https://github.com/thestaticturtle/caddy-client-tls-ldap-validator
Caddy plugin to verify client certificates from an LDAP server
- Host: GitHub
- URL: https://github.com/thestaticturtle/caddy-client-tls-ldap-validator
- Owner: TheStaticTurtle
- License: mit
- Created: 2025-01-17T15:16:00.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-01-17T15:18:38.000Z (about 1 year ago)
- Last Synced: 2025-03-14T18:55:28.932Z (about 1 year ago)
- Topics: caddy, caddy-plugin, client-certificate, ldap
- Language: Go
- Homepage:
- Size: 41 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
# Caddy Client Certificate LDAP Validator Plugin
This Caddy plugin validates TLS client certificates by looking them up in an LDAP directory.
# Features
* Custom search filters
* Success caching (e.g. the certificate was found)
* Failure caching (e.g. the certificate was not found)
* Caddyfile compatibility
# Getting started
## Installation
You first need to build a new caddy executable with this plugin.
The easiest way is to do this with xcaddy.
Install xcaddy:
```shell
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
```
After xcaddy is installed you can build Caddy with this plugin by executing:
```shell
xcaddy build latest --with github.com/thestaticturtle/caddy-client-tls-ldap-validator
```
## Configuration examples
These examples connect to an Active Directory server at `ad.example.lan` as `cn=example_account` and search the `userCertificate` attribute of user objects under `ou=People`, skipping disabled accounts: the `userAccountControl:1.2.840.113556.1.4.803:=2` clause uses the LDAP bitwise-AND matching rule to exclude entries whose ACCOUNTDISABLE flag (bit value 2) is set. The result of each search is cached for 5 minutes (300 seconds), whether it was a success or a failure.
```json
"client_authentication": {
  "ca": {
    "pem_files": ["/etc/caddy/keys/root.crt"],
    "provider": "file"
  },
  "verifiers": [
    {
      "verifier": "ldap_validator",
      "server": "ldap://ad.example.lan:389",
      "bind_user": "cn=example_account,cn=Users,dc=example,dc=lan",
      "bind_password": "example_password",
      "search_base": "ou=People,dc=example,dc=lan",
      "search_filters": "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
      "attributes": {
        "user_certificate": "userCertificate"
      },
      "success_cache": 300,
      "failure_cache": 300
    }
  ],
  "mode": "require_and_verify"
}
```
```caddyfile
client_auth {
  mode require_and_verify
  trust_pool file {
    pem_file /etc/caddy/keys/root.crt
  }
  verifier ldap_validator {
    server "ldap://ad.example.lan:389"
    bind_user "cn=example_account,cn=Users,dc=example,dc=lan"
    bind_password "example_password"
    search_base "ou=People,dc=example,dc=lan"
    search_filters "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    attributes {
      user_certificate "userCertificate"
    }
    success_cache 300
    failure_cache 300
  }
}
```
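To make the behaviour configured above concrete, here is an added Go example (not the plugin's own code) of a verifier that looks a presented client certificate up by its `userCertificate` value and caches the outcome with separate `success_cache` and `failure_cache` lifetimes. The `Searcher` function type is a hypothetical stand-in for the LDAP query; the in-memory directory, the fake clock and the two self-signed certificates are constructed sample input, and the filter is only passed through, so the exclusion of disabled accounts is assumed to happen server-side as in the configuration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Searcher is a hypothetical stand-in for the LDAP query: every value of attr on the entries under base that match filter.
type Searcher func(base, filter, attr string) ([][]byte, error)

type cacheEntry struct {
	ok      bool
	expires time.Time
}

// Validator checks a presented client certificate against the directory and caches each outcome.
type Validator struct {
	Search                 Searcher
	Base, Filter, Attr     string
	SuccessTTL, FailureTTL time.Duration
	Now                    func() time.Time // injectable clock
	mu                     sync.Mutex       // TLS handshakes are verified concurrently
	cache                  map[[32]byte]cacheEntry
}

// Verify reports whether leaf's exact DER encoding is stored in the directory.
func (v *Validator) Verify(leaf *x509.Certificate) (bool, error) {
	key := sha256.Sum256(leaf.Raw) // cache key: fingerprint of the exact certificate
	v.mu.Lock()
	e, found := v.cache[key]
	v.mu.Unlock()
	if found && v.Now().Before(e.expires) {
		return e.ok, nil
	}
	values, err := v.Search(v.Base, v.Filter, v.Attr)
	if err != nil { // not cached: an outage must not lock clients out for FailureTTL
		return false, err
	}
	ok, ttl := false, v.FailureTTL
	for _, der := range values {
		// Compare the whole certificate, not just the subject: a different key under the same name must not pass.
		if bytes.Equal(der, leaf.Raw) {
			ok, ttl = true, v.SuccessTTL
			break
		}
	}
	v.mu.Lock()
	v.cache[key] = cacheEntry{ok: ok, expires: v.Now().Add(ttl)}
	v.mu.Unlock()
	return ok, nil
}

// newTestCert issues a self-signed certificate as constructed sample input.
func newTestCert(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Demo drives the validator against a constructed directory with a fake clock; it returns the five outcomes and the number of searches issued.
func Demo() ([]bool, int) {
	alice, carol := newTestCert("alice"), newTestCert("carol")
	certs := [][]byte{alice.Raw} // userCertificate values of the enabled accounts
	searches, clock := 0, time.Unix(0, 0)
	v := &Validator{Base: "ou=People,dc=example,dc=lan", Attr: "userCertificate",
		Filter:     "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
		SuccessTTL: 300 * time.Second, FailureTTL: 300 * time.Second,
		Now:        func() time.Time { return clock }, cache: map[[32]byte]cacheEntry{},
		Search:     func(_, _, _ string) ([][]byte, error) { searches++; return certs, nil }}
	var out []bool
	check := func(c *x509.Certificate) { ok, _ := v.Verify(c); out = append(out, ok) }
	check(alice)                         // enrolled: accepted, 1st search
	check(alice)                         // answered from the success cache
	check(carol)                         // not enrolled: rejected, 2nd search
	certs = append(certs, carol.Raw)     // carol is enrolled now
	check(carol)                         // still rejected: the failure is cached
	clock = clock.Add(301 * time.Second) // failure_cache has expired
	check(carol)                         // accepted, 3rd search
	return out, searches
}

func main() {
	out, n := Demo()
	fmt.Println(out, n) // [true true false false true] 3
}
```

The run shows the trade-off behind the two cache settings: a certificate enrolled after a failed lookup stays rejected until `failure_cache` elapses, and by the same logic a certificate removed from the directory or belonging to an account that is disabled later stays accepted until `success_cache` elapses, so both values bound how quickly a change in the directory takes effect. Directory errors are deliberately left uncached in this example so that a transient outage does not turn into a `failure_cache`-long lockout.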
## Todos
* Verify whether the LDAP library automatically reconnects if the connection to the LDAP server is lost