Merge pull request #1278 from veily/master

Support used self-signed certificates LDAP.

Merge pull request #1278 from veily/master
Support used self-signed certificates LDAP.
ff70c045 · Stephan Renatus · GitHub · 316acbee · 317f433a · ff70c045
Unverified Commit ff70c045 authored Sep 22, 2018 by Stephan Renatus Committed by GitHub Sep 22, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 2 deletions

ldap.go connector/ldap/ldap.go +12 -2

No files found.
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -69,7 +69,10 @@ type Config struct {
 	// Path to a trusted root certificate file.
 	RootCA string `json:"rootCA"`
+	// Path to a client cert file generated by rootCA.
+	ClientCert string `json:"clientCert"`
+	// Path to a client private key file generated by rootCA.
+	ClientKey string `json:"clientKey"`
 	// Base64 encoded PEM data containing root CAs.
 	RootCAData []byte `json:"rootCAData"`
@@ -104,7 +107,6 @@ type Config struct {
 		IDAttr    string `json:"idAttr"`    // Defaults to "uid"
 		EmailAttr string `json:"emailAttr"` // Defaults to "mail"
 		NameAttr  string `json:"nameAttr"`  // No default.
 	} `json:"userSearch"`
 	// Group search configuration.
@@ -226,6 +228,14 @@ func (c *Config) openConnector(logger logrus.FieldLogger) (*ldapConnector, error
 		}
 		tlsConfig.RootCAs = rootCAs
 	}
+	if c.ClientKey != "" && c.ClientCert != "" {
+		cert, err := tls.LoadX509KeyPair(c.ClientCert, c.ClientKey)
+		if err != nil {
+			return nil, fmt.Errorf("ldap: load client cert failed: %v", err)
+		}
+		tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
+	}
 	userSearchScope, ok := parseScope(c.UserSearch.Scope)
 	if !ok {
 		return nil, fmt.Errorf("userSearch.Scope unknown value %q", c.UserSearch.Scope)