From d1f92e45b6e9138e68777aebb158460b4017ef2a Mon Sep 17 00:00:00 2001 From: Michal Budzyn Date: Mon, 12 Oct 2020 00:57:42 +0200 Subject: [PATCH] LDAP plugin: rename flag ldap-cacert to ldap-ca-cert-file, new flag ldap-insecure-skip-verify --- cmd/plugin-auth-ldap/README.md | 6 +++--- cmd/plugin-auth-ldap/main.go | 22 ++++++++++++---------- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/cmd/plugin-auth-ldap/README.md b/cmd/plugin-auth-ldap/README.md index 8dcea68a..233f4c92 100644 --- a/cmd/plugin-auth-ldap/README.md +++ b/cmd/plugin-auth-ldap/README.md @@ -13,7 +13,7 @@ build/kafka-proxy server \ --auth-local-enable \ --auth-local-command=build/auth-ldap \ --auth-local-param=--url=ldap://localhost:389 \ - --auth-local-param=--ldap-cacerts=/certs/ldap/pem \ + --auth-local-param=--ldap-ca-cert-file=/certs/ldap/ca-cert-file.pem \ --auth-local-param=--start-tls=false \ --auth-local-param=--search-ldap \ --auth-local-param=--bind-dn=cn=admin,dc=example,dc=org \ @@ -25,8 +25,8 @@ build/kafka-proxy server \ Setting the flag `--search-ldap` will search the user dn in LDAP, even if `--bind-dn` is not given. This is for LDAP installations that don't need a bind before allowing readonly actions.(and therefore don't have a readony user) -If `--ldap-cacerts` is set, a (chain of) certificates in PEM format needed to verify the LDAP server's identity -is read from the file given. If the flag ist not set, TLS verification will be skipped +If `--ldap-ca-cert-file` is set, a (chain of) certificates in PEM format needed to verify the LDAP server's identity +is read from the file given. If the flag ist not set, TLS verification can be skipped if `ldap-insecure-skip-verify` flag is true. diff --git a/cmd/plugin-auth-ldap/main.go b/cmd/plugin-auth-ldap/main.go index f95a2cd0..f6843fa5 100644 --- a/cmd/plugin-auth-ldap/main.go +++ b/cmd/plugin-auth-ldap/main.go 
@@ -194,12 +194,13 @@ func (pa LdapAuthenticator) DialLDAP() (*ldap.Conn, error) {
 }
 type pluginMeta struct {
- url string
- cacert string
- startTLS bool
- upnDomain string
- userDN string
- userAttr string
+ url string
+ caCertFile string
+ insecureSkipVerify bool
+ startTLS bool
+ upnDomain string
+ userDN string
+ userAttr string
 searchLDAP bool
 bindDN string
@@ -212,7 +213,8 @@ func (f *pluginMeta) flagSet() *flag.FlagSet {
 fs := flag.NewFlagSet("auth plugin settings", flag.ContinueOnError)
 fs.StringVar(&f.url, "url", "", "LDAP URL to connect to (eg: ldaps://127.0.0.1:636). Multiple URLs can be specified by concatenating them with commas.")
- fs.StringVar(&f.cacert, "ldap-cacert", "", "X509 CA certificate (PEM) to verify peer against")
+ fs.StringVar(&f.caCertFile, "ldap-ca-cert-file", "", "X509 CA certificate (PEM) to verify peer against")
+ fs.BoolVar(&f.insecureSkipVerify, "ldap-insecure-skip-verify", false, "It controls whether a client verifies the server's certificate chain and host name")
 fs.BoolVar(&f.startTLS, "start-tls", true, "Issue a StartTLS command after establishing unencrypted connection (optional)")
 fs.StringVar(&f.upnDomain, "upn-domain", "", "Enables userPrincipalDomain login with [username]@UPNDomain (optional)")
 fs.StringVar(&f.userDN, "user-dn", "", "LDAP domain to use for users (eg: cn=users,dc=example,dc=org)")
@@ -283,7 +285,7 @@ func main() {
 os.Exit(1)
 }
- tlsConfig, err := getTlsConfig(pluginMeta.cacert)
+ tlsConfig, err := getTlsConfig(pluginMeta.caCertFile, pluginMeta.insecureSkipVerify)
 if err != nil {
 logrus.Errorf("error %v getting TLS config", err)
 os.Exit(1)
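Review bot: The help text for the new `ldap-insecure-skip-verify` flag in flagSet ("It controls whether a client verifies…") is lifted from the crypto/tls field doc and does not tell the operator which way `true` goes or that the setting is dangerous, so `--help` gives no hint that enabling it disables verification. I would make it explicit: `fs.BoolVar(&f.insecureSkipVerify, "ldap-insecure-skip-verify", false, "Skip verification of the LDAP server's certificate chain and host name (INSECURE; for testing only)")`. From the getTlsConfig hunk further down, the flag appears to be consulted only when `--ldap-ca-cert-file` is empty; if that is indeed the full story, the help text should also say the flag has no effect once a CA file is given. flagSet starts before this hunk (its signature is only the section heading) and continues past the hunk's last line.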
@@ -311,9 +313,9 @@ func main() {
 })
 }
-func getTlsConfig(caCertFile string) (*tls.Config, error) {
+func getTlsConfig(caCertFile string, insecureSkipVerify bool) (*tls.Config, error) {
 if caCertFile == "" {
- return &tls.Config{InsecureSkipVerify: true}, nil
+ return &tls.Config{InsecureSkipVerify: insecureSkipVerify}, nil
 } else {
 certData, err := ioutil.ReadFile(caCertFile)
 if err != nil {
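Review bot: In getTlsConfig the new `insecureSkipVerify` argument is consulted only on the `caCertFile == ""` branch; in the visible lines of the CA-file branch it is unused, so `--ldap-insecure-skip-verify=true` combined with `--ldap-ca-cert-file` would silently have no effect (the rest of that branch, where its tls.Config is built, lies outside the hunk, so it may be wired in there — worth confirming). If it is not, either reject the combination, `if caCertFile != "" && insecureSkipVerify { return nil, fmt.Errorf("ldap-insecure-skip-verify cannot be combined with ldap-ca-cert-file") }` (using whichever of `fmt`/`errors` the file already imports), or set `InsecureSkipVerify: insecureSkipVerify` on that branch's config as well, so the flag's documented meaning holds in both cases. Replacing the unconditional `InsecureSkipVerify: true` on the no-CA path with the flag (default false, so system roots are used) is the right default; because setting it disables both chain and host-name checking, I would add `logrus.Warn("ldap-insecure-skip-verify is set; the LDAP server's certificate chain and host name will not be verified")` immediately before that return so the downgrade is visible in logs. getTlsConfig's body continues past the last line of the hunk.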