[pve-access-control.git] / PVE / Auth / LDAP.pm

package PVE::Auth::LDAP;

use strict;
use warnings;

use PVE::Tools;
use PVE::Auth::Plugin;
use PVE::LDAP;
use base qw(PVE::Auth::Plugin);

sub type {
    return 'ldap';
}

sub properties {
    return {
	base_dn => {
	    description => "LDAP base domain name",
	    type => 'string',
	    pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
	    optional => 1,
	    maxLength => 256,
	},
	user_attr => {
	    description => "LDAP user attribute name",
	    type => 'string',
	    pattern => '\S{2,}',
	    optional => 1,
	    maxLength => 256,
	},
	bind_dn => {
	    description => "LDAP bind domain name",
	    type => 'string',
	    pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
	    optional => 1,
	    maxLength => 256,
	},
	verify => {
	    description => "Verify the server's SSL certificate",
	    type => 'boolean',
	    optional => 1,
	    default => 0,
	},
	capath => {
	    description => "Path to the CA certificate store",
	    type => 'string',
	    optional => 1,
	    default => '/etc/ssl/certs',
	},
	cert => {
	    description => "Path to the client certificate",
	    type => 'string',
	    optional => 1,
	},
	certkey => {
	    description => "Path to the client certificate key",
	    type => 'string',
	    optional => 1,
	},
    };
}

sub options {
    return {
	server1 => {},
	server2 => { optional => 1 },
	base_dn => {},
	bind_dn => { optional => 1 },
	user_attr => {},
	port => { optional => 1 },
	secure => { optional => 1 },
	sslversion => { optional => 1 },
	default => { optional => 1 },
	comment => { optional => 1 },
	tfa => { optional => 1 },
	verify => { optional => 1 },
	capath => { optional => 1 },
	cert => { optional => 1 },
	certkey => { optional => 1 },
    };
}

sub connect_and_bind {
    my ($class, $config, $realm) = @_;

    my $servers = [$config->{server1}];
    push @$servers, $config->{server2} if $config->{server2};

    my $default_port = $config->{secure} ? 636: 389;
    my $port = $config->{port} // $default_port;
    my $scheme = $config->{secure} ? 'ldaps' : 'ldap';

    my %ldap_args;
    if ($config->{verify}) {
	$ldap_args{verify} = 'require';
	$ldap_args{clientcert} = $config->{cert} if $config->{cert};
	$ldap_args{clientkey} = $config->{certkey} if $config->{certkey};
	if (defined(my $capath = $config->{capath})) {
	    if (-d $capath) {
		$ldap_args{capath} = $capath;
	    } else {
		$ldap_args{cafile} = $capath;
	    }
	}
    } else {
	$ldap_args{verify} = 'none';
    }

    if ($config->{secure}) {
	$ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
    }

    my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args);

    my $bind_dn;
    my $bind_pass;

    if ($config->{bind_dn}) {
	$bind_dn = $config->{bind_dn};
	$bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
	die "missing password for realm $realm\n" if !defined($bind_pass);
    }

    PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);

    if (!$config->{base_dn}) {
	my $root = $ldap->root_dse(attrs => [ 'defaultNamingContext' ]);
	$config->{base_dn} = $root->get_value('defaultNamingContext');
    }

    return $ldap;
}

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    my $ldap = $class->connect_and_bind($config, $realm);

    my $user_dn = PVE::LDAP::get_user_dn($ldap, $username, $config->{user_attr}, $config->{base_dn});
    PVE::LDAP::auth_user_dn($ldap, $user_dn, $password);

    $ldap->unbind();
    return 1;
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::LDAP;
	2
	3	use strict;
7c410d63 DM	4	use warnings;
7c410d63 DM	5
b5040b42	6	use PVE::Tools;
5bb4e06a	7	use PVE::Auth::Plugin;
d9e93d2e	8	use PVE::LDAP;
5bb4e06a DM	9	use base qw(PVE::Auth::Plugin);
	10
	11	sub type {
	12	return 'ldap';
	13	}
	14
	15	sub properties {
	16	return {
	17	base_dn => {
	18	description => "LDAP base domain name",
	19	type => 'string',
	20	pattern => '\w+=[^,]+(,\s\w+=[^,]+)',
	21	optional => 1,
	22	maxLength => 256,
	23	},
	24	user_attr => {
	25	description => "LDAP user attribute name",
	26	type => 'string',
	27	pattern => '\S{2,}',
	28	optional => 1,
	29	maxLength => 256,
	30	},
b5040b42 WB	31	bind_dn => {
	32	description => "LDAP bind domain name",
	33	type => 'string',
	34	pattern => '\w+=[^,]+(,\s\w+=[^,]+)',
	35	optional => 1,
	36	maxLength => 256,
	37	},
e03c2aef WB	38	verify => {
	39	description => "Verify the server's SSL certificate",
	40	type => 'boolean',
	41	optional => 1,
	42	default => 0,
	43	},
	44	capath => {
	45	description => "Path to the CA certificate store",
	46	type => 'string',
	47	optional => 1,
	48	default => '/etc/ssl/certs',
	49	},
	50	cert => {
	51	description => "Path to the client certificate",
	52	type => 'string',
	53	optional => 1,
	54	},
	55	certkey => {
	56	description => "Path to the client certificate key",
	57	type => 'string',
	58	optional => 1,
	59	},
5bb4e06a DM	60	};
	61	}
	62
	63	sub options {
	64	return {
	65	server1 => {},
	66	server2 => { optional => 1 },
	67	base_dn => {},
b5040b42	68	bind_dn => { optional => 1 },
5bb4e06a DM	69	user_attr => {},
	70	port => { optional => 1 },
	71	secure => { optional => 1 },
07dd90d7	72	sslversion => { optional => 1 },
5bb4e06a DM	73	default => { optional => 1 },
5bb4e06a DM	74	comment => { optional => 1 },
96f8ebd6	75	tfa => { optional => 1 },
e03c2aef WB	76	verify => { optional => 1 },
	77	capath => { optional => 1 },
	78	cert => { optional => 1 },
	79	certkey => { optional => 1 },
5bb4e06a DM	80	};
	81	}
	82
30aad017 DC	83	sub connect_and_bind {
30aad017 DC	84	my ($class, $config, $realm) = @_;
d9e93d2e DC	85
	86	my $servers = [$config->{server1}];
	87	push @$servers, $config->{server2} if $config->{server2};
5bb4e06a DM	88
5bb4e06a DM	89	my $default_port = $config->{secure} ? 636: 389;
d9e93d2e	90	my $port = $config->{port} // $default_port;
5bb4e06a	91	my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
5bb4e06a	92
e03c2aef WB	93	my %ldap_args;
	94	if ($config->{verify}) {
	95	$ldap_args{verify} = 'require';
d9e93d2e DC	96	$ldap_args{clientcert} = $config->{cert} if $config->{cert};
d9e93d2e DC	97	$ldap_args{clientkey} = $config->{certkey} if $config->{certkey};
e03c2aef WB	98	if (defined(my $capath = $config->{capath})) {
	99	if (-d $capath) {
	100	$ldap_args{capath} = $capath;
	101	} else {
	102	$ldap_args{cafile} = $capath;
	103	}
	104	}
	105	} else {
	106	$ldap_args{verify} = 'none';
	107	}
	108
07dd90d7	109	if ($config->{secure}) {
3b7eaef1	110	$ldap_args{sslversion} = $config->{sslversion} \|\| 'tlsv1_2';
07dd90d7 AD	111	}
07dd90d7 AD	112
d9e93d2e DC	113	my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args);
	114
	115	my $bind_dn;
	116	my $bind_pass;
b5040b42	117
d9e93d2e DC	118	if ($config->{bind_dn}) {
	119	$bind_dn = $config->{bind_dn};
	120	$bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
b5040b42	121	die "missing password for realm $realm\n" if !defined($bind_pass);
b5040b42 WB	122	}
b5040b42 WB	123
d9e93d2e	124	PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
30aad017 DC	125
	126	if (!$config->{base_dn}) {
	127	my $root = $ldap->root_dse(attrs => [ 'defaultNamingContext' ]);
	128	$config->{base_dn} = $root->get_value('defaultNamingContext');
	129	}
	130
	131	return $ldap;
	132	}
	133
	134	sub authenticate_user {
	135	my ($class, $config, $realm, $username, $password) = @_;
	136
	137	my $ldap = $class->connect_and_bind($config, $realm);
	138
d9e93d2e DC	139	my $user_dn = PVE::LDAP::get_user_dn($ldap, $username, $config->{user_attr}, $config->{base_dn});
d9e93d2e DC	140	PVE::LDAP::auth_user_dn($ldap, $user_dn, $password);
5bb4e06a DM	141
5bb4e06a DM	142	$ldap->unbind();
d9e93d2e	143	return 1;
5bb4e06a DM	144	}
	145
	146	1;