LDAP plugin: rename flag ldap-cacert to ldap-ca-cert-file, new flag ldap-insecure-skip-verify

everesio · everesio · commit d1f92e45b6e9 · 2020-10-12T01:04:16.000+02:00
diff --git a/cmd/plugin-auth-ldap/README.md b/cmd/plugin-auth-ldap/README.md
@@ -13,7 +13,7 @@ build/kafka-proxy server \
             --auth-local-enable  \
             --auth-local-command=build/auth-ldap  \
             --auth-local-param=--url=ldap://localhost:389  \
-            --auth-local-param=--ldap-cacerts=/certs/ldap/pem  \
+            --auth-local-param=--ldap-ca-cert-file=/certs/ldap/ca-cert-file.pem  \
             --auth-local-param=--start-tls=false \
             --auth-local-param=--search-ldap \
             --auth-local-param=--bind-dn=cn=admin,dc=example,dc=org  \
@@ -25,8 +25,8 @@ build/kafka-proxy server \
 Setting the flag `--search-ldap` will search the user dn in LDAP, even if `--bind-dn` is not given. This is for LDAP
 installations that don't need a bind before allowing readonly actions.(and therefore don't have a readony user)
 
-If `--ldap-cacerts` is set, a (chain of) certificates in PEM format needed to verify the LDAP server's identity
-is read from the file given. If the flag ist not set, TLS verification will be skipped
+If `--ldap-ca-cert-file` is set, a (chain of) certificates in PEM format needed to verify the LDAP server's identity
+is read from the file given. If the flag ist not set, TLS verification can be skipped if `ldap-insecure-skip-verify` flag is true.
  
 
 
diff --git a/cmd/plugin-auth-ldap/main.go b/cmd/plugin-auth-ldap/main.go
@@ -194,12 +194,13 @@ func (pa LdapAuthenticator) DialLDAP() (*ldap.Conn, error) {
 }
 
 type pluginMeta struct {
-	url       string
-	cacert    string
-	startTLS  bool
-	upnDomain string
-	userDN    string
-	userAttr  string
+	url                string
+	caCertFile         string
+	insecureSkipVerify bool
+	startTLS           bool
+	upnDomain          string
+	userDN             string
+	userAttr           string
 
 	searchLDAP     bool
 	bindDN         string
@@ -212,7 +213,8 @@ func (f *pluginMeta) flagSet() *flag.FlagSet {
 	fs := flag.NewFlagSet("auth plugin settings", flag.ContinueOnError)
 
 	fs.StringVar(&f.url, "url", "", "LDAP URL to connect to (eg: ldaps://127.0.0.1:636). Multiple URLs can be specified by concatenating them with commas.")
-	fs.StringVar(&f.cacert, "ldap-cacert", "", "X509 CA certificate (PEM) to verify peer against")
+	fs.StringVar(&f.caCertFile, "ldap-ca-cert-file", "", "X509 CA certificate (PEM) to verify peer against")
+	fs.BoolVar(&f.insecureSkipVerify, "ldap-insecure-skip-verify", false, "It controls whether a client verifies the server's certificate chain and host name")
 	fs.BoolVar(&f.startTLS, "start-tls", true, "Issue a StartTLS command after establishing unencrypted connection (optional)")
 	fs.StringVar(&f.upnDomain, "upn-domain", "", "Enables userPrincipalDomain login with [username]@UPNDomain (optional)")
 	fs.StringVar(&f.userDN, "user-dn", "", "LDAP domain to use for users (eg: cn=users,dc=example,dc=org)")
@@ -283,7 +285,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	tlsConfig, err := getTlsConfig(pluginMeta.cacert)
+	tlsConfig, err := getTlsConfig(pluginMeta.caCertFile, pluginMeta.insecureSkipVerify)
 	if err != nil {
 		logrus.Errorf("error %v getting TLS config", err)
 		os.Exit(1)
@@ -311,9 +313,9 @@ func main() {
 	})
 }
 
-func getTlsConfig(caCertFile string) (*tls.Config, error) {
+func getTlsConfig(caCertFile string, insecureSkipVerify bool) (*tls.Config, error) {
 	if caCertFile == "" {
-		return &tls.Config{InsecureSkipVerify: true}, nil
+		return &tls.Config{InsecureSkipVerify: insecureSkipVerify}, nil
 	} else {
 		certData, err := ioutil.ReadFile(caCertFile)
 		if err != nil {
