap `toml:"attributes"`
+	Host           string           `toml:"host"`
+	Port           int              `toml:"port"`
+	UseSSL         bool             `toml:"use_ssl"`
+	SkipVerifySSL  bool             `toml:"ssl_skip_verify"`
+	CertServerName string           `toml:"ssl_server_name"`
+	BindDN         string           `toml:"bind_dn"`
+	BindPassword   string           `toml:"bind_password"`
+	Attr           LdapAttributeMap `toml:"attributes"`

 	SearchFilter  string   `toml:"search_filter"`
 	SearchBaseDNs []string `toml:"search_base_dns"`