7 年之前 · 4cebf38ff2
--- a/conf/ldap.toml
+++ b/conf/ldap.toml
@@ -15,6 +15,9 @@ start_tls = false
 
				 ssl_skip_verify = false
			
 
				 # set to the path to your root CA certificate or leave unset to use system defaults
			
 
				 # root_ca_cert = "/path/to/certificate.crt"
			
 
				+# Authentication against LDAP servers requiring client certificates
			
 
				+# client_cert = "/path/to/client.crt"
			
 
				+# client_key = "/path/to/client.key"
			
 
				 
			
 
				 # Search user bind dn
			
 
				 bind_dn = "cn=admin,dc=grafana,dc=org"
			
--- a/docs/sources/installation/ldap.md
+++ b/docs/sources/installation/ldap.md
@@ -40,6 +40,9 @@ start_tls = false
 
				 ssl_skip_verify = false
			
 
				 # set to the path to your root CA certificate or leave unset to use system defaults
			
 
				 # root_ca_cert = "/path/to/certificate.crt"
			
 
				+# Authentication against LDAP servers requiring client certificates
			
 
				+# client_cert = "/path/to/client.crt"
			
 
				+# client_key = "/path/to/client.key"
			
 
				 
			
 
				 # Search user bind dn
			
 
				 bind_dn = "cn=admin,dc=grafana,dc=org"
			
--- a/pkg/login/ldap.go
+++ b/pkg/login/ldap.go
@@ -59,6 +59,13 @@ func (a *ldapAuther) Dial() error {
 
				 			}
			
 
				 		}
			
 
				 	}
			
 
				+	var clientCert tls.Certificate
			
 
				+	if a.server.ClientCert != "" && a.server.ClientKey != "" {
			
 
				+		clientCert, err = tls.LoadX509KeyPair(a.server.ClientCert, a.server.ClientKey)
			
 
				+		if err != nil {
			
 
				+			return err
			
 
				+		}
			
 
				+	}
			
 
				 	for _, host := range strings.Split(a.server.Host, " ") {
			
 
				 		address := fmt.Sprintf("%s:%d", host, a.server.Port)
			
 
				 		if a.server.UseSSL {
			
@@ -67,6 +74,9 @@ func (a *ldapAuther) Dial() error {
 
				 				ServerName:         host,
			
 
				 				RootCAs:            certPool,
			
 
				 			}
			
 
				+			if len(clientCert.Certificate) > 0 {
			
 
				+				tlsCfg.Certificates = append(tlsCfg.Certificates, clientCert)
			
 
				+			}
			
 
				 			if a.server.StartTLS {
			
 
				 				a.conn, err = ldap.Dial("tcp", address)
			
 
				 				if err == nil {
			
--- a/pkg/login/ldap_settings.go
+++ b/pkg/login/ldap_settings.go
@@ -21,6 +21,8 @@ type LdapServerConf struct {
 
				 	StartTLS      bool             `toml:"start_tls"`
			
 
				 	SkipVerifySSL bool             `toml:"ssl_skip_verify"`
			
 
				 	RootCACert    string           `toml:"root_ca_cert"`
			
 
				+	ClientCert    string           `toml:"client_cert"`
			
 
				+	ClientKey     string           `toml:"client_key"`
			
 
				 	BindDN        string           `toml:"bind_dn"`
			
 
				 	BindPassword  string           `toml:"bind_password"`
			
 
				 	Attr          LdapAttributeMap `toml:"attributes"`