connector/ldap: support the StartTLS flow for secure connections

When connecting to an LDAP server, there are three ways to connect: 1. Insecurely through port 389 (LDAP). 2. Securely through port 696 (LDAPS). 3. Insecurely through port 389 then negotiate TLS (StartTLS). This PR adds support for the 3rd flow, letting dex connect to the standard LDAP port then negotiating TLS through the LDAP protocol itself. See a writeup here: http://www.openldap.org/faq/data/cache/185.html
2017-04-12 14:13:34 -07:00
parent 9b0af83604
commit 74f5eaf47e
8 changed files with 334 additions and 27 deletions
--- a/connector/ldap/gen-certs.sh
+++ b/connector/ldap/gen-certs.sh
@@ -0,0 +1,49 @@
+#!/bin/bash -e
+
+# Stolen from the coreos/matchbox repo.
+
+echo "
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.101 = localhost
+" > openssl.config
+
+openssl genrsa -out testdata/ca.key 2048
+openssl genrsa -out testdata/server.key 2048
+
+openssl req \
+    -x509 -new -nodes \
+    -key testdata/ca.key \
+    -days 10000 -out testdata/ca.crt \
+    -subj "/CN=ldap-tests"
+
+openssl req \
+	-new \
+	-key testdata/server.key \
+	-out testdata/server.csr \
+	-subj "/CN=localhost" \
+	-config openssl.config
+
+openssl x509 -req \
+	-in testdata/server.csr \
+	-CA testdata/ca.crt \
+	-CAkey testdata/ca.key \
+	-CAcreateserial \
+	-out testdata/server.crt \
+	-days 10000 \
+	-extensions v3_req \
+	-extfile openssl.config
+
+rm testdata/server.csr
+rm testdata/ca.srl
+rm openssl.config