From 5bea54eaaa404f7eef95d798cd87a5c52fae3294 Mon Sep 17 00:00:00 2001
From: Emil Flink
Date: Fri, 3 Aug 2018 12:00:20 +0200
Subject: [PATCH] Support client certificates for LDAP servers
---
 conf/ldap.toml | 3 +++
 docs/sources/installation/ldap.md | 3 +++
 pkg/login/ldap.go | 10 ++++++++++
 pkg/login/ldap_settings.go | 2 ++
 4 files changed, 18 insertions(+)
diff --git a/conf/ldap.toml b/conf/ldap.toml
index a74b2b6cc2c..9a7088ed823 100644
--- a/conf/ldap.toml
+++ b/conf/ldap.toml
@@ -15,6 +15,9 @@ start_tls = false
 ssl_skip_verify = false
 # set to the path to your root CA certificate or leave unset to use system defaults
 # root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
 # Search user bind dn
 bind_dn = "cn=admin,dc=grafana,dc=org"
diff --git a/docs/sources/installation/ldap.md b/docs/sources/installation/ldap.md
index 9a381b9e467..b555eaf06e0 100644
--- a/docs/sources/installation/ldap.md
+++ b/docs/sources/installation/ldap.md
@@ -40,6 +40,9 @@ start_tls = false
 ssl_skip_verify = false
 # set to the path to your root CA certificate or leave unset to use system defaults
 # root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
 # Search user bind dn
 bind_dn = "cn=admin,dc=grafana,dc=org"
diff --git a/pkg/login/ldap.go b/pkg/login/ldap.go
index 9e4918f0290..053778e8deb 100644
--- a/pkg/login/ldap.go
+++ b/pkg/login/ldap.go
@@ -59,6 +59,13 @@ func (a *ldapAuther) Dial() error {
 }
 }
 }
+ var clientCert tls.Certificate
+ if a.server.ClientCert != "" && a.server.ClientKey != "" {
+ clientCert, err = tls.LoadX509KeyPair(a.server.ClientCert, a.server.ClientKey)
+ if err != nil {
+ return err
+ }
+ }
 for _, host := range strings.Split(a.server.Host, " ") {
 address := fmt.Sprintf("%s:%d", host, a.server.Port)
 if a.server.UseSSL {
@@ -67,6 +74,9 @@ func (a *ldapAuther) Dial() error {
 ServerName: host,
 RootCAs: certPool,
 }
+ if len(clientCert.Certificate) > 0 {
+ tlsCfg.Certificates = append(tlsCfg.Certificates, clientCert)
+ }
 if a.server.StartTLS {
 a.conn, err = ldap.Dial("tcp", address)
 if err == nil {
diff --git a/pkg/login/ldap_settings.go b/pkg/login/ldap_settings.go
index c4f5982b237..7ebfbc79ba8 100644
--- a/pkg/login/ldap_settings.go
+++ b/pkg/login/ldap_settings.go
@@ -21,6 +21,8 @@ type LdapServerConf struct {
 StartTLS bool `toml:"start_tls"`
 SkipVerifySSL bool `toml:"ssl_skip_verify"`
 RootCACert string `toml:"root_ca_cert"`
+ ClientCert string `toml:"client_cert"`
+ ClientKey string `toml:"client_key"`
 BindDN string `toml:"bind_dn"`
 BindPassword string `toml:"bind_password"`
 Attr LdapAttributeMap `toml:"attributes"`
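Review bot: In the first ldap.go hunk a configuration that sets only one of client_cert/client_key is silently ignored, because the guard `if a.server.ClientCert != "" && a.server.ClientKey != ""` requires both and has no else branch, so a half-configured deployment dials the LDAP server without any client certificate and nothing in the log says so. Reject the partial configuration before loading the pair: `if (a.server.ClientCert != "") != (a.server.ClientKey != "") {` / `return fmt.Errorf("ldap: client_cert and client_key must both be set")` / `}`. The bare `return err` after tls.LoadX509KeyPair also drops which files were involved; wrapping it as `fmt.Errorf("loading ldap client certificate %q / %q: %v", a.server.ClientCert, a.server.ClientKey, err)` (`%w` where the toolchain supports it) makes a wrong path or unreadable key file diagnosable from the log. The pair is loaded even when UseSSL is false, in which case the second hunk (`@@ -67,6 +74,9`) never attaches it to tlsCfg; that is acceptable as an early configuration check but deserves a one-line comment saying so. Dial's body starts and ends outside these hunks.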