1 | package PVE::Auth::LDAP; |
2 | ||
3 | use strict; | |
4 | use warnings; |
5 | ||
b5040b42 | 6 | use PVE::Tools; |
5bb4e06a | 7 | use PVE::Auth::Plugin; |
d9e93d2e | 8 | use PVE::LDAP; |
9 | use base qw(PVE::Auth::Plugin); |
10 | ||
# Type tag of this auth plugin. The base class PVE::Auth::Plugin is
# expected to dispatch realm sections to the plugin whose type() matches.
sub type {
    my $plugin_type = 'ldap';
    return $plugin_type;
}
14 | ||
# Realm-specific configuration properties of this plugin as a JSON-Schema
# style hash (property name => { type, pattern, optional, default, ... }).
# Properties common to all realm types are not listed here; they are
# expected to come from PVE::Auth::Plugin.
sub properties {
    # A DN is a comma separated list of `attr=value` pairs. base_dn and
    # bind_dn share the same shape, so they share the pattern.
    my $dn_pattern = '\w+=[^,]+(,\s*\w+=[^,]+)*';

    my %props = (
        base_dn => {
            description => "LDAP base domain name",
            type => 'string',
            pattern => $dn_pattern,
            optional => 1,
            maxLength => 256,
        },
        user_attr => {
            description => "LDAP user attribute name",
            type => 'string',
            pattern => '\S{2,}',
            optional => 1,
            maxLength => 256,
        },
        bind_dn => {
            description => "LDAP bind domain name",
            type => 'string',
            pattern => $dn_pattern,
            optional => 1,
            maxLength => 256,
        },
        # Certificate verification is opt-in: unless a realm sets verify=1,
        # connect_and_bind passes verify => 'none' to the connection and the
        # server certificate is not checked, even with secure=1.
        verify => {
            description => "Verify the server's SSL certificate",
            type => 'boolean',
            optional => 1,
            default => 0,
        },
        # connect_and_bind treats capath as a CA directory when it names a
        # directory and as a single CA bundle file otherwise.
        capath => {
            description => "Path to the CA certificate store",
            type => 'string',
            optional => 1,
            default => '/etc/ssl/certs',
        },
        cert => {
            description => "Path to the client certificate",
            type => 'string',
            optional => 1,
        },
        certkey => {
            description => "Path to the client certificate key",
            type => 'string',
            optional => 1,
        },
    );

    return \%props;
}
62 | ||
# Which config keys a realm section of this type may carry. Entries with
# `optional => 1` may be omitted; entries with an empty hash presumably
# are required (confirm against PVE::SectionConfig, which consumes this).
sub options {
    my @required = qw(server1 base_dn user_attr);
    my @optional = qw(
        server2 bind_dn port secure sslversion default comment tfa
        verify capath cert certkey
    );

    my %opts = (
        (map { $_ => {} } @required),
        (map { $_ => { optional => 1 } } @optional),
    );

    return \%opts;
}
82 | ||
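# Connect to the realm's LDAP server(s) and bind, either with the configured
# bind_dn (password read from the realm's password file under
# /etc/pve/priv/ldap/) or anonymously when no bind_dn is configured.
#
# Arguments: $class; the realm $config hash (keys as per properties() and
# options()); the realm name $realm.
# Returns the bound handle produced by PVE::LDAP::ldap_connect.
# Dies when bind_dn is set but the password file is missing or holds an
# empty first line, when base_dn is unset and the server's root DSE cannot
# be read, and (via PVE::LDAP) on connection or bind failure.
#
# Side effect: when base_dn is unset it is filled in from the server's root
# DSE, i.e. the caller's $config hash is modified.
sub connect_and_bind {
    my ($class, $config, $realm) = @_;

    my $servers = [$config->{server1}];
    push @$servers, $config->{server2} if $config->{server2};

    my $default_port = $config->{secure} ? 636 : 389;
    my $port = $config->{port} // $default_port;
    my $scheme = $config->{secure} ? 'ldaps' : 'ldap';

    my %ldap_args;
    if ($config->{verify}) {
        $ldap_args{verify} = 'require';
        $ldap_args{clientcert} = $config->{cert} if $config->{cert};
        $ldap_args{clientkey} = $config->{certkey} if $config->{certkey};
        if (defined(my $capath = $config->{capath})) {
            # capath may name a CA directory or a single bundle file; they
            # are passed on as distinct options (presumably Net::LDAP's
            # capath/cafile — confirm in PVE::LDAP::ldap_connect).
            if (-d $capath) {
                $ldap_args{capath} = $capath;
            } else {
                $ldap_args{cafile} = $capath;
            }
        }
    } else {
        # verify defaults to 0 in properties(), so unless the realm opts in
        # the server certificate is not checked at all, even for ldaps.
        $ldap_args{verify} = 'none';
    }

    if ($config->{secure}) {
        $ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
    }

    my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args);

    my $bind_dn;
    my $bind_pass;

    if ($config->{bind_dn}) {
        $bind_dn = $config->{bind_dn};
        # NOTE(review): $realm is interpolated into a file path; this relies
        # on the realm id having been validated by the realm schema before
        # reaching this point — confirm at the callers.
        $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
        die "missing password for realm $realm\n" if !defined($bind_pass);
        # A simple bind with a DN but an empty password is an unauthenticated
        # bind in LDAP; fail loudly rather than silently binding without
        # credentials.
        die "empty password for realm $realm\n" if $bind_pass eq '';
    }

    PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);

    if (!$config->{base_dn}) {
        my $root = $ldap->root_dse(attrs => [ 'defaultNamingContext' ]);
        # root_dse may return undef; give a clear error instead of a method
        # call on an undefined value.
        die "unable to read the root DSE of the LDAP server to determine base_dn\n"
            if !$root;
        $config->{base_dn} = $root->get_value('defaultNamingContext');
    }

    return $ldap;
}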
133 | ||
# Authenticate $username/$password against the realm: bind with the realm's
# service credentials (or anonymously), resolve the user's DN by user_attr
# below base_dn, then verify the password by binding as that DN.
# Returns 1 on success. There is no false return path: failures are expected
# to surface as exceptions from connect_and_bind or PVE::LDAP.
sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    my $ldap = $class->connect_and_bind($config, $realm);

    my ($user_attr, $base_dn) = @{$config}{qw(user_attr base_dn)};
    my $user_dn = PVE::LDAP::get_user_dn($ldap, $username, $user_attr, $base_dn);
    PVE::LDAP::auth_user_dn($ldap, $user_dn, $password);

    # Only reached when the user bind did not throw; when it does, the handle
    # is left to be released when it goes out of scope.
    $ldap->unbind();

    return 1;
}
145 | ||
1; # a module file must end in a true value