Support used self-signed certificates LDAP.

[liweiv]

support used self-signed certificates LDAP. #1277

[srenatus]

❓ Wouldn't this mostly match the RootCA? I'm not sure I understand the usecase where it differs. Can you please elaborate?

[liweiv]

If ldap server setting verify client cert is true, only setting RootCA cannot work.

[srenatus]

[nit] Can we make that // Path (with a space)?

[srenatus]

@veily Thanks for your contribution 😃

[srenatus]

Thanks for renaming that, I was quite confused 😉

[srenatus]

Can we remove the "self-signed" there? I don't think it is necessary to have self-signed cert here.

[liweiv]

Sorry, I am not clear enough. The self-signed certificate is not dex. The ldap server uses a self-signed certificate (RootCA, server cert) and opens the certificate for the client. In this case, if dex Ability to authenticate client certificates through the ldap server, should use client certificates generated by the Ldap server RootCA

[liweiv]

http://www.openldap.org/doc/admin24/tls.html

16.1.2. Client Certificates
The DN of a client certificate can be used directly as an authentication DN.
...

[liweiv]

without the client certificates, dex all requests to ldap server will be rejected.

[liweiv]

Used for LDAP server that used self-signed certificates (RootCA, server cert) and setting TLS verify client. In this case, dex should use the client certificates generated by the Ldap server RootCA.
Without the client certificates, dex all requests to ldap server will be rejected.

http://www.openldap.org/doc/admin24/tls.html

16.1.2. Client Certificates
The DN of a client certificate can be used directly as an authentication DN.
...

[srenatus]

One last nitpick -- then I'd be ok with merging this.

I think this would benefit from having a test case added. The existing ldap connector tests start their own slapd instance (that's openldap's server), and test different connection methods. I suppose the one added here (using a client cert) could be a good addition.

However, I don't think this has to block this PR. If you feel like the extra tests are too much, we can create an issue for that, an tackle it later.

[srenatus]

[nit] Can we please make that

fmt.Errorf("ldap: load client cert failed: %v", err)

just to be in line with the updated comment (thanks, btw), and the other error printouts above?

[srenatus]

LGTM. We can expand our tests in a follow-up.

[ericchiang]

FYI there are commits that aren't attributed to the author of this PR. Please squash.

[srenatus]

@veily If you need help squashing commits, let me know! Once squashed, and having only you as author, we'll get this in 🎉

[liweiv]

@srenatus Okay, How squash ? In addition, I used different git username during the completion of this PR, this is my mistake.

[srenatus]

Ah, I see. Could you please squash and do a force push onto your branch (the one from this pr)? We could then merge it using the normal "merge" button on github. Just to be in line with how we normally merge things.

[srenatus]

Update Sorry I was on mobile and hadn't read your reply properly. This is what you'd do in your checkout:

$ git checkout master # just to be sure
$ git rebase -i origin/master # this will open an editor, where you replace the 'pick' with 'squash' in all lines except the first one
$ git commit --amend --no-edit --reset-author # ensure the commit author matches your github settings
$ git push --force YOUR_REMOTE_NAME master

Note that the last line's YOUR_REMOTE_NAME needs to match your remote's name in your local checkout. You can find that in git remote -v, the lines with [email protected]:veily/dex.

[liweiv]

@srenatus Thanks, I has squashed commits under your guidance.

[srenatus]

Thank you! :)