Implement TLS support

williamdes · williamdes · commit 3c91048b9800 · 2022-07-31T03:40:50.000+02:00
diff --git a/docker/docker-compose.test.yml b/docker/docker-compose.test.yml
@@ -7,6 +7,8 @@ services:
         restart: on-failure:5
         mem_limit: 256M
         mem_reservation: 100M
+        #volumes:
+        #  - ./tests/data/db.sqlite:/data/db.sqlite
         healthcheck:
             test: 'ldapwhoami -D "cn=$${LDAP_READONLY_USER_USERNAME}" -w "$${LDAP_READONLY_USER_PASSWORD}"'
             start_period: 5s
@@ -16,7 +18,7 @@ services:
         environment:
             # 256 to enable debug
             # See: https://www.openldap.org/doc/admin24/slapdconf2.html
-            LDAP_LOG_LEVEL: 0
+            LDAP_LOG_LEVEL: 1
             LDAP_OPENLDAP_GID: 0
             LDAP_OPENLDAP_UID: 0
             LDAP_BASE_DN: "dc=example,dc=org"
@@ -26,6 +28,20 @@ services:
             LDAP_MONITOR_PASSWORD: "{SSHA}1h+K1VIdptHytwoqDd+z+ozORIKmGvG3"
             LDAP_READONLY_USER_USERNAME: monitor
             LDAP_READONLY_USER_PASSWORD: monitor
+            # SSL setting
+            LDAP_TLS_CA_CRT_FILENAME: "/data/ca.pem"
+            LDAP_TLS_CRT_FILENAME: "/data/server-cert.pem"
+            LDAP_TLS_KEY_FILENAME: "/data/server-key.pem"
+            #LDAP_TLS_CA_CRT_FILENAME: "ca.cer"
+            LDAP_TLS_CIPHER_SUITE: "HIGH:MEDIUM:-SSLv2"
+            # never | allow | try | demand
+            LDAP_TLS_VERIFY_CLIENT: "try"
+            # Add ldaps:/// to SSL listen
+            LDAP_LISTEN_URLS: "ldap:/// ldapi:/// ldaps:///"
+        volumes:
+          - ./tests/data/ca.pem:/data/ca.pem:ro
+          - ./tests/data/server-cert.pem:/data/server-cert.pem:ro
+          - ./tests/data/server-key.pem:/data/server-key.pem:ro
 
     sut:
         depends_on:
@@ -34,4 +50,8 @@ services:
         build: .
         volumes:
           - ./tests/:/tests:ro
+          - ./tests/data/ca.pem:/data/ca.pem:ro
         entrypoint: /tests/run.sh
+        environment:
+            LDAPTLS_CACERT: /data/ca.pem
+            LDAPTLS_REQCERT: hard
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
@@ -23,8 +23,28 @@ sed -i "s|{{ LDAP_CONFIG_PASSWORD }}|${LDAP_CONFIG_PASSWORD}|" /etc/openldap/sla
 sed -i "s|{{ LDAP_ADMIN_PASSWORD }}|${LDAP_ADMIN_PASSWORD}|" /etc/openldap/slapd.conf
 sed -i "s|{{ LDAP_MONITOR_PASSWORD }}|${LDAP_MONITOR_PASSWORD}|" /etc/openldap/slapd.conf
 
+if [ "${LDAP_TLS_CA_CRT_FILENAME:-}" != "" ]; then
+    sed -i "s|#TLSCACertificateFile {{ LDAP_TLS_CA_CRT_FILENAME }}|TLSCACertificateFile ${LDAP_TLS_CA_CRT_FILENAME}|" /etc/openldap/slapd.conf
+fi
+
+if [ "${LDAP_TLS_CRT_FILENAME:-}" != "" ]; then
+    sed -i "s|#TLSCertificateFile {{ LDAP_TLS_CRT_FILENAME }}|TLSCertificateFile ${LDAP_TLS_CRT_FILENAME}|" /etc/openldap/slapd.conf
+fi
+
+if [ "${LDAP_TLS_KEY_FILENAME:-}" != "" ]; then
+    sed -i "s|#TLSCertificateKeyFile {{ LDAP_TLS_KEY_FILENAME }}|TLSCertificateKeyFile ${LDAP_TLS_KEY_FILENAME}|" /etc/openldap/slapd.conf
+fi
+
+if [ "${LDAP_TLS_VERIFY_CLIENT:-}" != "" ]; then
+    sed -i "s|#TLSVerifyClient never|TLSVerifyClient ${LDAP_TLS_VERIFY_CLIENT}|" /etc/openldap/slapd.conf
+fi
+
+if [ "${LDAP_TLS_CIPHER_SUITE:-}" != "" ]; then
+    sed -i "s|TLSCipherSuite DEFAULT|TLSCipherSuite ${LDAP_TLS_CIPHER_SUITE}|" /etc/openldap/slapd.conf
+fi
+
 echo 'Checking if replacement worked'
-set -x
+
 grep -q -F "ldap_bind_dn: cn=admin,${LDAP_BASE_DN}" /etc/saslauthd.conf
 grep -q -F "ldap_search_base: ${LDAP_AUTH_BASE_DN}" /etc/saslauthd.conf
 grep -q -F "ldap_bind_pw: ${LDAP_ADMIN_PASSWORD}" /etc/saslauthd.conf
@@ -33,8 +53,27 @@ grep -q -F "suffix		\"${LDAP_BASE_DN}\"" /etc/openldap/slapd.conf
 grep -q -F "${LDAP_CONFIG_PASSWORD}" /etc/openldap/slapd.conf
 grep -q -F "${LDAP_ADMIN_PASSWORD}" /etc/openldap/slapd.conf
 grep -q -F "${LDAP_MONITOR_PASSWORD}" /etc/openldap/slapd.conf
-set +x
+
+
+if [ "${LDAP_TLS_CA_CRT_FILENAME:-}" != "" ]; then
+    grep -q -F "TLSCACertificateFile ${LDAP_TLS_CA_CRT_FILENAME}" /etc/openldap/slapd.conf
+fi
+
+if [ "${LDAP_TLS_CRT_FILENAME:-}" != "" ]; then
+    grep -q -F "TLSCertificateFile ${LDAP_TLS_CRT_FILENAME}" /etc/openldap/slapd.conf
+fi
+
+if [ "${LDAP_TLS_KEY_FILENAME:-}" != "" ]; then
+    grep -q -F "TLSCertificateKeyFile ${LDAP_TLS_KEY_FILENAME}" /etc/openldap/slapd.conf
+fi
+
+if [ "${LDAP_TLS_VERIFY_CLIENT:-}" != "" ]; then
+    grep -q -F "TLSVerifyClient ${LDAP_TLS_VERIFY_CLIENT}" /etc/openldap/slapd.conf
+fi
+
+if [ "${LDAP_TLS_CIPHER_SUITE:-}" != "" ]; then
+    grep -q -F "TLSCipherSuite ${LDAP_TLS_CIPHER_SUITE}" /etc/openldap/slapd.conf
+fi
 
 echo 'Starting...'
 horust --unsuccessful-exit-finished-failed
-ldap_bind_pw: {{ LDAP_ADMIN_PASSWORD }}
diff --git a/docker/horust/services/ldap.toml b/docker/horust/services/ldap.toml
@@ -1,4 +1,4 @@
-command = "slapd -h 'ldap:/// ldapi:///' -d${LDAP_LOG_LEVEL} -u${LDAP_OPENLDAP_UID} -g${LDAP_OPENLDAP_GID}"
+command = "slapd -h \"${LDAP_LISTEN_URLS:-ldap:/// ldapi:///}\" -d${LDAP_LOG_LEVEL} -u${LDAP_OPENLDAP_UID} -g${LDAP_OPENLDAP_GID}"
 start-delay = "2s"
 stdout = "STDOUT"
 stderr = "STDERR"
diff --git a/docker/slapd.conf b/docker/slapd.conf
@@ -37,6 +37,12 @@ sasl-secprops   noanonymous,noactive,noplain
 #sasl-auxprops   ldapdb
 password-hash   {SSHA} {CRYPT}
 
+#TLSCipherSuite DEFAULT
+#TLSVerifyClient never
+#TLSCACertificateFile {{ LDAP_TLS_CA_CRT_FILENAME }}
+#TLSCertificateFile {{ LDAP_TLS_CRT_FILENAME }}
+#TLSCertificateKeyFile {{ LDAP_TLS_KEY_FILENAME }}
+
 #######################################################################
 # config database definitions
 #######################################################################
diff --git a/docker/tests/README.md b/docker/tests/README.md
@@ -0,0 +1,34 @@
+# Testing the image
+
+## Run the tests
+
+```sh
+make test
+```
+
+### Re-Build the test certificate
+
+Source: [MariaDB docs](https://mariadb.com/docs/security/data-in-transit-encryption/create-self-signed-certificates-keys-openssl/)
+
+```sh
+openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
+    -subj "/C=FR/OU=Testing/O=Datacenters Network" \
+    -keyout ca.key  -out ca.pem
+
+openssl req -new -newkey rsa:4096 -nodes \
+    -subj "/emailAddress=williamdes+sudo-bot-test-cert@wdes.fr/C=FR/OU=Testing/O=Datacenters Network/CN=openldap" \
+    -keyout server-key.pem  -out server-req.pem
+
+openssl x509 -req -days 365 -set_serial 01 \
+   -in server-req.pem \
+   -out server-cert.pem \
+   -CA ca.pem \
+   -CAkey ca.key
+
+# Cleanup
+rm server-req.pem
+# Could be needed
+# chmod 777 server-cert.pem server-key.pem ca.pem
+# Verify
+openssl verify -verbose -x509_strict -CAfile ca.pem server-cert.pem
+```
diff --git a/docker/tests/run.sh b/docker/tests/run.sh
@@ -84,6 +84,10 @@ echo -e "\tUsing simple auth"
 ldapwhoami -H ldap://openldap -D "mail=edwin@warz.eu,o=warz.eu,ou=people,dc=example,dc=org" -w 'oHHGf7YyJSihb6ifSwNWZPtEGzijjp8'
 
 echo 'Login as email 5'
+echo -e "\tUsing secure STARTTLS auth"
+ldapwhoami -ZZ -H ldap://openldap -D "mail=elana@caldin.eu,o=caldin.eu,ou=people,dc=example,dc=org" -w 'bandedetsylish'
+echo -e "\tUsing secure SSL auth"
+ldapwhoami -H ldaps://openldap -D "mail=elana@caldin.eu,o=caldin.eu,ou=people,dc=example,dc=org" -w 'bandedetsylish'
 echo -e "\tUsing simple auth"
 ldapwhoami -H ldap://openldap -D "mail=elana@caldin.eu,o=caldin.eu,ou=people,dc=example,dc=org" -w 'bandedetsylish'
 echo -e "\tUsing SASL auth"

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-command = "slapd -h 'ldap:/// ldapi:///' -d${LDAP_LOG_LEVEL} -u${LDAP_OPENLDAP_UID} -g${LDAP_OPENLDAP_GID}"`
	`1`	`+command = "slapd -h \"${LDAP_LISTEN_URLS:-ldap:/// ldapi:///}\" -d${LDAP_LOG_LEVEL} -u${LDAP_OPENLDAP_UID} -g${LDAP_OPENLDAP_GID}"`
`2`	`2`	`start-delay = "2s"`
`3`	`3`	`stdout = "STDOUT"`
`4`	`4`	`stderr = "STDERR"`