diff --git a/changelog/unreleased/reva-ldap-tls.md b/changelog/unreleased/reva-ldap-tls.md
new file mode 100644
index 000000000..8cc1846bb
--- /dev/null
+++ b/changelog/unreleased/reva-ldap-tls.md
@@ -0,0 +1,10 @@
+Enhancement: TLS config options for ldap in reva
+
+We added the new config options "ldap-cacert" and "ldap-insecure" to the auth-,
+users- and groups-provider services to be able to do proper TLS configuration
+for the LDAP clients. "ldap-cacert" is by default configured to add the bundled
+glauth LDAP servers certificate to the trusted set for the LDAP clients.
+"ldap-insecure" is set to "false" by default and can be used to disable
+certificate checks (only advisable for development and test enviroments).
+
+https://github.com/owncloud/ocis/pull/2492
diff --git a/storage/pkg/command/authbasic.go b/storage/pkg/command/authbasic.go
index 3e0d11db4..7b1bd96b9 100644
--- a/storage/pkg/command/authbasic.go
+++ b/storage/pkg/command/authbasic.go
@@ -114,6 +114,8 @@ func authBasicConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]in
 "ldap": map[string]interface{}{
 "hostname": cfg.Reva.LDAP.Hostname,
 "port": cfg.Reva.LDAP.Port,
+"cacert": cfg.Reva.LDAP.CACert,
+"insecure": cfg.Reva.LDAP.Insecure,
 "base_dn": cfg.Reva.LDAP.BaseDN,
 "loginfilter": cfg.Reva.LDAP.LoginFilter,
 "bind_username": cfg.Reva.LDAP.BindDN,
diff --git a/storage/pkg/command/groups.go b/storage/pkg/command/groups.go
index 47f0bbb4e..0c11d3d18 100644
--- a/storage/pkg/command/groups.go
+++ b/storage/pkg/command/groups.go
@@ -118,6 +118,8 @@ func groupsConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]inter
 "ldap": map[string]interface{}{
 "hostname": cfg.Reva.LDAP.Hostname,
 "port": cfg.Reva.LDAP.Port,
+"cacert": cfg.Reva.LDAP.CACert,
+"insecure": cfg.Reva.LDAP.Insecure,
 "base_dn": cfg.Reva.LDAP.BaseDN,
 "groupfilter": cfg.Reva.LDAP.GroupFilter,
 "attributefilter": cfg.Reva.LDAP.GroupAttributeFilter,
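Review bot: The `ldap` map that now carries `cacert` and `insecure` is built identically in authbasic.go, groups.go and users.go (the hunks at lines 118 and 121 of those files), so the three copies have to be edited in lockstep and a key forgotten in one service would presumably fall back to whatever default the provider applies, unnoticed. Consider extracting the common part into one helper, e.g. `func ldapConfigFromStruct(l config.LDAP) map[string]interface{}` in the command package, and layering the per-service keys (`loginfilter`, `groupfilter`, `userfilter`) on top. Since `insecure` disables certificate and hostname validation (per the flag usage in flagset/ldap.go), a startup warning when it is set would help operators notice it in a production deployment; no logger is visible in the hunk, so where to emit it is outside this view. The enclosing `authBasicConfigFromStruct` body starts and ends outside the hunk.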
diff --git a/storage/pkg/command/users.go b/storage/pkg/command/users.go
index 4836afe6d..24ef2b573 100644
--- a/storage/pkg/command/users.go
+++ b/storage/pkg/command/users.go
@@ -121,6 +121,8 @@ func usersConfigFromStruct(c *cli.Context, cfg *config.Config) map[string]interf
 "ldap": map[string]interface{}{
 "hostname": cfg.Reva.LDAP.Hostname,
 "port": cfg.Reva.LDAP.Port,
+"cacert": cfg.Reva.LDAP.CACert,
+"insecure": cfg.Reva.LDAP.Insecure,
 "base_dn": cfg.Reva.LDAP.BaseDN,
 "userfilter": cfg.Reva.LDAP.UserFilter,
 "attributefilter": cfg.Reva.LDAP.UserAttributeFilter,
diff --git a/storage/pkg/config/config.go b/storage/pkg/config/config.go
index 4d73c02c7..e50bc34c5 100644
--- a/storage/pkg/config/config.go
+++ b/storage/pkg/config/config.go
@@ -332,6 +332,8 @@ type OIDC struct {
 type LDAP struct {
 Hostname string
 Port int
+CACert string
+Insecure bool
 BaseDN string
 LoginFilter string
 UserFilter string
diff --git a/storage/pkg/flagset/ldap.go b/storage/pkg/flagset/ldap.go
index b5f069a45..cea3c2bdd 100644
--- a/storage/pkg/flagset/ldap.go
+++ b/storage/pkg/flagset/ldap.go
@@ -1,8 +1,11 @@
 package flagset
 
 import (
+"path"
+
 "github.com/micro/cli/v2"
 "github.com/owncloud/ocis/ocis-pkg/flags"
+pkgos "github.com/owncloud/ocis/ocis-pkg/os"
 "github.com/owncloud/ocis/storage/pkg/config"
 )
 
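Review bot: The new exported fields `CACert` and `Insecure` in the `LDAP` struct have no doc comments, and since `Insecure` switches off TLS verification its effect deserves to be stated at the type, not only in the flag usage text. Suggested: `CACert string // path to a PEM-encoded certificate trusted for the LDAP connection` and `Insecure bool // disables TLS certificate and hostname validation; development and test use only`. The `LDAP` struct continues past the end of the hunk.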
@@ -23,6 +26,20 @@ func LDAPWithConfig(cfg *config.Config) []cli.Flag {
 EnvVars: []string{"STORAGE_LDAP_PORT"},
 Destination: &cfg.Reva.LDAP.Port,
 },
+&cli.StringFlag{
+Name: "ldap-cacert",
+Value: flags.OverrideDefaultString(cfg.Reva.LDAP.CACert, path.Join(pkgos.MustUserConfigDir("ocis", "ldap"), "ldap.crt")),
+Usage: "Path to a trusted Certificate file (in PEM format) for the LDAP Connection",
+EnvVars: []string{"STORAGE_LDAP_CACERT"},
+Destination: &cfg.Reva.LDAP.CACert,
+},
+&cli.BoolFlag{
+Name: "ldap-insecure",
+Value: flags.OverrideDefaultBool(cfg.Reva.LDAP.Insecure, false),
+Usage: "Disable TLS certificate and hostname validation",
+EnvVars: []string{"STORAGE_LDAP_INSECURE"},
+Destination: &cfg.Reva.LDAP.Insecure,
+},
 &cli.StringFlag{
 Name: "ldap-base-dn",
 Value: flags.OverrideDefaultString(cfg.Reva.LDAP.BaseDN, "dc=example,dc=org"),
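Review bot: The default for `ldap-cacert` is assembled with `path.Join`, which is meant for slash-separated URL paths, while `pkgos.MustUserConfigDir(...)` yields a filesystem directory; use `filepath.Join(pkgos.MustUserConfigDir("ocis", "ldap"), "ldap.crt")` and import `path/filepath` instead of `path` in the import hunk at the top of this file. Because `MustUserConfigDir` is presumably a panicking `Must` helper, evaluating it inside the flag definition means a host whose user config dir cannot be resolved aborts while the flag set is built rather than when the certificate is first loaded — worth confirming that is intended. For `ldap-insecure`, the usage string could carry the caveat the changelog already gives, e.g. `Usage: "Disable TLS certificate and hostname validation (development and test environments only)",`, so `--help` readers see it is not a production setting. `LDAPWithConfig` starts and ends outside the hunk.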