sources/ldap: add configuration for LDAP Source ciphers

closes #3110

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-07-01 19:53:49 +02:00
parent 23273f53cc
commit 1c64616ebd
4 changed files with 23 additions and 4 deletions

@ -1,3 +1,4 @@
# update website/docs/installation/configuration.md
# This is the default configuration file # This is the default configuration file
postgresql: postgresql:
host: localhost host: localhost
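Review bot: the new top-of-file comment `# update website/docs/installation/configuration.md` reads as a bare path rather than an instruction, so its intent (keep the docs page in sync when options are added here) is easy to miss; phrase it as one, e.g. `# When adding or changing options here, also update website/docs/installation/configuration.md`.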
@ -57,6 +58,10 @@ outposts:
container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
discover: true discover: true
ldap:
tls:
ciphers: null
cookie_domain: null cookie_domain: null
disable_update_check: false disable_update_check: false
disable_startup_analytics: false disable_startup_analytics: false
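Review bot: the new `ldap.tls.ciphers` key defaults to `null`, and the matching code path only passes `ciphers` to `Tls` when the value is set, so the library/OpenSSL default cipher list stays in effect unless an operator overrides it; that is the right default (no weakening of TLS out of the box), but the docs entry should state the behaviour of `null` explicitly and name the expected value format (an OpenSSL cipher string) rather than only "Defaults to `null`".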

@ -8,6 +8,7 @@ from rest_framework.serializers import Serializer
from authentik.core.models import Group, PropertyMapping, Source from authentik.core.models import Group, PropertyMapping, Source
from authentik.crypto.models import CertificateKeyPair from authentik.crypto.models import CertificateKeyPair
from authentik.lib.config import CONFIG
from authentik.lib.models import DomainlessURLValidator from authentik.lib.models import DomainlessURLValidator
LDAP_TIMEOUT = 15 LDAP_TIMEOUT = 15
@ -109,13 +110,16 @@ class LDAPSource(Source):
def server(self) -> Server: def server(self) -> Server:
"""Get LDAP Server/ServerPool""" """Get LDAP Server/ServerPool"""
servers = [] servers = []
tls = Tls() tls_kwargs = {}
if self.peer_certificate: if self.peer_certificate:
tls = Tls(ca_certs_data=self.peer_certificate.certificate_data, validate=CERT_REQUIRED) tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data
tls_kwargs["validate"] = CERT_REQUIRED
if ciphers := CONFIG.y("ldap.tls.ciphers", None):
tls_kwargs["ciphers"] = ciphers.strip()
kwargs = { kwargs = {
"get_info": ALL, "get_info": ALL,
"connect_timeout": LDAP_TIMEOUT, "connect_timeout": LDAP_TIMEOUT,
"tls": tls, "tls": Tls(**tls_kwargs),
} }
if "," in self.server_uri: if "," in self.server_uri:
for server in self.server_uri.split(","): for server in self.server_uri.split(","):
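Review bot: the truthiness check in `if ciphers := CONFIG.y("ldap.tls.ciphers", None):` runs before `.strip()`, so a value consisting only of whitespace passes the check and `tls_kwargs["ciphers"]` becomes the empty string, which is then handed to ldap3 and only surfaces (as a failed or silently unconstrained TLS handshake) when the first LDAPS/StartTLS connection is attempted rather than at configuration time. Strip first, then test: `ciphers = (CONFIG.y("ldap.tls.ciphers", None) or "").strip()` followed by `if ciphers: tls_kwargs["ciphers"] = ciphers`. Separately, since this reads global config the cipher list applies to every LDAP source, not to the one `LDAPSource` instance `server()` is called on; the commit title says "LDAP Source ciphers", so a short comment here would stop a reader from assuming a per-source setting.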

@ -211,6 +211,16 @@ The setting can be used as follows:
AUTHENTIK_FOOTER_LINKS='[{"name": "Link Name","href":"https://goauthentik.io"}]' AUTHENTIK_FOOTER_LINKS='[{"name": "Link Name","href":"https://goauthentik.io"}]'
``` ```
### AUTHENTIK_LDAP**TLS**CIPHERS:
:::info
Requires authentik 2022.7
:::
Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources.
Defaults to `null`.
## Debugging ## Debugging
To check if your config has been applied correctly, you can run the following command to output the full config: To check if your config has been applied correctly, you can run the following command to output the full config:
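Review bot: the heading `### AUTHENTIK_LDAP**TLS**CIPHERS:` has had its double underscores rendered as bold markers, so the displayed name no longer matches the environment variable the config loader actually reads (`AUTHENTIK_LDAP__TLS__CIPHERS`); wrap the name in backticks or escape the underscores, and drop the trailing colon to match the other headings in this file. Also "Cliphers" is a typo for "Ciphers", and the description should say what the value is (an OpenSSL cipher string passed through to ldap3's `Tls(ciphers=...)`) and that `null` leaves the library default cipher list in place.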

@ -75,6 +75,6 @@ return True
Requires authentik 2022.7 Requires authentik 2022.7
::: :::
When a client does not request any scopes, authentik will treat the request as if all configured scopes were requrested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there. When a client does not request any scopes, authentik will treat the request as if all configured scopes were requested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.
This does _not_ apply to special scopes, as those are not configurable in the provider. This does _not_ apply to special scopes, as those are not configurable in the provider.
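Review bot: this hunk is a spelling fix (from "requrested" to "requested") in an unrelated OAuth2 provider docs page; harmless, but it has nothing to do with LDAP cipher configuration and would be easier to trace as its own commit, or at least deserves a mention in the commit message.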