Support used self-signed certificates LDAP. · Issue #1277 · dexidp/dex · GitHub
Closed
liweiv opened this issue Aug 26, 2018 · 3 comments
Comments

@liweiv
Contributor
liweiv commented Aug 26, 2018

For an LDAP server that uses self-signed certificates and demands TLS client verification, dex should load the self-signed certificates for the client.
This is my solution.

  1. Add the clientCert & clientKey config fields.

	// Path to a trusted root certificate file.
	RootCA string `json:"rootCA"`
	// Path to a client cert file generated by rootCA.
	ClientCert string `json:"clientCert"`
	// Path to a client private key file generated by rootCA.
	ClientKey string `json:"clientKey"`
	// Base64 encoded PEM data containing root CAs.
	RootCAData []byte `json:"rootCAData"`

  2. Load the self-signed client certificate and key into the TLS config.

	// Present a client certificate only when both halves of the key pair are configured.
	if c.ClientKey != "" && c.ClientCert != "" {
		cert, err := tls.LoadX509KeyPair(c.ClientCert, c.ClientKey)
		if err != nil {
			return nil, fmt.Errorf("ldap: load client certificate and key: %v", err)
		}
		tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
	}

  3. Set the self-signed certificates in the config file (the key names match the JSON tags above).

connectors:
- type: ldap
  name: OpenLDAP
  id: ldap
  config:
    host: localhost:636
    rootCA: /etc/dex/sslcerts/ca.crt
    clientCert: /etc/dex/sslcerts/client.crt
    clientKey: /etc/dex/sslcerts/client.key
@liweiv liweiv changed the title Support self-signed certificates LDAP. Support used self-signed certificates LDAP. Aug 26, 2018
@ericchiang
Contributor

Which providers do this? Got some docs?

@liweiv
Contributor Author
liweiv commented Sep 7, 2018

Used for an LDAP server that uses self-signed certificates (RootCA, server cert) and has TLS client verification set. In this case, dex should use the client certificates generated by the LDAP server's RootCA.
Without the client certificates, all of dex's requests to the LDAP server will be rejected.

http://www.openldap.org/doc/admin24/tls.html

16.1.2. Client Certificates
The DN of a client certificate can be used directly as an authentication DN.
...

@srenatus
Contributor

Fixed in v2.12.0 (#1314), thanks to your help in #1278. 🎉
