add LDAP StartTLS support (#9472)

2025-11-08 21:24:55 -05:00 · 2020-05-08 00:08:33 +02:00
parent 518ef670da
commit 0674c0075e
2 changed files with 28 additions and 2 deletions
--- a/cmd/config/identity/ldap/config.go
+++ b/cmd/config/identity/ldap/config.go
@@ -58,6 +58,7 @@ type Config struct {
 	stsExpiryDuration time.Duration // contains converted value
 	tlsSkipVerify     bool          // allows skipping TLS verification
 	serverInsecure    bool          // allows plain text connection to LDAP Server
+	serverStartTLS    bool          // allows plain text connection to LDAP Server
 	rootCAs           *x509.CertPool
 }

@@ -73,11 +74,13 @@ const (
 	GroupSearchBaseDN    = "group_search_base_dn"
 	TLSSkipVerify        = "tls_skip_verify"
 	ServerInsecure       = "server_insecure"
+	ServerStartTLS       = "server_starttls"

 	EnvServerAddr           = "MINIO_IDENTITY_LDAP_SERVER_ADDR"
 	EnvSTSExpiry            = "MINIO_IDENTITY_LDAP_STS_EXPIRY"
 	EnvTLSSkipVerify        = "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"
 	EnvServerInsecure       = "MINIO_IDENTITY_LDAP_SERVER_INSECURE"
+	EnvServerStartTLS       = "MINIO_IDENTITY_LDAP_SERVER_STARTTLS"
 	EnvUsernameFormat       = "MINIO_IDENTITY_LDAP_USERNAME_FORMAT"
 	EnvUsernameSearchFilter = "MINIO_IDENTITY_LDAP_USERNAME_SEARCH_FILTER"
 	EnvUsernameSearchBaseDN = "MINIO_IDENTITY_LDAP_USERNAME_SEARCH_BASE_DN"
@@ -129,6 +132,10 @@ var (
 			Key:   ServerInsecure,
 			Value: config.EnableOff,
 		},
+		config.KV{
+			Key:   ServerStartTLS,
+			Value: config.EnableOff,
+		},
 	}
 )

@@ -257,6 +264,18 @@ func (l *Config) Connect() (ldapConn *ldap.Conn, err error) {
 		return ldap.Dial("tcp", l.ServerAddr)
 	}

+	if l.serverStartTLS {
+		conn, err := ldap.Dial("tcp", l.ServerAddr)
+		if err != nil {
+			return nil, err
+		}
+		err = conn.StartTLS(&tls.Config{
+			InsecureSkipVerify: l.tlsSkipVerify,
+			RootCAs:            l.rootCAs,
+		})
+		return conn, err
+	}
+
 	return ldap.DialTLS("tcp", l.ServerAddr, &tls.Config{
 		InsecureSkipVerify: l.tlsSkipVerify,
 		RootCAs:            l.rootCAs,
@@ -303,6 +322,12 @@ func Lookup(kvs config.KVS, rootCAs *x509.CertPool) (l Config, err error) {
 			return l, err
 		}
 	}
+	if v := env.Get(EnvServerStartTLS, kvs.Get(ServerStartTLS)); v != "" {
+		l.serverStartTLS, err = config.ParseBool(v)
+		if err != nil {
+			return l, err
+		}
+	}
 	if v := env.Get(EnvTLSSkipVerify, kvs.Get(TLSSkipVerify)); v != "" {
 		l.tlsSkipVerify, err = config.ParseBool(v)
 		if err != nil {