Turn of "insecure" of built-in IDP

Setup idp to verify the LDAP server certificate. As this certificate might be generated on startup, this also moved the IDP to the "delayed" set of services. So it starts after "idm".
2026-01-02 02:11:18 -06:00 · 2022-03-16 12:40:57 +01:00
parent 1a38f3623c
commit 45f0940071
4 changed files with 9 additions and 3 deletions
--- a/extensions/idp/pkg/config/config.go
+++ b/extensions/idp/pkg/config/config.go
@@ -27,7 +27,8 @@ type Config struct {

 // Ldap defines the available LDAP configuration.
 type Ldap struct {
-	URI string `yaml:"uri" env:"LDAP_URI;IDP_LDAP_URI"`
+	URI       string `yaml:"uri" env:"LDAP_URI;IDP_LDAP_URI"`
+	TLSCACert string `yaml:"cacert" env:"LDAP_CACERT;IDP_LDAP_TLS_CACERT"`

 	BindDN       string `yaml:"bind_dn" env:"LDAP_BIND_DN;IDP_LDAP_BIND_DN"`
 	BindPassword string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;IDP_LDAP_BIND_PASSWORD"`
--- a/extensions/idp/pkg/config/defaults/defaultconfig.go
+++ b/extensions/idp/pkg/config/defaults/defaultconfig.go
@@ -42,7 +42,7 @@ func DefaultConfig() *config.Config {
 			SignedOutURI:                      "",
 			AuthorizationEndpointURI:          "",
 			EndsessionEndpointURI:             "",
-			Insecure:                          true,
+			Insecure:                          false,
 			TrustedProxy:                      nil,
 			AllowScope:                        nil,
 			AllowClientGuests:                 false,
@@ -69,6 +69,7 @@ func DefaultConfig() *config.Config {
 		},
 		Ldap: config.Ldap{
 			URI:               "ldaps://localhost:9235",
+			TLSCACert:         path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
 			BindDN:            "uid=idp,ou=sysusers,o=libregraph-idm",
 			BindPassword:      "idp",
 			BaseDN:            "ou=users,o=libregraph-idm",
--- a/extensions/idp/pkg/service/v0/service.go
+++ b/extensions/idp/pkg/service/v0/service.go
@@ -142,6 +142,10 @@ func initLicoInternalEnvVars(ldap *config.Ldap) error {
 		"LDAP_FILTER":              filter,
 	}

+	if ldap.TLSCACert != "" {
+		defaults["LDAP_TLS_CACERT"] = ldap.TLSCACert
+	}
+
 	for k, v := range defaults {
 		if err := os.Setenv(k, v); err != nil {
 			return fmt.Errorf("could not set env var %s=%s", k, v)
--- a/ocis/pkg/runtime/service/service.go
+++ b/ocis/pkg/runtime/service/service.go
@@ -112,7 +112,6 @@ func NewService(options ...Option) (*Service, error) {
 	s.ServicesRegistry["glauth"] = glauth.NewSutureService
 	s.ServicesRegistry["graph"] = graph.NewSutureService
 	s.ServicesRegistry["graph-explorer"] = graphExplorer.NewSutureService
-	s.ServicesRegistry["idp"] = idp.NewSutureService
 	s.ServicesRegistry["idm"] = idm.NewSutureService
 	s.ServicesRegistry["ocs"] = ocs.NewSutureService
 	s.ServicesRegistry["store"] = store.NewSutureService
@@ -137,6 +136,7 @@ func NewService(options ...Option) (*Service, error) {
 	s.Delayed["accounts"] = accounts.NewSutureService
 	s.Delayed["proxy"] = proxy.NewSutureService
 	s.Delayed["ocdav"] = ocdav.NewOCDav
+	s.Delayed["idp"] = idp.NewSutureService

 	return s, nil
 }