
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450

Torkel Ödegaard 10 years ago
parent
commit
5b0585ac7f
4 changed files with 34 additions and 13 deletions
  1. 0 2
      conf/ldap.toml
  2. 0 2
      docs/sources/installation/ldap.md
  3. 1 1
      pkg/login/ldap.go
  4. 33 8
      pkg/login/settings.go

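--- a/conf/ldap.toml
+++ b/conf/ldap.toml
@@ -10,8 +10,6 @@ port = 389
 use_ssl = false
 # set to true if you want to skip ssl cert validation
 ssl_skip_verify = false
-# if cert validation is enabled, provide ldap cert server name
-ssl_server_name = ""
 
 # Search user bind dn
 bind_dn = "cn=admin,dc=grafana,dc=org"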

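--- a/docs/sources/installation/ldap.md
+++ b/docs/sources/installation/ldap.md
@@ -29,8 +29,6 @@ port = 389
 use_ssl = false
 # set to true if you want to skip ssl cert validation
 ssl_skip_verify = false
-# if cert validation is enabled, provide ldap cert server name
-ssl_server_name = ""
 
 # Search user bind dn
 bind_dn = "cn=admin,dc=grafana,dc=org"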

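--- a/pkg/login/ldap.go
+++ b/pkg/login/ldap.go
@@ -28,7 +28,7 @@ func (a *ldapAuther) Dial() error {
 	if a.server.UseSSL {
 		tlsCfg := &tls.Config{
 			InsecureSkipVerify: a.server.SkipVerifySSL,
-			ServerName:         a.server.CertServerName,
+			ServerName:         a.server.Host,
 		}
 		a.conn, err = ldap.DialTLS("tcp", address, tlsCfg)
 	} else {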
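Review bot: The new `ServerName: a.server.Host` line should carry a comment, because it now ties certificate verification to the configured `host` value rather than to a separately declared name: the LDAP server's certificate must be issued for exactly that name, and if `host` is an IP literal Go matches it against IP SANs and sends no SNI. Something like `// Verify the cert against the configured host (also used for SNI); ssl_skip_verify disables this check entirely and should stay false outside of testing.` makes that contract visible to the next reader. It is worth stating in the changelog that operators who previously set ssl_server_name to a name differing from host must now use a certificate that covers host. Dial begins and ends outside this hunk, and the `address` it dials is built above it.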

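--- a/pkg/login/settings.go
+++ b/pkg/login/settings.go
@@ -1,6 +1,8 @@
 package login
 
 import (
+	"fmt"
+
 	"github.com/BurntSushi/toml"
 	"github.com/grafana/grafana/pkg/log"
 	m "github.com/grafana/grafana/pkg/models"
@@ -13,14 +15,13 @@ type LdapConfig struct {
 }
 
 type LdapServerConf struct {
-	Host           string           `toml:"host"`
-	Port           int              `toml:"port"`
-	UseSSL         bool             `toml:"use_ssl"`
-	SkipVerifySSL  bool             `toml:"ssl_skip_verify"`
-	CertServerName string           `toml:"ssl_server_name"`
-	BindDN         string           `toml:"bind_dn"`
-	BindPassword   string           `toml:"bind_password"`
-	Attr           LdapAttributeMap `toml:"attributes"`
+	Host          string           `toml:"host"`
+	Port          int              `toml:"port"`
+	UseSSL        bool             `toml:"use_ssl"`
+	SkipVerifySSL bool             `toml:"ssl_skip_verify"`
+	BindDN        string           `toml:"bind_dn"`
+	BindPassword  string           `toml:"bind_password"`
+	Attr          LdapAttributeMap `toml:"attributes"`
 
 	SearchFilter  string   `toml:"search_filter"`
 	SearchBaseDNs []string `toml:"search_base_dns"`
@@ -56,8 +57,17 @@ func loadLdapConfig() {
 		log.Fatal(3, "Failed to load ldap config file: %s", err)
 	}
 
+	if len(ldapCfg.Servers) == 0 {
+		log.Fatal(3, "ldap enabled but no ldap servers defined in config file: %s", setting.LdapConfigFile)
+	}
+
 	// set default org id
 	for _, server := range ldapCfg.Servers {
+		assertNotEmptyCfg(server.Host, "host")
+		assertNotEmptyCfg(server.BindDN, "bind_dn")
+		assertNotEmptyCfg(server.SearchFilter, "search_filter")
+		assertNotEmptyCfg(server.SearchBaseDNs, "search_base_dns")
+
 		for _, groupMap := range server.LdapGroups {
 			if groupMap.OrgId == 0 {
 				groupMap.OrgId = 1
@@ -65,3 +75,18 @@ func loadLdapConfig() {
 		}
 	}
 }
+
+func assertNotEmptyCfg(val interface{}, propName string) {
+	switch v := val.(type) {
+	case string:
+		if v == "" {
+			log.Fatal(3, "LDAP config file is missing option: %s", propName)
+		}
+	case []string:
+		if len(v) == 0 {
+			log.Fatal(3, "LDAP config file is missing option: %s", propName)
+		}
+	default:
+		fmt.Println("unknown")
+	}
+}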
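Review bot: The `default` branch of `assertNotEmptyCfg` in the last hunk prints "unknown" and returns normally, so a call site that passes an unsupported type is treated as a present option and validation silently passes instead of failing. That is a programmer error rather than a config error, so it should fail the same way the other branches do, e.g. `log.Fatal(3, "LDAP config check for option %s got unsupported type %T", propName, val)` (assuming log.Fatal formats its arguments like the existing `%s` calls), which also makes the `fmt` import added in the first hunk unnecessary. The checks added in the third hunk only reject an exactly empty string, so a whitespace-only `host` or `bind_dn` still passes, and `search_base_dns` is only checked for length, so a list containing an empty entry is accepted; trimming with `strings.TrimSpace` before the comparison and checking each entry would close both gaps. The `toml.DecodeFile` call that populates `ldapCfg` sits above the third hunk, so a config that still contains the removed `ssl_server_name` key is presumably decoded without complaint and that setting now has no effect; surfacing undecoded keys via the returned metadata would warn operators. loadLdapConfig starts outside the hunk.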