Add "insecure" flag to graph LDAP backend

To allow skipping TLS Certificate verification in development environments.
2026-01-06 12:19:37 -06:00 · 2022-02-09 11:54:41 +01:00
parent 21c7b10f98
commit 8a57545c30
4 changed files with 42 additions and 14 deletions
--- a/graph/pkg/config/config.go
+++ b/graph/pkg/config/config.go
@@ -37,6 +37,7 @@ type Spaces struct {

 type LDAP struct {
 	URI           string `ocisConfig:"uri" env:"GRAPH_LDAP_URI"`
+	Insecure      bool   `ocisConfig:"insecure" env:"OCIS_INSECURE;GRAPH_LDAP_INSECURE"`
 	BindDN        string `ocisConfig:"bind_dn" env:"GRAPH_LDAP_BIND_DN"`
 	BindPassword  string `ocisConfig:"bind_password" env:"GRAPH_LDAP_BIND_PASSWORD"`
 	UseServerUUID bool   `ocisConfig:"use_server_uuid" env:"GRAPH_LDAP_SERVER_UUID"`
--- a/graph/pkg/config/defaultconfig.go
+++ b/graph/pkg/config/defaultconfig.go
@@ -30,6 +30,7 @@ func DefaultConfig() *Config {
 			Backend: "cs3",
 			LDAP: LDAP{
 				URI:                      "ldap://localhost:9125",
+				Insecure:                 false,
 				BindDN:                   "",
 				BindPassword:             "",
 				UseServerUUID:            false,
--- a/graph/pkg/identity/ldap/reconnect.go
+++ b/graph/pkg/identity/ldap/reconnect.go
@@ -31,14 +31,21 @@ type ConnWithReconnect struct {
 	logger  *log.Logger
 }

-func NewLDAPWithReconnect(logger *log.Logger, ldapURI, bindDN, bindPassword string) ConnWithReconnect {
+type Config struct {
+	URI          string
+	BindDN       string
+	BindPassword string
+	TLSConfig    *tls.Config
+}
+
+func NewLDAPWithReconnect(logger *log.Logger, config Config) ConnWithReconnect {
 	conn := ConnWithReconnect{
 		conn:    make(chan ldapConnection),
 		reset:   make(chan *ldap.Conn),
 		retries: 1,
 		logger:  logger,
 	}
-	go conn.ldapAutoConnect(ldapURI, bindDN, bindPassword)
+	go conn.ldapAutoConnect(config)
 	return conn
 }

@@ -172,8 +179,8 @@ func (c ConnWithReconnect) GetConnection() (*ldap.Conn, error) {
 	return c.reconnect(conn.Conn)
 }

-func (c ConnWithReconnect) ldapAutoConnect(ldapURI, bindDN, bindPassword string) {
-	l, err := c.ldapConnect(ldapURI, bindDN, bindPassword)
+func (c ConnWithReconnect) ldapAutoConnect(config Config) {
+	l, err := c.ldapConnect(config)
 	if err != nil {
 		c.logger.Error().Err(err).Msg("autoconnect could not get ldap Connection")
 	}
@@ -190,7 +197,7 @@ func (c ConnWithReconnect) ldapAutoConnect(ldapURI, bindDN, bindPassword string)
 			}
 			if l == resConn || l == nil {
 				c.logger.Debug().Msg("reconnecting to LDAP")
-				l, err = c.ldapConnect(ldapURI, bindDN, bindPassword)
+				l, err = c.ldapConnect(config)
 			} else {
 				c.logger.Debug().Msg("already reconnected")
 			}
@@ -199,16 +206,24 @@ func (c ConnWithReconnect) ldapAutoConnect(ldapURI, bindDN, bindPassword string)
 	}
 }

-func (c ConnWithReconnect) ldapConnect(ldapURI, bindDN, bindPassword string) (*ldap.Conn, error) {
-	c.logger.Debug().Msgf("Connecting to %s", ldapURI)
-	l, err := ldap.DialURL(ldapURI)
+func (c ConnWithReconnect) ldapConnect(config Config) (*ldap.Conn, error) {
+	c.logger.Debug().Msgf("Connecting to %s", config.URI)
+
+	var err error
+	var l *ldap.Conn
+	if config.TLSConfig != nil {
+		l, err = ldap.DialURL(config.URI, ldap.DialWithTLSConfig(config.TLSConfig))
+	} else {
+		l, err = ldap.DialURL(config.URI)
+	}
+
 	if err != nil {
 		c.logger.Error().Err(err).Msg("could not get ldap Connection")
 	} else {
 		c.logger.Debug().Msg("LDAP Connected")
-		if bindDN != "" {
-			c.logger.Debug().Msgf("Binding as %s", bindDN)
-			err = l.Bind(bindDN, bindPassword)
+		if config.BindDN != "" {
+			c.logger.Debug().Msgf("Binding as %s", config.BindDN)
+			err = l.Bind(config.BindDN, config.BindPassword)
 			if err != nil {
 				c.logger.Error().Err(err).Msg("Bind failed")
 				l.Close()
--- a/graph/pkg/service/v0/service.go
+++ b/graph/pkg/service/v0/service.go
@@ -59,10 +59,21 @@ func NewService(opts ...Option) Service {
 		}
 	case "ldap":
 		var err error
+
+		var tlsConf *tls.Config
+		if options.Config.Identity.LDAP.Insecure {
+			tlsConf = &tls.Config{
+				InsecureSkipVerify: true,
+			}
+		}
+
 		conn := ldap.NewLDAPWithReconnect(&options.Logger,
-			options.Config.Identity.LDAP.URI,
-			options.Config.Identity.LDAP.BindDN,
-			options.Config.Identity.LDAP.BindPassword,
+			ldap.Config{
+				URI:          options.Config.Identity.LDAP.URI,
+				BindDN:       options.Config.Identity.LDAP.BindDN,
+				BindPassword: options.Config.Identity.LDAP.BindPassword,
+				TLSConfig:    tlsConf,
+			},
 		)
 		if backend, err = identity.NewLDAPBackend(conn, options.Config.Identity.LDAP, &options.Logger); err != nil {
 			options.Logger.Error().Msgf("Error initializing LDAP Backend: '%s'", err)