diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
index 053e3caa2..948600922 100644
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -1,3 +1,4 @@
+# update website/docs/installation/configuration.md
 # This is the default configuration file
 postgresql:
 host: localhost
@@ -57,6 +58,10 @@ outposts:
 container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
 discover: true
+ldap:
+ tls:
+ ciphers: null
+
 cookie_domain: null
 disable_update_check: false
 disable_startup_analytics: false
diff --git a/authentik/sources/ldap/models.py b/authentik/sources/ldap/models.py
index 99540da05..a6cb1a283 100644
--- a/authentik/sources/ldap/models.py
+++ b/authentik/sources/ldap/models.py
@@ -8,6 +8,7 @@ from rest_framework.serializers import Serializer
 from authentik.core.models import Group, PropertyMapping, Source
 from authentik.crypto.models import CertificateKeyPair
+from authentik.lib.config import CONFIG
 from authentik.lib.models import DomainlessURLValidator
 LDAP_TIMEOUT = 15
@@ -109,13 +110,16 @@ class LDAPSource(Source):
 def server(self) -> Server:
 """Get LDAP Server/ServerPool"""
 servers = []
- tls = Tls()
+ tls_kwargs = {}
 if self.peer_certificate:
- tls = Tls(ca_certs_data=self.peer_certificate.certificate_data, validate=CERT_REQUIRED)
+ tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data
+ tls_kwargs["validate"] = CERT_REQUIRED
+ if ciphers := CONFIG.y("ldap.tls.ciphers", None):
+ tls_kwargs["ciphers"] = ciphers.strip()
 kwargs = {
 "get_info": ALL,
 "connect_timeout": LDAP_TIMEOUT,
- "tls": tls,
+ "tls": Tls(**tls_kwargs),
 }
 if "," in self.server_uri:
 for server in self.server_uri.split(","):
diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md
index da6fe8253..9273fbd4e 100644
--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
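Review bot: The cipher string read on the `if ciphers := CONFIG.y("ldap.tls.ciphers", None)` line in `server()` is handed to `Tls(ciphers=...)` without any validation, so a typo in `AUTHENTIK_LDAP__TLS__CIPHERS` is only noticed when an LDAP source next connects — and depending on how ldap3 applies `set_ciphers` internally (not visible here), an unparseable OpenSSL cipher list may either break every bind or be quietly dropped back to library defaults, which is the worse outcome for a setting whose whole purpose is to restrict ciphers. Because the value is global to every LDAP source, I would validate it eagerly against a throwaway `ssl.SSLContext` and fail loudly (this needs `import ssl` at the top of the file; `ImproperlyConfigured` would be a reasonable alternative to `ValueError`), and coerce with `str()` before `.strip()` so a non-string YAML value does not surface as an `AttributeError`. Separately, a one-line comment on `tls_kwargs = {}` such as `# without peer_certificate this is ldap3's default Tls(), i.e. the server certificate is presumably not validated` would make the unchanged trust model explicit to the next reader. `server()` continues past the end of the hunk.
```python
        # … unchanged: peer_certificate -> ca_certs_data / CERT_REQUIRED …
        if ciphers := CONFIG.y("ldap.tls.ciphers", None):
            ciphers = str(ciphers).strip()
            try:
                # Reject an unparseable cipher list here rather than letting the
                # LDAP library decide per connection whether to error or ignore it.
                ssl.create_default_context().set_ciphers(ciphers)
            except ssl.SSLError as exc:
                raise ValueError(
                    f"ldap.tls.ciphers is not a valid OpenSSL cipher list: {ciphers!r}"
                ) from exc
            tls_kwargs["ciphers"] = ciphers
        # … unchanged: kwargs / Tls(**tls_kwargs) / server list …
```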
@@ -211,6 +211,16 @@ The setting can be used as follows:
 AUTHENTIK_FOOTER_LINKS='[{"name": "Link Name","href":"https://goauthentik.io"}]'
 ```
+### AUTHENTIK_LDAP**TLS**CIPHERS:
+
+:::info
+Requires authentik 2022.7
+:::
+
+Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources.
+
+Defaults to `null`.
+
 ## Debugging
 To check if your config has been applied correctly, you can run the following command to output the full config:
diff --git a/website/docs/providers/oauth2/index.md b/website/docs/providers/oauth2/index.md
index cfd012aa3..0eba63765 100644
--- a/website/docs/providers/oauth2/index.md
+++ b/website/docs/providers/oauth2/index.md
@@ -75,6 +75,6 @@ return True
 Requires authentik 2022.7
 :::
-When a client does not request any scopes, authentik will treat the request as if all configured scopes were requrested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.
+When a client does not request any scopes, authentik will treat the request as if all configured scopes were requested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.
 This does _not_ apply to special scopes, as those are not configurable in the provider.