ldap: Add mTLS authentication support to LDAP backend

plaes · plaes · commit 7ac0ec38cec5 · 2025-12-26T21:03:59.000+02:00
diff --git a/internal/bootstrap/service_bootstrap.go b/internal/bootstrap/service_bootstrap.go
@@ -37,6 +37,8 @@ func (app *BootstrapApp) initServices() (Services, error) {
 		BaseDN:       app.config.Ldap.BaseDN,
 		Insecure:     app.config.Ldap.Insecure,
 		SearchFilter: app.config.Ldap.SearchFilter,
+		AuthCert:     app.config.Ldap.AuthCert,
+		AuthKey:      app.config.Ldap.AuthKey,
 	})
 
 	err = ldapService.Init()
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -66,6 +66,8 @@ type LdapConfig struct {
 	BaseDN       string `description:"Base DN for LDAP searches." yaml:"baseDn"`
 	Insecure     bool   `description:"Allow insecure LDAP connections." yaml:"insecure"`
 	SearchFilter string `description:"LDAP search filter." yaml:"searchFilter"`
+	AuthCert     string `description:"Certificate for mTLS authentication." yaml:"authCert"`
+	AuthKey      string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
 }
 
 type ExperimentalConfig struct {
diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go
@@ -101,7 +101,7 @@ func (auth *AuthService) VerifyUser(search config.UserSearch, password string) b
 				return false
 			}
 
-			err = auth.ldap.Bind(auth.ldap.Config.BindDN, auth.ldap.Config.BindPassword)
+			err = auth.ldap.BindService()
 			if err != nil {
 				log.Error().Err(err).Msg("Failed to rebind with service account after user authentication")
 				return false
diff --git a/internal/service/ldap_service.go b/internal/service/ldap_service.go
@@ -19,12 +19,15 @@ type LdapServiceConfig struct {
 	BaseDN       string
 	Insecure     bool
 	SearchFilter string
+	AuthCert     string
+	AuthKey      string
 }
 
 type LdapService struct {
 	Config LdapServiceConfig // exported so as the auth service can use it
 	conn   *ldapgo.Conn
 	mutex  sync.RWMutex
+	cert   *tls.Certificate
 }
 
 func NewLdapService(config LdapServiceConfig) *LdapService {
@@ -34,6 +37,15 @@ func NewLdapService(config LdapServiceConfig) *LdapService {
 }
 
 func (ldap *LdapService) Init() error {
+	// Check whether authentication with client certificate is possible
+	if ldap.Config.AuthCert != "" && ldap.Config.AuthKey != "" {
+		cert, err := tls.LoadX509KeyPair(ldap.Config.AuthCert, ldap.Config.AuthKey)
+		if err != nil {
+			return fmt.Errorf("failed to initalize LDAP with mTLS authentication: %w", err)
+		}
+		ldap.cert = &cert
+		log.Info().Msg("Using LDAP with mTLS authentication")
+	}
 	_, err := ldap.connect()
 	if err != nil {
 		return fmt.Errorf("failed to connect to LDAP server: %w", err)
@@ -60,22 +72,41 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
 	ldap.mutex.Lock()
 	defer ldap.mutex.Unlock()
 
-	conn, err := ldapgo.DialURL(ldap.Config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
-		InsecureSkipVerify: ldap.Config.Insecure,
-		MinVersion:         tls.VersionTLS12,
-	}))
-	if err != nil {
-		return nil, err
-	}
+	if ldap.cert != nil {
+		conn, err := ldapgo.DialURL(ldap.Config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
+			MinVersion:   tls.VersionTLS12,
+			Certificates: []tls.Certificate{*ldap.cert},
+		}))
+		if err != nil {
+			return nil, err
+		}
 
-	err = conn.Bind(ldap.Config.BindDN, ldap.Config.BindPassword)
-	if err != nil {
-		return nil, err
+		err = conn.ExternalBind()
+		if err != nil {
+			log.Error().Err(err).Msg("LDAP mTLS bind failed?")
+			return nil, err
+		}
+		// Set and return the connection
+		ldap.conn = conn
+		return conn, nil
+	} else {
+		conn, err := ldapgo.DialURL(ldap.Config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
+			InsecureSkipVerify: ldap.Config.Insecure,
+			MinVersion:         tls.VersionTLS12,
+		}))
+		if err != nil {
+			return nil, err
+		}
+
+		err = conn.Bind(ldap.Config.BindDN, ldap.Config.BindPassword)
+		if err != nil {
+			return nil, err
+		}
+		// Set and return the connection
+		ldap.conn = conn
+		return conn, nil
 	}
 
-	// Set and return the connection
-	ldap.conn = conn
-	return conn, nil
 }
 
 func (ldap *LdapService) Search(username string) (string, error) {
@@ -107,6 +138,19 @@ func (ldap *LdapService) Search(username string) (string, error) {
 	return userDN, nil
 }
 
+func (ldap *LdapService) BindService() error {
+	ldap.mutex.Lock()
+	defer ldap.mutex.Unlock()
+
+	var err error
+	if ldap.cert != nil {
+		err = ldap.conn.ExternalBind()
+	} else {
+		err = ldap.conn.Bind(ldap.Config.BindDN, ldap.Config.BindPassword)
+	}
+	return err
+}
+
 func (ldap *LdapService) Bind(userDN string, password string) error {
 	ldap.mutex.Lock()
 	defer ldap.mutex.Unlock()

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,8 @@ type LdapConfig struct {`
`66`	`66`	BaseDN string `description:"Base DN for LDAP searches." yaml:"baseDn"`
`67`	`67`	Insecure bool `description:"Allow insecure LDAP connections." yaml:"insecure"`
`68`	`68`	SearchFilter string `description:"LDAP search filter." yaml:"searchFilter"`
	`69`	+ AuthCert string `description:"Certificate for mTLS authentication." yaml:"authCert"`
	`70`	+ AuthKey string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
`69`	`71`	`}`
`70`	`72`
`71`	`73`	`type ExperimentalConfig struct {`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ func (auth *AuthService) VerifyUser(search config.UserSearch, password string) b`
`101`	`101`	`return false`
`102`	`102`	`}`
`103`	`103`
`104`		`- err = auth.ldap.Bind(auth.ldap.Config.BindDN, auth.ldap.Config.BindPassword)`
	`104`	`+ err = auth.ldap.BindService()`
`105`	`105`	`if err != nil {`
`106`	`106`	`log.Error().Err(err).Msg("Failed to rebind with service account after user authentication")`
`107`	`107`	`return false`