# Active Directory realm for PVE authentication.  The realm's configuration
# schema is given by properties()/options() below; authenticate_user()
# binds to the configured server(s) through PVE::LDAP.
package PVE::Auth::AD;

use strict;
use warnings;
use PVE::Auth::Plugin;
use PVE::LDAP;

# Inherit the common realm plugin behaviour.
use base qw(PVE::Auth::Plugin);
# Realm type name under which this plugin is registered.
sub type {
    my $realm_type = 'ad';
    return $realm_type;
}
13 | ||
# JSON schema for the configuration keys this realm declares itself.
# options() additionally lists verify/capath/cert/certkey, which are not
# declared here.
sub properties {
    # Schema fragment shared by both server entries: an address (IP or DNS
    # name) of bounded length.
    my %address_schema = (
        type => 'string',
        format => 'address',
        maxLength => 256,
    );

    my %schema = (
        server1 => {
            description => "Server IP address (or DNS name)",
            %address_schema,
        },
        server2 => {
            description => "Fallback Server IP address (or DNS name)",
            optional => 1,
            %address_schema,
        },
        secure => {
            description => "Use secure LDAPS protocol.",
            type => 'boolean',
            optional => 1,
        },
        # TLS version handed to the LDAPS connection.  authenticate_user()
        # substitutes tlsv1_2 when this is unset and 'secure' is enabled;
        # the older values stay in the enum only for compatibility.
        sslversion => {
            description => "LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!",
            type => 'string',
            enum => [qw(tlsv1 tlsv1_1 tlsv1_2 tlsv1_3)],
            optional => 1,
        },
        default => {
            description => "Use this as default realm",
            type => 'boolean',
            optional => 1,
        },
        comment => {
            description => "Description.",
            type => 'string',
            optional => 1,
            maxLength => 4096,
        },
        port => {
            description => "Server port.",
            type => 'integer',
            minimum => 1,
            maximum => 65535,
            optional => 1,
        },
        # Appended to bare login names in authenticate_user(); marked
        # optional here, but options() treats it as required.
        domain => {
            description => "AD domain name",
            type => 'string',
            pattern => '\S+',
            optional => 1,
            maxLength => 256,
        },
        tfa => PVE::JSONSchema::get_standard_option('tfa'),
    );

    return \%schema;
}
68 | ||
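# Configuration keys accepted by an AD realm and whether each may be
# omitted.  'domain' is required here although properties() declares it
# optional — this table is the stricter of the two.  verify, capath, cert
# and certkey are not declared in properties() above; presumably they come
# from the base plugin's schema (PVE::Auth::Plugin) — confirm before
# changing them.
sub options {
    # Keys that must be present in the realm configuration.
    my @required = qw(server1 domain);

    # Keys that may be left out.
    my @optional = qw(
        server2 port secure sslversion default comment tfa
        verify capath cert certkey
    );

    my %option_of = map { $_ => {} } @required;
    $option_of{$_} = { optional => 1 } for @optional;

    return \%option_of;
}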
86 | ||
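# Authenticate $username against the configured AD server(s) over LDAP.
#
# $config holds the realm settings (see properties()/options()); $realm is
# not used here.  The password is checked by binding as the user via
# PVE::LDAP::auth_user_dn; since this sub returns 1 unconditionally, a
# failed bind can only surface as an exception from that call.
sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    # server1 first, server2 (the fallback) only when configured; the
    # ordered list is handed to PVE::LDAP::ldap_connect.
    my $servers = [ $config->{server1} ];
    push @$servers, $config->{server2} if $config->{server2};

    my $secure = $config->{secure};
    my $scheme = $secure ? 'ldaps' : 'ldap';
    my $port = $config->{port} // ($secure ? 636 : 389);

    my %ad_args;
    if ($config->{verify}) {
        # Certificate verification requested: require a valid chain and
        # pass the optional client certificate/key through.
        $ad_args{verify} = 'require';
        $ad_args{clientcert} = $config->{cert} if $config->{cert};
        $ad_args{clientkey} = $config->{certkey} if $config->{certkey};
        if (defined(my $capath = $config->{capath})) {
            # A directory is used as a CA path, anything else as a single
            # CA file.
            if (-d $capath) {
                $ad_args{capath} = $capath;
            } else {
                $ad_args{cafile} = $capath;
            }
        }
    } elsif (defined($config->{verify})) {
        # Explicitly set to false: disable verification.
        $ad_args{verify} = 'none';
    }
    # NOTE(review): when 'verify' is unset no verify option is passed at
    # all; the effective behaviour is then whatever ldap_connect does by
    # default — confirm before relying on it.

    # sslversion only applies to LDAPS and defaults to TLS 1.2, as the
    # property description recommends.  It is silently ignored when
    # 'secure' is off.
    if ($secure) {
        $ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2';
    }

    my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ad_args);

    # Qualify a bare login name with the realm's domain.  A name that
    # already contains '@' is bound exactly as given — assumes the caller
    # validated it beforehand; verify.
    $username = "$username\@$config->{domain}"
        if $username !~ m/@/ && $config->{domain};

    # Release the connection even when the bind fails, then re-throw the
    # original error so callers still see the failure.
    eval { PVE::LDAP::auth_user_dn($ldap, $username, $password); };
    my $err = $@;
    $ldap->unbind();
    die $err if $err;

    return 1;
}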
127 | ||
1;    # module files must end with a true value