feat(ldap): add option to load ldap from file

Signed-off-by: Laurentiu Niculae <[email protected]>

Author: laurentiuNiculae

examples/config-ldap-credentials.json

@@ -0,0 +1,4 @@
+{
+    "bindDN":"cn=ldap-searcher,ou=Users,dc=example,dc=org",
+    "bindPassword":"ldap-searcher-password"
+}

examples/config-ldap.json

@@ -13,6 +13,7 @@
       },
       "auth": {
         "ldap": {
+          "credentialsFile": "",
           "address": "ldap.example.org",
           "port": 389,
           "startTLS": false,

pkg/api/authn.go

@@ -266,9 +266,9 @@ func (amw *AuthnMiddleware) tryAuthnHandlers(ctlr *Controller) mux.MiddlewareFun
 			UseSSL:             !ldapConfig.Insecure,
 			SkipTLS:            !ldapConfig.StartTLS,
 			Base:               ldapConfig.BaseDN,
-			BindDN:             ldapConfig.BindDN,
+			BindDN:             ldapConfig.BindDN(),
+			BindPassword:       ldapConfig.BindPassword(),
 			UserGroupAttribute: ldapConfig.UserGroupAttribute, // from config
-			BindPassword:       ldapConfig.BindPassword,
 			UserFilter:         fmt.Sprintf("(%s=%%s)", ldapConfig.UserAttribute),
 			InsecureSkipVerify: ldapConfig.SkipVerify,
 			ServerName:         ldapConfig.Address,

pkg/api/config/config.go

@@ -121,21 +121,48 @@ type SchedulerConfig struct {
 	NumWorkers int
 }
 
+type LDAPCredentials struct {
+	BindDN       string
+	BindPassword string
+}
+
 type LDAPConfig struct {
+	CredentialsFile    string
+	Unauthenticated    bool
 	Port               int
 	Insecure           bool
 	StartTLS           bool // if !Insecure, then StartTLS or LDAPs
 	SkipVerify         bool
 	SubtreeSearch      bool
 	Address            string
-	BindDN             string
+	bindDN             string `json:"-"`
+	bindPassword       string `json:"-"`
 	UserGroupAttribute string
-	BindPassword       string
 	BaseDN             string
 	UserAttribute      string
 	CACert             string
 }
 
+func (ldapConf *LDAPConfig) BindDN() string {
+	return ldapConf.bindDN
+}
+
+func (ldapConf *LDAPConfig) SetBindDN(bindDN string) *LDAPConfig {
+	ldapConf.bindDN = bindDN
+
+	return ldapConf
+}
+
+func (ldapConf *LDAPConfig) BindPassword() string {
+	return ldapConf.bindPassword
+}
+
+func (ldapConf *LDAPConfig) SetBindPassword(bindPassword string) *LDAPConfig {
+	ldapConf.bindPassword = bindPassword
+
+	return ldapConf
+}
+
 type LogConfig struct {
 	Level  string
 	Output string
@@ -266,14 +293,14 @@ func (c *Config) Sanitize() *Config {
 		panic(err)
 	}
 
-	if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.BindPassword != "" {
+	if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.bindPassword != "" {
 		sanitizedConfig.HTTP.Auth.LDAP = &LDAPConfig{}
 
 		if err := DeepCopy(c.HTTP.Auth.LDAP, sanitizedConfig.HTTP.Auth.LDAP); err != nil {
 			panic(err)
 		}
 
-		sanitizedConfig.HTTP.Auth.LDAP.BindPassword = "******"
+		sanitizedConfig.HTTP.Auth.LDAP.bindPassword = "******"
 	}
 
 	return sanitizedConfig

pkg/api/config/config_test.go

@@ -69,11 +69,11 @@ func TestConfig(t *testing.T) {
 	Convey("Test DeepCopy() & Sanitize()", t, func() {
 		conf := config.New()
 		So(conf, ShouldNotBeNil)
-		authConfig := &config.AuthConfig{LDAP: &config.LDAPConfig{BindPassword: "oina"}}
+		authConfig := &config.AuthConfig{LDAP: (&config.LDAPConfig{}).SetBindPassword("oina")}
 		conf.HTTP.Auth = authConfig
 		So(func() { conf.Sanitize() }, ShouldNotPanic)
 		conf = conf.Sanitize()
-		So(conf.HTTP.Auth.LDAP.BindPassword, ShouldEqual, "******")
+		So(conf.HTTP.Auth.LDAP.BindPassword(), ShouldEqual, "******")
 
 		// negative
 		obj := make(chan int)