From ff13b4bb4692536cbdb310112a2201b254e930bf Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 28 Dec 2022 19:15:29 +0100
Subject: [PATCH] outposts/ldap: use configured certificate for LDAPS when all
 providers' certificates are identical

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 internal/outpost/ldap/instance.go | 1 +
 internal/outpost/ldap/ldap_tls.go | 8 ++++++++
 internal/outpost/ldap/refresh.go  | 4 ++--
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/internal/outpost/ldap/instance.go b/internal/outpost/ldap/instance.go
index 4ab8ab9a5..1d98ef1df 100644
--- a/internal/outpost/ldap/instance.go
+++ b/internal/outpost/ldap/instance.go
@@ -34,6 +34,7 @@ type ProviderInstance struct {
 
 	tlsServerName       *string
 	cert                *tls.Certificate
+	certUUID            string
 	outpostName         string
 	outpostPk           int32
 	searchAllowedGroups []*strfmt.UUID
diff --git a/internal/outpost/ldap/ldap_tls.go b/internal/outpost/ldap/ldap_tls.go
index 764ec086a..e46a28090 100644
--- a/internal/outpost/ldap/ldap_tls.go
+++ b/internal/outpost/ldap/ldap_tls.go
@@ -15,6 +15,7 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
 			return ls.providers[0].cert, nil
 		}
 	}
+	allIdenticalCerts := true
 	for _, provider := range ls.providers {
 		if provider.tlsServerName == &info.ServerName {
 			if provider.cert == nil {
@@ -23,6 +24,13 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
 			}
 			return provider.cert, nil
 		}
+		if provider.certUUID != ls.providers[0].certUUID {
+			allIdenticalCerts = false
+		}
+	}
+	if allIdenticalCerts {
+		ls.log.WithField("server-name", info.ServerName).Debug("all providers have the same keypair, using keypair")
+		return ls.providers[0].cert, nil
 	}
 	ls.log.WithField("server-name", info.ServerName).Debug("Fallback to default cert")
 	return ls.defaultCert, nil
diff --git a/internal/outpost/ldap/refresh.go b/internal/outpost/ldap/refresh.go
index 57fc60e3f..34067a876 100644
--- a/internal/outpost/ldap/refresh.go
+++ b/internal/outpost/ldap/refresh.go
@@ -70,13 +70,13 @@ func (ls *LDAPServer) Refresh() error {
 			outpostName:         ls.ac.Outpost.Name,
 			outpostPk:           provider.Pk,
 		}
-		if provider.Certificate.Get() != nil {
-			kp := provider.Certificate.Get()
+		if kp := provider.Certificate.Get(); kp != nil {
 			err := ls.cs.AddKeypair(*kp)
 			if err != nil {
 				ls.log.WithError(err).Warning("Failed to initially fetch certificate")
 			}
 			providers[idx].cert = ls.cs.Get(*kp)
+			providers[idx].certUUID = *kp
 		}
 		if *provider.SearchMode.Ptr() == api.LDAPAPIACCESSMODE_CACHED {
 			providers[idx].searcher = memorysearch.NewMemorySearcher(providers[idx])