Allow raw `tls_options` to be passed in LDAP configuration

We've previously exposed ca_file and ssl_version but there are many
possible options that can be used inside tls_options. Instead of
exposing individual ones, simply expose the entire hash so it can
be passed in and we won't have to add things in the future.

1 files changed, 48 insertions, 8 deletions

diff --git a/doc/administration/auth/ldap.md b/doc/administration/auth/ldap.md
index d5d0d99ac24..01cf7489c09 100644
--- a/doc/administration/auth/ldap.md
+++ b/doc/administration/auth/ldap.md
@@ -136,14 +136,54 @@ main:
   ##
   verify_certificates: true
 
-  ##
-  ## Specifies the SSL version for OpenSSL to use, if the OpenSSL default
-  ## is not appropriate.
-  ##
-  ##   Example: 'TLSv1_1'
-  ##
-  ##
-  ssl_version: ''
+  # OpenSSL::SSL::SSLContext options.
+  tls_options:
+    # Specifies the path to a file containing a PEM-format CA certificate,
+    # e.g. if you need to use an internal CA.
+    #
+    #   Example: '/etc/ca.pem'
+    #
+    ca_file: ''
+
+    # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
+    # is not appropriate.
+    #
+    #   Example: 'TLSv1_1'
+    #
+    ssl_version: ''
+
+    # Specific SSL ciphers to use in communication with LDAP servers.
+    #
+    # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
+    ciphers: ''
+
+    # Client certificate
+    #
+    # Example:
+    #   cert: |
+    #     -----BEGIN CERTIFICATE-----
+    #     MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
+    #     bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
+    #     CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4
+    #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
+    #     ...
+    #     4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80
+    #     Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==
+    #     -----END CERTIFICATE -----
+    cert: ''
+
+    # Client private key
+    #   key: |
+    #     -----BEGIN PRIVATE KEY-----
+    #     MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6
+    #     bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN
+    #     7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C
+    #     rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
+    #     ...
+    #     +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9
+    #     l6RG+a/mW+0rCWn8JAd464Ps9hE=
+    #     -----END PRIVATE KEY-----
+    key: ''
 
   ##
   ## Set a timeout, in seconds, for LDAP queries. This helps avoid blocking