sources/ldap: add configuration for LDAP Source ciphers

closes #3110 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-01 19:53:49 +02:00 · 2022-07-01 19:53:49 +02:00 · 1c64616ebd
parent 23273f53cc
commit 1c64616ebd
4 changed files with 23 additions and 4 deletions
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -1,3 +1,4 @@
+# update website/docs/installation/configuration.md
 # This is the default configuration file
 postgresql:
  host: localhost
@ -57,6 +58,10 @@ outposts:
  container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
  discover: true

+ldap:
+  tls:
+    ciphers: null
+
 cookie_domain: null
 disable_update_check: false
 disable_startup_analytics: false
--- a/authentik/sources/ldap/models.py
+++ b/authentik/sources/ldap/models.py
@ -8,6 +8,7 @@ from rest_framework.serializers import Serializer

 from authentik.core.models import Group, PropertyMapping, Source
 from authentik.crypto.models import CertificateKeyPair
+from authentik.lib.config import CONFIG
 from authentik.lib.models import DomainlessURLValidator

 LDAP_TIMEOUT = 15
@ -109,13 +110,16 @@ class LDAPSource(Source):
    def server(self) -> Server:
        """Get LDAP Server/ServerPool"""
        servers = []
-        tls = Tls()
+        tls_kwargs = {}
        if self.peer_certificate:
-            tls = Tls(ca_certs_data=self.peer_certificate.certificate_data, validate=CERT_REQUIRED)
+            tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data
+            tls_kwargs["validate"] = CERT_REQUIRED
+        if ciphers := CONFIG.y("ldap.tls.ciphers", None):
+            tls_kwargs["ciphers"] = ciphers.strip()
        kwargs = {
            "get_info": ALL,
            "connect_timeout": LDAP_TIMEOUT,
-            "tls": tls,
+            "tls": Tls(**tls_kwargs),
        }
        if "," in self.server_uri:
            for server in self.server_uri.split(","):
--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@ -211,6 +211,16 @@ The setting can be used as follows:
 AUTHENTIK_FOOTER_LINKS='[{"name": "Link Name","href":"https://goauthentik.io"}]'
 ```

+### AUTHENTIK_LDAP**TLS**CIPHERS:
+
+:::info
+Requires authentik 2022.7
+:::
+
+Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources.
+
+Defaults to `null`.
+
 ## Debugging

 To check if your config has been applied correctly, you can run the following command to output the full config:
--- a/website/docs/providers/oauth2/index.md
+++ b/website/docs/providers/oauth2/index.md
@ -75,6 +75,6 @@ return True
 Requires authentik 2022.7
 :::

-When a client does not request any scopes, authentik will treat the request as if all configured scopes were requrested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.
+When a client does not request any scopes, authentik will treat the request as if all configured scopes were requested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.

 This does _not_ apply to special scopes, as those are not configurable in the provider.