diff --git a/examples/conf-from-tls-toml-file.yml b/examples/conf-from-tls-toml-file.yml
new file mode 100644
index 0000000..94c3176
--- /dev/null
+++ b/examples/conf-from-tls-toml-file.yml
@@ -0,0 +1,40 @@
+version: "3.3"
+
+services:
+
+ traefik:
+ # build:
+ # context: .
+ image: traefik:v2.10.0
+ container_name: "traefik"
+ command:
+ #- "--log.level=DEBUG"
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--entrypoints.web.address=:80"
+ # Load ldapAuth from local private plugins format ===============================#
+ # https://github.com/traefik/traefik/pull/8224 #
+ # "A plugin must be declared in the static configuration" #
+ # https://doc.traefik.io/traefik-pilot/plugins/overview/#installing-plugins #
+ - "--experimental.localPlugins.ldapAuth.moduleName=github.com/wiltonsr/ldapAuth" #
+ # ===============================================================================#
+ # Load ldapAuth Dynamic conf from file ==========================================#
+ # https://doc.traefik.io/traefik/providers/file/#filename #
+ - "--providers.file.filename=/dynamic-conf/ldapAuth-tls-conf.toml" #
+ # ===============================================================================#
+ ports:
+ - "80:80"
+ - "8080:8080"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ - "../../ldapAuth:/plugins-local/src/github.com/wiltonsr/ldapAuth:ro"
+ - "./dynamic-conf/ldapAuth-tls-conf.toml:/dynamic-conf/ldapAuth-tls-conf.toml:ro"
+
+ whoami:
+ image: "traefik/whoami"
+ container_name: "whoami"
+ labels:
+ - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
+ - "traefik.http.routers.whoami.entrypoints=web"
+ # Enable LDAP Auth Middleware defined in ldapAuth-tls-conf.toml
+ - "traefik.http.routers.whoami.middlewares=my-ldapAuth@file"
diff --git a/examples/conf-from-tls-yml-file.yml b/examples/conf-from-tls-yml-file.yml
new file mode 100644
index 0000000..777bc13
--- /dev/null
+++ b/examples/conf-from-tls-yml-file.yml
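Review bot: `- "--api.insecure=true"` together with the `- "8080:8080"` port mapping publishes the Traefik API and dashboard on the host without any authentication, and nothing in the file marks that as a demo-only setting. A comment above the flag such as `# Demo only: exposes the Traefik dashboard on :8080 without authentication` would stop the line from being copied unchanged into a real deployment. The same applies to examples/conf-from-tls-yml-file.yml in the next hunk.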
@@ -0,0 +1,40 @@
+version: "3.3"
+
+services:
+
+ traefik:
+ # build:
+ # context: .
+ image: traefik:v2.10.0
+ container_name: "traefik"
+ command:
+ #- "--log.level=DEBUG"
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--entrypoints.web.address=:80"
+ # Load ldapAuth from local private plugins format ===============================#
+ # https://github.com/traefik/traefik/pull/8224 #
+ # "A plugin must be declared in the static configuration" #
+ # https://doc.traefik.io/traefik-pilot/plugins/overview/#installing-plugins #
+ - "--experimental.localPlugins.ldapAuth.moduleName=github.com/wiltonsr/ldapAuth" #
+ # ===============================================================================#
+ # Load ldapAuth Dynamic conf from file ==========================================#
+ # https://doc.traefik.io/traefik/providers/file/#filename #
+ - "--providers.file.filename=/dynamic-conf/ldapAuth-tls-conf.yml" #
+ # ===============================================================================#
+ ports:
+ - "80:80"
+ - "8080:8080"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock:ro"
+ - "../../ldapAuth:/plugins-local/src/github.com/wiltonsr/ldapAuth:ro"
+ - "./dynamic-conf/ldapAuth-tls-conf.yml:/dynamic-conf/ldapAuth-tls-conf.yml:ro"
+
+ whoami:
+ image: "traefik/whoami"
+ container_name: "whoami"
+ labels:
+ - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
+ - "traefik.http.routers.whoami.entrypoints=web"
+ # Enable LDAP Auth Middleware defined in ldapAuth-tls-conf.yml
+ - "traefik.http.routers.whoami.middlewares=my-ldapAuth@file"
diff --git a/examples/conf-from-toml-file.yml b/examples/conf-from-toml-file.yml
index 531665c..ec18292 100644
--- a/examples/conf-from-toml-file.yml
+++ b/examples/conf-from-toml-file.yml
@@ -36,5 +36,5 @@ services:
 labels:
 - "traefik.http.routers.whoami.rule=Host(`whoami.localhost`)"
 - "traefik.http.routers.whoami.entrypoints=web"
- # Enable LDAP Auth Middleware defined in ldapAuth-conf.yml
+ # Enable LDAP Auth Middleware defined in ldapAuth-conf.toml
 - "traefik.http.routers.whoami.middlewares=my-ldapAuth@file"
diff --git a/examples/dynamic-conf/ldapAuth-tls-conf.toml b/examples/dynamic-conf/ldapAuth-tls-conf.toml
new file mode 100644
index 0000000..7c2977b
--- /dev/null
+++ b/examples/dynamic-conf/ldapAuth-tls-conf.toml
@@ -0,0 +1,68 @@
+[http.middlewares]
+[http.middlewares.my-ldapAuth.plugin.ldapAuth]
+Attribute = "uid"
+BaseDN = "cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org"
+Enabled = true
+LogLevel = "DEBUG"
+Port = "636"
+Url = "ldaps://ipa.demo1.freeipa.org"
+CertificateAuthority = '''
+-----BEGIN CERTIFICATE-----
+MIIFWzCCA8OgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFERU1P
+MS5GUkVFSVBBLk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
+DTIzMDQyMDEzMzYxNFoXDTI1MDQyMDEzMzYxNFowPDEaMBgGA1UECgwRREVNTzEu
+RlJFRUlQQS5PUkcxHjAcBgNVBAMMFWlwYS5kZW1vMS5mcmVlaXBhLm9yZzCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEzBE9i2gqOMM2HKyNnM7Ih5+mv
+duVmE5D+5raJtqA1eNZkNrQmSaKwS9cnHGX+2/zSY1FDkZnIhGXySPf0/7fxCuG/
+J9MvRlecGnJTWOCvPIVhkvd5PyTKkClmsk4ojx2IwCU6q2nvy0zvSxhhzd2UpOL6
+y7fNtS3VBYYZjWNEv0K7F+pGtW40MauGDotsP1zQmyVW5J1IszDDlRgTLC6azdBs
++RP0vYCyKkgh1tpWLYfFnQhNVOlja79QcnlKdvnZu4sFdDSvOqext28mBJuCm8ib
+HLnQQcxTqg2jMx8AW2zh9F8sMoEsn/mjDHI41oGGsHeZt3j5a8Ab7jtlz8MCAwEA
+AaOCAeYwggHiMB8GA1UdIwQYMBaAFKFAgcvZmgX3tnFhcPQ5i4jZ+xE9MEMGCCsG
+AQUFBwEBBDcwNTAzBggrBgEFBQcwAYYnaHR0cDovL2lwYS1jYS5kZW1vMS5mcmVl
+aXBhLm9yZy9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwfAYDVR0fBHUwczBxoDmgN4Y1aHR0cDovL2lwYS1jYS5k
+ZW1vMS5mcmVlaXBhLm9yZy9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAM
+BgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYD
+VR0OBBYEFGsje2irExO4AvvLW6jv2oEkrZfSMIGtBgNVHREEgaUwgaKCFWlwYS5k
+ZW1vMS5mcmVlaXBhLm9yZ6A8BgorBgEEAYI3FAIDoC4MLGxkYXAvaXBhLmRlbW8x
+LmZyZWVpcGEub3JnQERFTU8xLkZSRUVJUEEuT1JHoEsGBisGAQUCAqBBMD+gExsR
+REVNTzEuRlJFRUlQQS5PUkehKDAmoAMCAQGhHzAdGwRsZGFwGxVpcGEuZGVtbzEu
+ZnJlZWlwYS5vcmcwDQYJKoZIhvcNAQELBQADggGBADO5SovCVFoVJQOKxrePdh5y
+VIQ45UQSjmfXT+FlzbzlX47ejpvdqDKDl0yj5JBUKtKxv3Mj6natUQAVnveRcXlo
+mjzEOQsozCaWcCrtnIW8AOny78DjxnSdwPqd/TRV4r2/T2cRndd0GCg6LrQxEdTf
+VNKJAMAYin6xmopsarpXwVJVd7YweFUMd7Tu5Tvpde1oubnBtb7ZEGixb6AB200g
+lHQroWz6s+a/d7BxsyM0DA5bOk728LqroIJ8m/9xIbnACoyeVdmM5BF/1/cUsX4N
+RkRJIfcITNB3zr/4WUldKsM/7bfEA5S0GQUjTd4njt5r7d8j2r6V88maN9ANgXZ4
+Vf1RbjmTOw4OovwGXtRu8DkQ4kSqnyd1COelH48EfGxtOYbzqNNgnip+95mmMoFr
+3BkxKP8G/lQ3kGOYqBIQ+1ICtvx29Smllo87RkJ3KltHy7RKVMZry7inLTqCNBAA
+uIdew6R5uJhBBrfjmXGyGjba9wtxDPiPoTa9gGAu7w==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEnTCCAwWgAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFERU1P
+MS5GUkVFSVBBLk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
+DTIzMDQyMDEzMzM1NFoXDTQzMDQyMDEzMzM1NFowPDEaMBgGA1UECgwRREVNTzEu
+RlJFRUlQQS5PUkcxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCAaIw
+DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALLzV665748bW3Da/ZVTZ4BVHrCW
+RuuT+7bgT6CZOUMri8F+KuQ6sT+o3hQuyrp4qWn0sU3bO9TCXjkQ4B8uo8ZR3RvR
++2FXENtUQukI4PTXXoKjqJkGrgWVyISfkvNZvsl/bOEtVJ6nh3DBLhYM0HEENccL
+0b1SALdntQwGFJfWkRD0FbjBo7CPxePm7L2VViDMY0cYeUdgETcqc9Zw90gUEqTt
+keHqPmBkiOUVk09f3qtdoukRqAvx3nKhUu7vHEf+DJJoQtr3ilUXZQZ/6lKkYl9k
+mdwjt+9YeCaKV0s7RI4G+25xo1ZSB3IfMMGISGf/0mOyg4LgWyuuDF/ip5+gI46b
+Ol85DrhJAfeYoFbjx+zsoY9mn0kiMBnxg+NkvJitsb5EFexXtqfLLeGjFTu2a9rw
+bB6mM3GKmMszwif/i9uO/NeK1LlmN6g1vy07HtjQWh2LUa9AbeIp6s1UUcruCGem
+FSzLRmcOY4wi0gGm8Vwg9MRtS6sUe7bfM7uPXwIDAQABo4GpMIGmMB8GA1UdIwQY
+MBaAFKFAgcvZmgX3tnFhcPQ5i4jZ+xE9MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
+AQH/BAQDAgHGMB0GA1UdDgQWBBShQIHL2ZoF97ZxYXD0OYuI2fsRPTBDBggrBgEF
+BQcBAQQ3MDUwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9pcGEtY2EuZGVtbzEuZnJlZWlw
+YS5vcmcvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEAH0du998ux4CkH/W9/2l0
+GnnHE5GbBBcGd4zEIxxoe0kYm7MKJjXL9gDRZ3RMseEhy0mAX8cixA7xmg/IFgM9
+TFHoHbTUNgEzLZtOYl5Qccp48ZV1XLrzfK1DorEH6tgza0X2rNJ7RU25sq9i687Y
+S0Tt6W3CNkOnQed7blDbxfZJOq7gvqiTFy09a5OXv2AxpkmRrLwFWd/+4Whbsji1
+wiwTD+t7gDTGizqINEsJ3lT+2dDp+mAxPKTd4XiTE4aBPVc4LBxHDnMzqFxa1qzG
+v/BL+aa3FkahD/zMm6/B70iApFOFeCrng/1Q7DxUsBWWuzS+oVdm8MEUWtHxANC5
+VG91hbzs4jBAig6AY1hGe49oOabkM1IGhp/TIySAaogA4BFS9DNV1TyNZ4Y9PO61
+JZHjzfXOLIdSlluwsBJem4Lj6Xdw8epzANA0CVnEQ5R1Aql0uRlSsAuhcsleCYJC
+4gbTjx3PDQLm4BUvsNZ62knVDJPvjAX4nOybumpLAVKg
+-----END CERTIFICATE-----
+'''
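Review bot: The `CertificateAuthority` value bundles two PEM blocks, and the first one decodes as the server's own leaf certificate (subject CN `ipa.demo1.freeipa.org`, validity 2023-04-20 to 2025-04-20) rather than a CA; only the second block (CN `Certificate Authority`, valid to 2043-04-20) belongs in a trust-anchor setting, and keeping the leaf there makes the example stop verifying as soon as the demo server rotates its certificate. Dropping the first block leaves the chain verifiable through the CA alone. Separately, `Port = "636"` here is a TOML string while examples/dynamic-conf/ldapAuth-tls-conf.yml uses the integer `636` and `Connect` takes `port uint16`; confirm the plugin config decoder accepts the quoted form, otherwise write it as `Port = 636`. The same leaf-certificate point applies to the YAML file in the later hunk.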
diff --git a/examples/dynamic-conf/ldapAuth-tls-conf.yml b/examples/dynamic-conf/ldapAuth-tls-conf.yml
new file mode 100644
index 0000000..c89f559
--- /dev/null
+++ b/examples/dynamic-conf/ldapAuth-tls-conf.yml
@@ -0,0 +1,70 @@
+http:
+ middlewares:
+ my-ldapAuth:
+ plugin:
+ ldapAuth:
+ Enabled: true
+ LogLevel: "DEBUG"
+ Url: "ldaps://ipa.demo1.freeipa.org"
+ Port: 636
+ BaseDN: "cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org"
+ Attribute: "uid"
+ CertificateAuthority: |-
+ -----BEGIN CERTIFICATE-----
+ MIIFWzCCA8OgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFERU1P
+ MS5GUkVFSVBBLk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
+ DTIzMDQyMDEzMzYxNFoXDTI1MDQyMDEzMzYxNFowPDEaMBgGA1UECgwRREVNTzEu
+ RlJFRUlQQS5PUkcxHjAcBgNVBAMMFWlwYS5kZW1vMS5mcmVlaXBhLm9yZzCCASIw
+ DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMEzBE9i2gqOMM2HKyNnM7Ih5+mv
+ duVmE5D+5raJtqA1eNZkNrQmSaKwS9cnHGX+2/zSY1FDkZnIhGXySPf0/7fxCuG/
+ J9MvRlecGnJTWOCvPIVhkvd5PyTKkClmsk4ojx2IwCU6q2nvy0zvSxhhzd2UpOL6
+ y7fNtS3VBYYZjWNEv0K7F+pGtW40MauGDotsP1zQmyVW5J1IszDDlRgTLC6azdBs
+ +RP0vYCyKkgh1tpWLYfFnQhNVOlja79QcnlKdvnZu4sFdDSvOqext28mBJuCm8ib
+ HLnQQcxTqg2jMx8AW2zh9F8sMoEsn/mjDHI41oGGsHeZt3j5a8Ab7jtlz8MCAwEA
+ AaOCAeYwggHiMB8GA1UdIwQYMBaAFKFAgcvZmgX3tnFhcPQ5i4jZ+xE9MEMGCCsG
+ AQUFBwEBBDcwNTAzBggrBgEFBQcwAYYnaHR0cDovL2lwYS1jYS5kZW1vMS5mcmVl
+ aXBhLm9yZy9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEF
+ BQcDAQYIKwYBBQUHAwIwfAYDVR0fBHUwczBxoDmgN4Y1aHR0cDovL2lwYS1jYS5k
+ ZW1vMS5mcmVlaXBhLm9yZy9pcGEvY3JsL01hc3RlckNSTC5iaW6iNKQyMDAxDjAM
+ BgNVBAoMBWlwYWNhMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYD
+ VR0OBBYEFGsje2irExO4AvvLW6jv2oEkrZfSMIGtBgNVHREEgaUwgaKCFWlwYS5k
+ ZW1vMS5mcmVlaXBhLm9yZ6A8BgorBgEEAYI3FAIDoC4MLGxkYXAvaXBhLmRlbW8x
+ LmZyZWVpcGEub3JnQERFTU8xLkZSRUVJUEEuT1JHoEsGBisGAQUCAqBBMD+gExsR
+ REVNTzEuRlJFRUlQQS5PUkehKDAmoAMCAQGhHzAdGwRsZGFwGxVpcGEuZGVtbzEu
+ ZnJlZWlwYS5vcmcwDQYJKoZIhvcNAQELBQADggGBADO5SovCVFoVJQOKxrePdh5y
+ VIQ45UQSjmfXT+FlzbzlX47ejpvdqDKDl0yj5JBUKtKxv3Mj6natUQAVnveRcXlo
+ mjzEOQsozCaWcCrtnIW8AOny78DjxnSdwPqd/TRV4r2/T2cRndd0GCg6LrQxEdTf
+ VNKJAMAYin6xmopsarpXwVJVd7YweFUMd7Tu5Tvpde1oubnBtb7ZEGixb6AB200g
+ lHQroWz6s+a/d7BxsyM0DA5bOk728LqroIJ8m/9xIbnACoyeVdmM5BF/1/cUsX4N
+ RkRJIfcITNB3zr/4WUldKsM/7bfEA5S0GQUjTd4njt5r7d8j2r6V88maN9ANgXZ4
+ Vf1RbjmTOw4OovwGXtRu8DkQ4kSqnyd1COelH48EfGxtOYbzqNNgnip+95mmMoFr
+ 3BkxKP8G/lQ3kGOYqBIQ+1ICtvx29Smllo87RkJ3KltHy7RKVMZry7inLTqCNBAA
+ uIdew6R5uJhBBrfjmXGyGjba9wtxDPiPoTa9gGAu7w==
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ MIIEnTCCAwWgAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKDBFERU1P
+ MS5GUkVFSVBBLk9SRzEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
+ DTIzMDQyMDEzMzM1NFoXDTQzMDQyMDEzMzM1NFowPDEaMBgGA1UECgwRREVNTzEu
+ RlJFRUlQQS5PUkcxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCAaIw
+ DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALLzV665748bW3Da/ZVTZ4BVHrCW
+ RuuT+7bgT6CZOUMri8F+KuQ6sT+o3hQuyrp4qWn0sU3bO9TCXjkQ4B8uo8ZR3RvR
+ +2FXENtUQukI4PTXXoKjqJkGrgWVyISfkvNZvsl/bOEtVJ6nh3DBLhYM0HEENccL
+ 0b1SALdntQwGFJfWkRD0FbjBo7CPxePm7L2VViDMY0cYeUdgETcqc9Zw90gUEqTt
+ keHqPmBkiOUVk09f3qtdoukRqAvx3nKhUu7vHEf+DJJoQtr3ilUXZQZ/6lKkYl9k
+ mdwjt+9YeCaKV0s7RI4G+25xo1ZSB3IfMMGISGf/0mOyg4LgWyuuDF/ip5+gI46b
+ Ol85DrhJAfeYoFbjx+zsoY9mn0kiMBnxg+NkvJitsb5EFexXtqfLLeGjFTu2a9rw
+ bB6mM3GKmMszwif/i9uO/NeK1LlmN6g1vy07HtjQWh2LUa9AbeIp6s1UUcruCGem
+ FSzLRmcOY4wi0gGm8Vwg9MRtS6sUe7bfM7uPXwIDAQABo4GpMIGmMB8GA1UdIwQY
+ MBaAFKFAgcvZmgX3tnFhcPQ5i4jZ+xE9MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P
+ AQH/BAQDAgHGMB0GA1UdDgQWBBShQIHL2ZoF97ZxYXD0OYuI2fsRPTBDBggrBgEF
+ BQcBAQQ3MDUwMwYIKwYBBQUHMAGGJ2h0dHA6Ly9pcGEtY2EuZGVtbzEuZnJlZWlw
+ YS5vcmcvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEAH0du998ux4CkH/W9/2l0
+ GnnHE5GbBBcGd4zEIxxoe0kYm7MKJjXL9gDRZ3RMseEhy0mAX8cixA7xmg/IFgM9
+ TFHoHbTUNgEzLZtOYl5Qccp48ZV1XLrzfK1DorEH6tgza0X2rNJ7RU25sq9i687Y
+ S0Tt6W3CNkOnQed7blDbxfZJOq7gvqiTFy09a5OXv2AxpkmRrLwFWd/+4Whbsji1
+ wiwTD+t7gDTGizqINEsJ3lT+2dDp+mAxPKTd4XiTE4aBPVc4LBxHDnMzqFxa1qzG
+ v/BL+aa3FkahD/zMm6/B70iApFOFeCrng/1Q7DxUsBWWuzS+oVdm8MEUWtHxANC5
+ VG91hbzs4jBAig6AY1hGe49oOabkM1IGhp/TIySAaogA4BFS9DNV1TyNZ4Y9PO61
+ JZHjzfXOLIdSlluwsBJem4Lj6Xdw8epzANA0CVnEQ5R1Aql0uRlSsAuhcsleCYJC
+ 4gbTjx3PDQLm4BUvsNZ62knVDJPvjAX4nOybumpLAVKg
+ -----END CERTIFICATE-----
diff --git a/ldapauth.go b/ldapauth.go
index 977271c..2fb3e6e 100644
--- a/ldapauth.go
+++ b/ldapauth.go
@@ -200,7 +200,7 @@ func (la *LdapAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 certPool.AppendCertsFromPEM([]byte(la.config.CertificateAuthority))
 }
- conn, err := Connect(la.config.URL, la.config.Port, la.config.UseTLS, la.config.StartTLS, la.config.InsecureSkipVerify, certPool)
+ conn, err := Connect(la.config.URL, la.config.Port, la.config.StartTLS, la.config.InsecureSkipVerify, certPool)
 if err != nil {
 LoggerERROR.Printf("%s", err)
 RequireAuth(rw, req, la.config, err)
@@ -419,11 +419,11 @@ func RequireAuth(w http.ResponseWriter, req *http.Request, config *Config, err .
 }
 // Connect return a LDAP Connection.
-func Connect(addr string, port uint16, useTLS bool, startTLS bool, skipVerify bool, ca *x509.CertPool) (*ldap.Conn, error) {
+func Connect(addr string, port uint16, startTLS bool, skipVerify bool, ca *x509.CertPool) (*ldap.Conn, error) {
 var conn *ldap.Conn = nil
 var err error = nil
- u, err := url.Parse(addr)
+ u, err := url.Parse(addr)
 if err != nil {
 return nil, err
 }
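Review bot: The doc comment `// Connect return a LDAP Connection.` above the new signature still says nothing about how the URL scheme now selects the transport, which matters because `useTLS` is removed from the parameters in this hunk and callers can no longer request TLS explicitly. Suggest replacing it with `// Connect dials addr (ldap:// or ldaps://) on port. For ldap:// with startTLS set, the connection is upgraded via StartTLS; ldap:// without startTLS is unencrypted. skipVerify and ca configure certificate verification.` The body of Connect continues in the following hunks.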
@@ -433,28 +433,25 @@ func Connect(addr string, port uint16, useTLS bool, startTLS bool, skipVerify bo
 // we assume that error is due to missing port.
 host = u.Host
 }
- LoggerDEBUG.Printf("Host: %s ", host)
- address := net.JoinHostPort(host, strconv.FormatUint(uint64(port), 10))
+ address := u.Scheme + "://" + net.JoinHostPort(host, strconv.FormatUint(uint64(port), 10))
+ LoggerDEBUG.Printf("Connect Address: '%s'", address)
- LoggerDEBUG.Printf("Connect Address: %s ", address)
+ tlsCfg := &tls.Config{
+ InsecureSkipVerify: skipVerify,
+ ServerName: host,
+ RootCAs: ca,
+ }
- if useTLS {
- tlsCfg := &tls.Config{
- InsecureSkipVerify: skipVerify,
- ServerName: host,
- RootCAs: ca,
- }
- if startTLS {
- conn, err = dial("tcp", address)
- if err == nil {
- err = conn.StartTLS(tlsCfg)
- }
- } else {
- conn, err = dialTLS("tcp", address, tlsCfg)
+ if u.Scheme == "ldap" && startTLS {
+ conn, err = ldap.DialURL(address)
+ if err == nil {
+ err = conn.StartTLS(tlsCfg)
 }
+ } else if u.Scheme == "ldaps" {
+ conn, err = ldap.DialURL(address, ldap.DialWithTLSConfig(tlsCfg))
 } else {
- conn, err = dial("tcp", address)
+ conn, err = ldap.DialURL(address)
 }
 if err != nil {
@@ -462,29 +459,6 @@ func Connect(addr string, port uint16, useTLS bool, startTLS bool, skipVerify bo
 }
 return conn, nil
-
-}
-
-// dial applies connects to the given address on the given network using net.Dial.
-func dial(network, addr string) (*ldap.Conn, error) {
- c, err := net.Dial(network, addr)
- if err != nil {
- return nil, err
- }
- conn := ldap.NewConn(c, false)
- conn.Start()
- return conn, nil
-}
-
-// dialTLS connects to the given address on the given network using tls.Dial.
-func dialTLS(network, addr string, config *tls.Config) (*ldap.Conn, error) {
- c, err := tls.Dial(network, addr, config)
- if err != nil {
- return nil, err
- }
- conn := ldap.NewConn(c, true)
- conn.Start()
- return conn, nil
 }
 // SearchMode make search to LDAP and return results.
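Review bot: The final `else` branch (`conn, err = ldap.DialURL(address)`) now receives every configuration whose URL is not `ldaps://` and that does not set `startTLS`, and that includes deployments that relied on the removed `useTLS: true` with an `ldap://` URL: the old code gave them `dialTLS`, the new code gives them a cleartext dial, and nothing in this hunk warns about or rejects the dropped option (whether the config parser still accepts `UseTLS` is outside the hunk). At minimum log the unencrypted path before the dial, e.g. `LoggerDEBUG.Printf("Connecting to '%s' without TLS", address)`, ideally through a higher-level logger if the file has one, and let the readme hunk that deletes the `useTLS` section state that an `ldaps://` scheme in `url` replaces it. Also, when `u.Scheme` is empty the new `address` becomes `://host:port`, so the failure surfaces as a cryptic DialURL error; an explicit empty-scheme check right after `url.Parse` (in the previous hunk) would give a clearer message. Connect's signature is in the previous hunk.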
diff --git a/readme.md b/readme.md
index 13f6822..0aa2e66 100644
--- a/readme.md
+++ b/readme.md
@@ -179,15 +179,10 @@ Typically, with docker you can use a secret named `my_cache_key_label`.
 The environment variable will be used if both options are set.
-##### `useTLS`
-_Optional, Default: `false`_
-
-Set to true if LDAP server should use an encrypted TLS connection, either with STARTTLS or LDAPS.
-
 ##### `startTLS`
 _Optional, Default: `false`_
-If set to true, instruct `ldapAuth` to issue a `StartTLS` request when initializing the connection with the LDAP server. This is not used if the `useTLS` option is set to `false`.
+If set to true, instruct `ldapAuth` to issue a `StartTLS` request when initializing the connection with the LDAP server.
 ##### `certificateAuthority`
 _Optional, Default: `""`_
@@ -216,7 +211,7 @@ Example:
 ##### `insecureSkipVerify`
 _Optional, Default: `false`_
-When `useTLS` is enabled, the connection to the LDAP server is verified to be secure. This option allows `ldapAuth` to proceed and operate even for server connections otherwise considered insecure.
+When connecting to a `ldaps` server or `startTLS` is enabled, the connection to the LDAP server is verified to be secure. This option allows `ldapAuth` to proceed and operate even for server connections otherwise considered insecure.
 ##### `attribute`