sources/ldap: add configuration for LDAP Source ciphers
closes #3110 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
23273f53cc
commit
1c64616ebd
|
@ -1,3 +1,4 @@
|
||||||
|
# update website/docs/installation/configuration.md
|
||||||
# This is the default configuration file
|
# This is the default configuration file
|
||||||
postgresql:
|
postgresql:
|
||||||
host: localhost
|
host: localhost
|
||||||
|
@ -57,6 +58,10 @@ outposts:
|
||||||
container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
|
container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
|
||||||
discover: true
|
discover: true
|
||||||
|
|
||||||
|
ldap:
|
||||||
|
tls:
|
||||||
|
ciphers: null
|
||||||
|
|
||||||
cookie_domain: null
|
cookie_domain: null
|
||||||
disable_update_check: false
|
disable_update_check: false
|
||||||
disable_startup_analytics: false
|
disable_startup_analytics: false
|
||||||
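Review bot: The new `ldap.tls.ciphers: null` key in the default configuration carries no hint of what value it expects, and the default file already documents itself with `#` comments at the top. A comment directly above the key, such as `# Optional OpenSSL cipher string applied to every LDAP source's TLS connection; null keeps the library default`, would state the contract where operators first see it. The docs hunk in this commit is otherwise the only place that explains the setting.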
|
|
|
@ -8,6 +8,7 @@ from rest_framework.serializers import Serializer
|
||||||
|
|
||||||
from authentik.core.models import Group, PropertyMapping, Source
|
from authentik.core.models import Group, PropertyMapping, Source
|
||||||
from authentik.crypto.models import CertificateKeyPair
|
from authentik.crypto.models import CertificateKeyPair
|
||||||
|
from authentik.lib.config import CONFIG
|
||||||
from authentik.lib.models import DomainlessURLValidator
|
from authentik.lib.models import DomainlessURLValidator
|
||||||
|
|
||||||
LDAP_TIMEOUT = 15
|
LDAP_TIMEOUT = 15
|
||||||
|
@ -109,13 +110,16 @@ class LDAPSource(Source):
|
||||||
def server(self) -> Server:
|
def server(self) -> Server:
|
||||||
"""Get LDAP Server/ServerPool"""
|
"""Get LDAP Server/ServerPool"""
|
||||||
servers = []
|
servers = []
|
||||||
tls = Tls()
|
tls_kwargs = {}
|
||||||
if self.peer_certificate:
|
if self.peer_certificate:
|
||||||
tls = Tls(ca_certs_data=self.peer_certificate.certificate_data, validate=CERT_REQUIRED)
|
tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data
|
||||||
|
tls_kwargs["validate"] = CERT_REQUIRED
|
||||||
|
if ciphers := CONFIG.y("ldap.tls.ciphers", None):
|
||||||
|
tls_kwargs["ciphers"] = ciphers.strip()
|
||||||
kwargs = {
|
kwargs = {
|
||||||
"get_info": ALL,
|
"get_info": ALL,
|
||||||
"connect_timeout": LDAP_TIMEOUT,
|
"connect_timeout": LDAP_TIMEOUT,
|
||||||
"tls": tls,
|
"tls": Tls(**tls_kwargs),
|
||||||
}
|
}
|
||||||
if "," in self.server_uri:
|
if "," in self.server_uri:
|
||||||
for server in self.server_uri.split(","):
|
for server in self.server_uri.split(","):
|
||||||
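Review bot: A whitespace-only `ldap.tls.ciphers` value passes the truthiness test on the `if ciphers := CONFIG.y("ldap.tls.ciphers", None):` line and is only stripped afterwards, so `Tls(ciphers="")` is built instead of the library default, and how ldap3 treats an empty cipher string is not visible here. Normalising first removes the case: `ciphers = (CONFIG.y("ldap.tls.ciphers", None) or "").strip()` followed by `if ciphers:` and `tls_kwargs["ciphers"] = ciphers`. The same line also assumes the configured value is a string; a non-string YAML value would fail on `.strip()` with an AttributeError, which is presumably an acceptable configuration error but deserves a note. Since the docstring still only says "Get LDAP Server/ServerPool", a why-comment on the new lines such as `# Global cipher string for all LDAP sources; empty/null keeps the ldap3 default` would help the next reader. `server()` continues past the end of the hunk.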
|
|
|
@ -211,6 +211,16 @@ The setting can be used as follows:
|
||||||
AUTHENTIK_FOOTER_LINKS='[{"name": "Link Name","href":"https://goauthentik.io"}]'
|
AUTHENTIK_FOOTER_LINKS='[{"name": "Link Name","href":"https://goauthentik.io"}]'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### AUTHENTIK_LDAP**TLS**CIPHERS:
|
||||||
|
|
||||||
|
:::info
|
||||||
|
Requires authentik 2022.7
|
||||||
|
:::
|
||||||
|
|
||||||
|
Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources.
|
||||||
|
|
||||||
|
Defaults to `null`.
|
||||||
|
|
||||||
## Debugging
|
## Debugging
|
||||||
|
|
||||||
To check if your config has been applied correctly, you can run the following command to output the full config:
|
To check if your config has been applied correctly, you can run the following command to output the full config:
|
||||||
|
|
|
@ -75,6 +75,6 @@ return True
|
||||||
Requires authentik 2022.7
|
Requires authentik 2022.7
|
||||||
:::
|
:::
|
||||||
|
|
||||||
When a client does not request any scopes, authentik will treat the request as if all configured scopes were requrested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.
|
When a client does not request any scopes, authentik will treat the request as if all configured scopes were requested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.
|
||||||
|
|
||||||
This does _not_ apply to special scopes, as those are not configurable in the provider.
|
This does _not_ apply to special scopes, as those are not configurable in the provider.
|
||||||
|
|