caddy_client_tls_ldap_validator

package module
v0.0.0-...-7f9b171
Published: Jan 17, 2025 License: MIT Imports: 13 Imported by: 0

README

Caddy Client Certificate LDAP Validator Plugin

This Caddy plugin validates TLS client certificates by looking them up in an LDAP directory: a presented certificate is accepted only if a matching user object is found by the configured search.

Features

  • Custom search filters
  • Success caching (e.g. the certificate was found in the directory)
  • Failure caching (e.g. the certificate was not found)
  • Caddyfile compatibility

Getting started

Installation

You first need to build a Caddy executable that includes this plugin; the easiest way is with xcaddy.

Install xcaddy:

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest

After xcaddy installation you can build caddy with this plugin by executing:

xcaddy build latest --with github.com/thestaticturtle/caddy-client-tls-ldap-validator

Configuration examples

These examples connect to an Active Directory server at ad.example.lan, bind as cn=example_account, and search the userCertificate attribute of user objects under ou=People, excluding accounts whose userAccountControl has the ACCOUNTDISABLE bit (0x2) set (the 1.2.840.113556.1.4.803 matching rule is a bitwise AND). The result of each lookup, success or failure, is cached for 5 minutes (300 seconds), so a user disabled in the directory keeps being accepted until the cached success expires. Note that ldap:// on port 389 is a cleartext connection and a simple bind sends bind_password unencrypted; restrict it to a trusted network, or use LDAPS if your server and the underlying LDAP client support it.

JSON configuration:

"client_authentication": {
    "ca": {
        "pem_files": ["/etc/caddy/keys/root.crt"], "provider": "file"
    },
    "verifiers": [
        {
            "verifier": "ldap_validator",
            "server": "ldap://ad.example.lan:389",
            "bind_user": "cn=example_account,cn=Users,dc=example,dc=lan",
            "bind_password": "example_password",
            "search_base": "ou=People,dc=example,dc=lan",
            "search_filters": "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
            "attributes": {
                "user_certificate": "userCertificate"
            },
            "success_cache": 300,
            "failure_cache": 300
        }
    ],
    "mode": "require_and_verify"
}
Caddyfile:

client_auth {
	mode require_and_verify
	trust_pool file {
		pem_file /etc/caddy/keys/root.crt
	}
	verifier ldap_validator {
		server "ldap://ad.example.lan:389"
		bind_user "cn=example_account,cn=Users,dc=example,dc=lan"
		bind_password "example_password"
		search_base "ou=People,dc=example,dc=lan"
		search_filters "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
		attributes {
			user_certificate "userCertificate"
		}
		success_cache 300
		failure_cache 300
	}
}
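The following Go program is an added example, not code from this plugin or from Caddy. It shows the shape of the verification callback documented below (VerifyClientCertificate with the crypto/tls VerifyPeerCertificate signature) together with the success/failure caching that success_cache and failure_cache configure. The LDAP search is replaced by an in-memory MemDirectory holding userCertificate DER values, and the client certificates are self-signed throwaways built by SelfSignedDER; both are assumptions of this example. Two things are worth seeing in code: the lookup matches the presented leaf byte-for-byte against the stored userCertificate value rather than by subject name, and only a definitive not-found result is cached, so a lost LDAP connection (the open todo below) fails closed without poisoning the failure cache. The flip side of success_cache is visible too: a user removed from the directory keeps being accepted until the cached entry expires.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// ErrNotFound is a definitive rejection; transport errors are deliberately kept distinct.
var ErrNotFound = errors.New("certificate not found in directory")

// MemDirectory holds the DER values of every user's userCertificate attribute. It stands
// in for the LDAP search (an assumption of this example, not the plugin's own API).
type MemDirectory struct{ Certs [][]byte }

func (m *MemDirectory) Lookup(der []byte) error {
	for _, c := range m.Certs {
		if bytes.Equal(c, der) { // exact DER match, never a subject-name match
			return nil
		}
	}
	return ErrNotFound
}

type cacheItem struct {
	err     error // nil for a cached success
	expires time.Time
}

type Validator struct {
	Dir        *MemDirectory
	SuccessTTL time.Duration
	FailureTTL time.Duration
	mu         sync.Mutex             // handshakes run concurrently
	cache      map[[32]byte]cacheItem // keyed by SHA-256 of the DER leaf
}

func NewValidator(dir *MemDirectory, success, failure time.Duration) *Validator {
	return &Validator{Dir: dir, SuccessTTL: success, FailureTTL: failure, cache: map[[32]byte]cacheItem{}}
}

// VerifyClientCertificate has the crypto/tls VerifyPeerCertificate signature; rawCerts[0]
// is the DER leaf. In require_and_verify mode crypto/tls has already checked the chain.
func (v *Validator) VerifyClientCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("no client certificate presented")
	}
	key, now := sha256.Sum256(rawCerts[0]), time.Now()
	v.mu.Lock()
	item, hit := v.cache[key]
	v.mu.Unlock()
	if hit && now.Before(item.expires) {
		return item.err
	}
	err := v.Dir.Lookup(rawCerts[0])
	if err != nil && !errors.Is(err, ErrNotFound) {
		return fmt.Errorf("directory lookup: %w", err) // outage: fail closed, do not cache
	}
	ttl := v.FailureTTL
	if err == nil {
		ttl = v.SuccessTTL
	}
	v.mu.Lock()
	v.cache[key] = cacheItem{err: err, expires: now.Add(ttl)}
	v.mu.Unlock()
	return err
}

// SelfSignedDER builds a throwaway client certificate as constructed input.
func SelfSignedDER(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	alice := SelfSignedDER("alice")
	dir := &MemDirectory{Certs: [][]byte{alice}}
	v := NewValidator(dir, 300*time.Second, 300*time.Second)
	fmt.Println("alice:", v.VerifyClientCertificate([][]byte{alice}, nil))
	dir.Certs = nil // alice removed from the directory: still accepted until success_cache expires
	fmt.Println("alice after removal:", v.VerifyClientCertificate([][]byte{alice}, nil))
}
```

The cache key is a hash of the raw DER rather than any name inside the certificate, so two certificates for the same user are cached independently, and a certificate that is later removed from the directory is re-checked only once its cached entry has expired; pick success_cache with that revocation delay in mind.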

Todos:

  • Verify whether the LDAP library automatically reconnects when the connection to the LDAP server is lost

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func EncodeToString

func EncodeToString(src []byte) string

func GetMD5Hash

func GetMD5Hash(data []byte) string

Types

type LDAPCertificateValidator

type LDAPCertificateValidator struct {
	Server               string                                 `json:"server,omitempty"`
	BindUser             string                                 `json:"bind_user,omitempty"`
	BindPassword         string                                 `json:"bind_password,omitempty"`
	SearchBase           string                                 `json:"search_base,omitempty"`
	SearchFilters        string                                 `json:"search_filters,omitempty"`
	Attributes           LDAPCertificateValidatorLDAPAttributes `json:"attributes,omitempty"`
	SuccessCacheDuration int                                    `json:"success_cache,omitempty"`
	FailureCacheDuration int                                    `json:"failure_cache,omitempty"`
	// contains filtered or unexported fields
}

func (LDAPCertificateValidator) CaddyModule

func (*LDAPCertificateValidator) GetUserCertificate

func (v *LDAPCertificateValidator) GetUserCertificate(rawCerts [][]byte) (*x509.Certificate, error)

func (*LDAPCertificateValidator) Provision

func (v *LDAPCertificateValidator) Provision(ctx caddy.Context) error

func (*LDAPCertificateValidator) SearchLDAPForCertificate

func (v *LDAPCertificateValidator) SearchLDAPForCertificate(certificate *x509.Certificate) (*ldap.Entry, error)

func (*LDAPCertificateValidator) UnmarshalCaddyfile

func (v *LDAPCertificateValidator) UnmarshalCaddyfile(d *caddyfile.Dispenser) error

func (*LDAPCertificateValidator) VerifyClientCertificate

func (v *LDAPCertificateValidator) VerifyClientCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error

type LDAPCertificateValidatorLDAPAttributes

type LDAPCertificateValidatorLDAPAttributes struct {
	UserCertificate string `json:"user_certificate,omitempty"`
}
