package PMG::LDAPConfig;

use strict;
use warnings;
use MIME::Base64;
use Data::Dumper; # not referenced anywhere in this file

use PVE::Tools;
use PVE::JSONSchema qw(get_standard_option);
use PVE::INotify;
use PVE::SectionConfig;

# Section-config plugin for the 'ldap' profile entries of /etc/pmg/ldap.conf:
# the schema (properties/options), the header parser and the config
# reader/writer hooks below are what the base class and PVE::INotify call.
use base qw(PVE::SectionConfig);

# Registers the 'ldap-simple-attr' schema format. The 'ldap-simple-attr-list'
# format used by the attribute properties below is presumably derived from it
# by PVE::JSONSchema (split the list, check each element) -- confirm there.
PVE::JSONSchema::register_format('ldap-simple-attr', \&verify_ldap_simple_attr);
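# Format checker for 'ldap-simple-attr': accepts only a bare, ASCII
# alphanumeric attribute name (e.g. 'sAMAccountName').
#
# Parameters:
#   $attr  - the value to check
#   $noerr - if true, return undef on a bad value instead of dying
#
# Returns the attribute name unchanged when valid; undef when $noerr is set
# and the value is invalid; otherwise dies with a one-line message.
sub verify_ldap_simple_attr {
    my ($attr, $noerr) = @_;

    # Anchored with \A/\z rather than ^/$: with '$' a value carrying a
    # trailing newline would also pass, and that is not a usable name.
    if ($attr =~ m/\A[a-zA-Z0-9]+\z/) {
	return $attr;
    }

    die "value '$attr' does not look like a simple ldap attribute name\n" if !$noerr;

    # undef (rather than an empty list) is what the schema checker expects
    return undef;
}
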
# Key under which the config is registered with PVE::INotify (see the
# register_file call at the end of this file) and the file it refers to.
my $inotify_file_id = 'pmg-ldap.conf';
my $config_filename = '/etc/pmg/ldap.conf';

# Plugin-private data returned by private(): the properties every section
# header carries (its type and the profile ID). Presumably merged with
# properties() by the base class during init() -- see PVE::SectionConfig.
my $defaultData = {
    propertyList => {
	type => { description => "Section type." },
	profile => {
	    description => "Profile ID.",
	    type => 'string', format => 'pve-configid',
	},
    },
};


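# Schema of the per-profile properties of the 'ldap' section type.
# Returns a hash ref of property name => JSON-schema fragment; which of them
# may be omitted is declared separately in options().
sub properties {
    return {
	disable => {
	    description => "Flag to disable/deactivate the entry.",
	    type => 'boolean',
	    optional => 1,
	},
	comment => {
	    description => "Description.",
	    type => 'string',
	    optional => 1,
	    maxLength => 4096,
	},
	mode => {
	    description => "LDAP protocol mode ('ldap', 'ldaps' or 'ldap+starttls').",
	    type => 'string',
	    enum => ['ldap', 'ldaps', 'ldap+starttls'],
	    default => 'ldap',
	},
	# NOTE: certificate verification is off unless explicitly enabled, so
	# choosing a TLS mode alone does not authenticate the server.
	verify => {
	    description => "Verify server certificate. Only useful with ldaps or ldap+starttls.",
	    type => 'boolean',
	    default => 0,
	    optional => 1,
	},
	cafile => {
	    description => "Path to CA file. Only useful with option 'verify'",
	    type => 'string',
	    optional => 1,
	},
	server1 => {
	    description => "Server address.",
	    type => 'string', format => 'address',
	    maxLength => 256,
	},
	server2 => {
	    # typo fixed: "Userd" -> "Used"
	    description => "Fallback server address. Used when the first server is not available.",
	    type => 'string', format => 'address',
	    maxLength => 256,
	},
	port => {
	    description => "Specify the port to connect to.",
	    type => 'integer',
	    minimum => 1,
	    maximum => 65535,
	},
	binddn => {
	    description => "Bind domain name.",
	    type => 'string',
	},
	# Stored base64-encoded in the config file by write_config(); that is
	# an encoding, not encryption -- the file permissions set in
	# write_pmg_ldap_conf() are what protect it.
	bindpw => {
	    description => "Bind password.",
	    type => 'string',
	},
	basedn => {
	    description => "Base domain name.",
	    type => 'string',
	},
	groupbasedn => {
	    description => "Base domain name for groups.",
	    type => 'string',
	},
	filter => {
	    description => "LDAP filter.",
	    type => 'string',
	},
	accountattr => {
	    # typo fixed: "name name" -> "name"
	    description => "Account attribute name.",
	    type => 'string', format => 'ldap-simple-attr-list',
	    default => 'sAMAccountName, uid',
	},
	mailattr => {
	    description => "List of mail attribute names.",
	    type => 'string', format => 'ldap-simple-attr-list',
	    default => "mail, userPrincipalName, proxyAddresses, othermailbox, mailAlternativeAddress",
	},
	groupclass => {
	    description => "List of objectclasses for groups.",
	    type => 'string', format => 'ldap-simple-attr-list',
	    default => "group, univentionGroup, ipausergroup",
	},
    };
}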
# Which of the properties() may be left out of a section: every key except
# server1 is optional. Returns a hash ref of name => { optional => 0|1 }.
sub options {
    my @optional_keys = qw(
	disable comment server2 port mode binddn bindpw basedn groupbasedn
	filter accountattr mailattr groupclass verify cafile
    );

    my %option_of = map { $_ => { optional => 1 } } @optional_keys;
    $option_of{server1} = { optional => 0 };

    return \%option_of;
}

# Section type name, i.e. the word before the colon in a section header.
sub type {
    my $section_type = 'ldap';
    return $section_type;
}

# Hands the plugin-private data (the section-header properties) to the
# PVE::SectionConfig machinery.
sub private {
    my ($class) = @_;
    return $defaultData;
}

# Parses a section header line of the form '<type>: <profile>'.
#
# Returns undef when the line is not a section header, otherwise the list
# ($type, $profileId, $errmsg, $config): $errmsg is set when the profile ID
# is not a valid configid (the caller is expected to skip the whole section
# then), $config is an empty hash for additional attributes.
sub parse_section_header {
    my ($class, $line) = @_;

    return undef if $line !~ m/^(?<type>\S+):\s*(?<id>\S+)\s*$/;

    my $type = $+{type};
    my $profile_id = $+{id};

    # a bad profile ID is reported via $errmsg instead of dying so that the
    # caller can skip just this section
    eval { PVE::JSONSchema::pve_verify_configid($profile_id); };
    my $errmsg = $@ ? $@ : undef;

    my $extra_attrs = {}; # to return additional attributes

    return ($type, $profile_id, $errmsg, $extra_attrs);
}

# Reads the config through the base class and then undoes the on-disk
# encodings of each profile entry: comment is text-decoded, bindpw is
# base64-decoded. Returns the parsed config (ids => { profile => data }).
sub parse_config {
    my ($class, $filename, $raw) = @_;

    my $cfg = $class->SUPER::parse_config($filename, $raw);

    # values() aliases the entry hash refs, so the edits land in $cfg
    for my $entry (values %{ $cfg->{ids} }) {
	if (defined $entry->{comment}) {
	    $entry->{comment} = PVE::Tools::decode_text($entry->{comment});
	}
	if (defined $entry->{bindpw}) {
	    $entry->{bindpw} = decode_base64($entry->{bindpw});
	}
    }

    return $cfg;
}

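# Serialises the config: comment is text-encoded and bindpw is base64-encoded
# (an obfuscation only, not encryption) before the base class renders the
# sections. Returns what the base class returns (the raw file content, see
# write_pmg_ldap_conf).
#
# The caller's $cfg is left untouched. The previous version encoded the
# entries in place, so writing the same object twice would have base64-encoded
# the password a second time.
sub write_config {
    my ($class, $filename, $cfg) = @_;

    # shallow copies of the container and of every entry that gets modified
    my $encoded_cfg = { %$cfg, ids => {} };

    foreach my $profile (keys %{$cfg->{ids}}) {
	my $data = { %{$cfg->{ids}->{$profile}} };

	$data->{comment} = PVE::Tools::encode_text($data->{comment})
	    if defined($data->{comment});

	$data->{bindpw} = encode_base64($data->{bindpw}, '')
	    if defined($data->{bindpw});

	$encoded_cfg->{ids}->{$profile} = $data;
    }

    return $class->SUPER::write_config($filename, $encoded_cfg);
}
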
# Constructor: loads the current config through the PVE::INotify cache and
# blesses the parsed hash into this class (or into the class of the object
# the method was invoked on).
sub new {
    my ($proto) = @_;

    my $class = ref($proto) ? ref($proto) : $proto;

    my $parsed = PVE::INotify::read_file($inotify_file_id);

    return bless $parsed, $class;
}

# Writes this config object back through PVE::INotify, which in turn calls
# write_pmg_ldap_conf() below.
sub write {
    my ($self) = @_;

    return PVE::INotify::write_file($inotify_file_id, $self);
}

# Lock file taken by lock_config() around config updates.
my $lockfile = "/var/lock/pmgldapconfig.lck";

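# Runs $code while holding the config lock, so that concurrent
# read-modify-write cycles of the config do not clobber each other.
#
# Parameters:
#   $code   - code ref executed under the lock
#   $errmsg - optional prefix for the error message when $code fails
#
# Dies, re-throwing the error from the locked call (prefixed by $errmsg if
# given), when that call failed; lock_file() reports this through $@.
sub lock_config {
    my ($code, $errmsg) = @_;

    # the return value used to be stored in a local that was never read
    PVE::Tools::lock_file($lockfile, undef, $code);
    if (my $err = $@) {
	die $errmsg ? "$errmsg: $err" : $err;
    }
}
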

# PVE::SectionConfig plugin registration; init() is expected to assemble the
# per-type schema from private(), properties() and options() above (base
# class behaviour, not visible in this file).
__PACKAGE__->register();
__PACKAGE__->init();

# PVE::INotify reader hook: slurps the open handle $fh (a missing handle is
# treated as an empty file, presumably why register_file sets
# always_call_parser) and hands the raw text to parse_config().
sub read_pmg_ldap_conf {
    my ($filename, $fh) = @_;

    local $/; # slurp mode

    my $raw = '';
    $raw = <$fh> if defined($fh);

    return __PACKAGE__->parse_config($filename, $raw);
}

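# PVE::INotify writer hook: renders $cfg via write_config() and writes the
# result to the already-open handle $fh.
#
# The file carries the (base64-encoded) bind password, so it is made
# root:www-data 0640 before the content goes in. A failed group lookup,
# chown or chmod now dies instead of silently leaving the file with whatever
# permissions it was created with.
sub write_pmg_ldap_conf {
    my ($filename, $fh, $cfg) = @_;

    my $raw = __PACKAGE__->write_config($filename, $cfg);

    my $gid = getgrnam('www-data');
    die "unable to lookup group 'www-data'\n" if !defined($gid);
    chown(0, $gid, $fh) or die "chown '$filename' failed: $!\n";
    chmod(0640, $fh) or die "chmod '$filename' failed: $!\n";

    PVE::Tools::safe_print($filename, $fh, $raw);
}
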

# Hook the file into the PVE::INotify cache: read_pmg_ldap_conf parses it,
# write_pmg_ldap_conf writes it. always_call_parser => 1 presumably makes the
# reader run even without an open file (read_pmg_ldap_conf handles an undef
# handle for that case).
PVE::INotify::register_file($inotify_file_id, $config_filename,
			    \&read_pmg_ldap_conf,
			    \&write_pmg_ldap_conf,
			    undef,
			    always_call_parser => 1);


1;