# REST API handlers for LDAP profile management (PVE::RESTHandler subclass,
# see the `use base` line below). Each handler is registered further down
# with __PACKAGE__->register_method.
package PMG::API2::LDAP;
8 use PVE
::Tools
qw(extract_param);
9 use HTTP
::Status
qw(:constants);
10 use Storable
qw(dclone);
11 use PVE
::JSONSchema
qw(get_standard_option);
19 use base
qw(PVE::RESTHandler);
__PACKAGE__->register_method ({
    # Directory index: one summary entry per configured LDAP profile.
    # NOTE(review): this rendering dropped several lines of the original
    # (name/path/method, the parameters/returns nesting, the `code => sub {`
    # header, the `my $entry = {` / push / return lines and closing braces);
    # the tokens below are reflowed but otherwise as found.
    description => "List configured LDAP profiles.",
    permissions => { check => [ 'admin', 'audit' ] },   # read-only: audit may list
    additionalProperties => 0,
    # fields of each returned entry
    profile => { type => 'string'},
    disable => { type => 'boolean' },
    server1 => { type => 'string'},
    server2 => { type => 'string', optional => 1},
    comment => { type => 'string', optional => 1},
    # counts come from the LDAP set below; mcount is the mail-address count
    # (per the error text in $forced_ldap_sync), g/u presumably groups/users
    gcount => { type => 'integer', optional => 1},
    mcount => { type => 'integer', optional => 1},
    ucount => { type => 'integer', optional => 1},
    mode => { type => 'string'},
    links => [ { rel => 'child', href => "{profile}" } ],
    my $ldap_cfg = PMG::LDAPConfig->new();
    # second argument (1): meaning not visible in this file — see PMG::LDAPSet
    my $ldap_set = PMG::LDAPSet->new_from_ldap_cfg($ldap_cfg, 1);
    # $ldap_cfg was already passed to new_from_ldap_cfg above, so this
    # defined() guard comes too late to protect that call
    if (defined($ldap_cfg)) {
        foreach my $profile (keys %{$ldap_cfg->{ids}}) {
            my $d = $ldap_cfg->{ids}->{$profile};
            # the visible copies are field by field; bindpw is not among
            # them, so the bind password does not end up in the listing
            disable => $d->{disable} ? 1 : 0,   # normalise to 1/0 for the boolean schema
            server1 => $d->{server1},
            mode => $d->{mode} // 'ldap',       # only a missing mode falls back to 'ldap'
            $entry->{server2} = $d->{server2} if defined($d->{server2});
            $entry->{comment} = $d->{comment} if defined($d->{comment});
            # inner $d shadows the outer one: from here on it is the LDAPSet entry
            if (my $d = $ldap_set->{$profile}) {
                foreach my $k (qw(gcount mcount ucount)) {
                    # $v is presumably $d->{$k}; its `my` line is not shown
                    $entry->{$k} = $v if defined($v);
# Shared helper for the create/update/sync handlers: run a sync against the
# given profile config and die if it does not yield usable data, so a broken
# profile is rejected instead of being accepted silently.
# $profile: profile id. $config: the profile's option hash; it is splatted
# into the cache constructor, so the bind credentials travel with it.
my $forced_ldap_sync = sub {
    my ($profile, $config) = @_;
    # syncmode 2 — presumably "force a fresh sync" (the list handlers below
    # use 1); confirm against PMG::LDAPCache
    my $ldapcache = PMG::LDAPCache->new(
        id => $profile, syncmode => 2, %$config);
    # whatever the cache collected in {errors} is re-thrown to the caller
    die $ldapcache->{errors} if $ldapcache->{errors};
    # a profile that yields no mail addresses counts as a failure
    die "unable to find valid email addresses\n"
        if !$ldapcache->{mcount};
    # (closing `};` not in this excerpt)
__PACKAGE__->register_method ({
    # Create a new LDAP profile.
    # NOTE(review): name/path/method/proto, the `my $code = sub {` header,
    # the condition of the "already exists" die, the config write and the
    # closing braces are not in this rendering.
    permissions => { check => [ 'admin' ] },   # write operation: admin only
    description => "Add LDAP profile.",
    # input is validated against the section-config schema before the code runs
    parameters => PMG::LDAPConfig->createSchema(1),
    returns => { type => 'null' },
    my $cfg = PMG::LDAPConfig->new();
    my $ids = $cfg->{ids};
    my $profile = extract_param($param, 'profile');
    my $type = $param->{type};   # not used in the visible lines
    die "LDAP profile '$profile' already exists\n"
    # (the die's `if ...` condition line is not shown)
    # third argument 1 here vs 0 in update_config — presumably create mode
    my $config = PMG::LDAPConfig->check_config($profile, $param, 1, 1);
    $ids->{$profile} = $config;
    # probe the profile before it is persisted: a failed sync dies, which
    # presumably aborts the locked section before the (not shown) write
    $forced_ldap_sync->($profile, $config)
        if !$config->{disable};
    # read-modify-write runs under the config lock; the string is the error
    # prefix reported if $code dies
    PMG::LDAPConfig::lock_config($code, "add LDAP profile failed");
__PACKAGE__->register_method ({
    # Per-profile directory index: lists the sub-paths available below
    # /{profile}.
    # NOTE(review): no `permissions` entry is visible for this handler in
    # this rendering — confirm whether the index is intentionally open or
    # the line was merely elided.
    name => 'profile_index',
    description => "Directory index",
    additionalProperties => 0,
    # the {profile} path parameter
    description => "Profile ID.",
    type => 'string', format => 'pve-configid',
    # one { subdir => ... } entry per child path
    subdir => { type => 'string'},
    links => [ { rel => 'child', href => "{subdir}" } ],
    { subdir => 'config' },
    { subdir => 'sync' },
    { subdir => 'users' },
    { subdir => 'groups' },
__PACKAGE__->register_method ({
    # Return one profile's configuration (minus the bind password).
    # NOTE(review): method/proto, the `code => sub {` header, the return and
    # closing braces are not in this rendering.
    name => 'read_config',
    path => '{profile}/config',
    description => "Get LDAP profile configuration.",
    permissions => { check => [ 'admin', 'audit' ] },
    additionalProperties => 0,
    description => "Profile ID.",
    type => 'string', format => 'pve-configid',
    my $cfg = PMG::LDAPConfig->new();
    my $profile = $param->{profile};
    my $data = $cfg->{ids}->{$profile};
    die "LDAP profile '$profile' does not exist\n" if !$data;
    # we do not want to get the password over the api
    # $data aliases the entry inside the freshly loaded $cfg, so this
    # mutates that object rather than a copy; fine as long as $cfg is not
    # written back or reused afterwards (Storable::dclone is imported at the
    # top of the file if a detached copy is ever wanted)
    delete $data->{bindpw};
    # the digest lets update_config detect a concurrent modification
    $data->{digest} = $cfg->{digest};
__PACKAGE__->register_method ({
    # Update an existing profile: optional `delete` list of options to drop,
    # then merge the validated options from the request.
    # NOTE(review): method/proto, the `my $code = sub {` header, loop closing
    # braces, the config write and the outer closing are not in this rendering.
    name => 'update_config',
    path => '{profile}/config',
    description => "Update LDAP profile settings.",
    permissions => { check => [ 'admin' ] },
    parameters => PMG::LDAPConfig->updateSchema(),
    returns => { type => 'null' },
    my $cfg = PMG::LDAPConfig->new();
    my $ids = $cfg->{ids};
    # optimistic concurrency: reject the update if the config changed since
    # the client read it (digest comes from read_config)
    my $digest = extract_param($param, 'digest');
    PVE::SectionConfig::assert_if_modified($cfg, $digest);
    my $profile = extract_param($param, 'profile');
    die "LDAP profile '$profile' does not exist\n"
        if !$ids->{$profile};
    my $delete_str = extract_param($param, 'delete');
    die "no options specified\n"
        if !$delete_str && !scalar(keys %$param);
    # NOTE(review): option names from `delete` are removed as given, without
    # being checked against the schema or a list of deletable keys; whether
    # a now-missing required key is caught later is not visible here
    foreach my $opt (PVE::Tools::split_list($delete_str)) {
        delete $ids->{$profile}->{$opt};
    # third argument 0 (vs 1 in the create handler) — presumably update mode
    my $config = PMG::LDAPConfig->check_config($profile, $param, 0, 1);
    # merged key by key, so $config appears to hold only this request's options
    foreach my $p (keys %$config) {
        $ids->{$profile}->{$p} = $config->{$p};
    # NOTE(review): the test looks at $config (this request), not at the
    # stored profile, so a request that omits `disable` triggers a sync even
    # for a profile whose stored config is disabled — compare sync_profile,
    # which checks the stored value; confirm this is intended
    $forced_ldap_sync->($profile, $config)
        if !$config->{disable};
    PMG::LDAPConfig::lock_config($code, "update LDAP profile failed");
__PACKAGE__->register_method ({
    # Trigger a sync of one profile into the local database.
    # NOTE(review): method/proto, the `code => sub {` header, closing braces
    # and the return are not in this rendering; no lock_config call is
    # visible for this handler either — check whether concurrent syncs of the
    # same profile need serialising.
    name => 'sync_profile',
    path => '{profile}/sync',
    # "Synchronice" (sic) is a user-visible string and left untouched here
    description => "Synchronice LDAP users to local database.",
    permissions => { check => [ 'admin' ] },
    additionalProperties => 0,
    description => "Profile ID.",
    type => 'string', format => 'pve-configid',
    returns => { type => 'null' },
    my $cfg = PMG::LDAPConfig->new();
    my $ids = $cfg->{ids};
    my $profile = extract_param($param, 'profile');
    die "LDAP profile '$profile' does not exist\n"
        if !$ids->{$profile};
    my $config = $ids->{$profile};
    # uses the stored flag, unlike update_config which tests the request
    if ($config->{disable}) {
        die "LDAP profile '$profile' is disabled\n";
    $forced_ldap_sync->($profile, $config)
__PACKAGE__->register_method ({
    # Delete a profile and its cached directory data.
    # NOTE(review): name/path/method, the `my $code = sub {` header, the
    # config write and closing braces are not in this rendering.
    description => "Delete an LDAP profile",
    permissions => { check => [ 'admin' ] },
    additionalProperties => 0,
    description => "Profile ID.",
    type => 'string', format => 'pve-configid',
    returns => { type => 'null' },
    my $cfg = PMG::LDAPConfig->new();
    my $ids = $cfg->{ids};
    my $profile = $param->{profile};
    die "LDAP profile '$profile' does not exist\n"
        if !$ids->{$profile};
    delete $ids->{$profile};
    # drop the cached users/groups/addresses too, so stale directory data
    # does not outlive the profile
    PMG::LDAPCache->delete($profile);
    PMG::LDAPConfig::lock_config($code, "delete LDAP profile failed");
__PACKAGE__->register_method ({
    # List the users known for one profile, from the LDAP cache.
    # NOTE(review): method/proto, parameter/return nesting, the `code => sub {`
    # header and closing braces are not in this rendering.
    name => 'profile_list_users',
    path => '{profile}/users',
    description => "List LDAP users.",
    permissions => { check => [ 'admin', 'audit' ] },
    additionalProperties => 0,
    description => "Profile ID.",
    type => 'string', format => 'pve-configid',
    # fields of each returned user entry
    dn => { type => 'string'},
    account => { type => 'string'},
    pmail => { type => 'string'},
    links => [ { rel => 'child', href => "{pmail}" } ],
    my $cfg = PMG::LDAPConfig->new();
    my $ids = $cfg->{ids};
    my $profile = $param->{profile};
    die "LDAP profile '$profile' does not exist\n"
        if !$ids->{$profile};
    my $config = $ids->{$profile};
    # a disabled profile yields an empty list, not an error
    return [] if $config->{disable};
    # syncmode 1 (vs 2 in $forced_ldap_sync) — presumably read the existing
    # cache rather than force a sync; confirm against PMG::LDAPCache
    my $ldapcache = PMG::LDAPCache->new(
        id => $profile, syncmode => 1, %$config);
    return $ldapcache->list_users();
__PACKAGE__->register_method ({
    # All mail addresses of one user (looked up by address) in a profile.
    # NOTE(review): method/proto, parameter/return nesting, the `code => sub {`
    # header, the die's condition line, the return and closing braces are not
    # in this rendering.
    name => 'address_list',
    path => '{profile}/users/{email}',
    description => "Get all email addresses for the specified user.",
    permissions => { check => [ 'admin', 'audit' ] },
    additionalProperties => 0,
    description => "Profile ID.",
    type => 'string', format => 'pve-configid',
    description => "Email address.",
    type => 'string', format => 'email',   # validated before the handler runs
    # fields of each returned entry
    primary => { type => 'boolean'},
    email => { type => 'string'},
    my $cfg = PMG::LDAPConfig->new();
    my $ids = $cfg->{ids};
    my $profile = $param->{profile};
    die "LDAP profile '$profile' does not exist\n"
        if !$ids->{$profile};
    my $config = $ids->{$profile};
    # unlike the list handlers (which return []), a disabled profile is an
    # error here
    die "profile '$profile' is disabled\n" if $config->{disable};
    # syncmode 1 — see profile_list_users
    my $ldapcache = PMG::LDAPCache->new(
        id => $profile, syncmode => 1, %$config);
    my $res = $ldapcache->list_addresses($param->{email});
    # the address interpolated into the message passed the 'email' format check
    die "unable to find ldap user with email address '$param->{email}'\n"
__PACKAGE__->register_method ({
    # List the groups known for one profile, from the LDAP cache.
    # NOTE(review): method/proto, parameter/return nesting, the `code => sub {`
    # header and closing braces are not in this rendering.
    name => 'profile_list_groups',
    path => '{profile}/groups',
    description => "List LDAP groups.",
    permissions => { check => [ 'admin', 'audit' ] },
    additionalProperties => 0,
    description => "Profile ID.",
    type => 'string', format => 'pve-configid',
    # fields of each returned group entry
    dn => { type => 'string'},
    gid => { type => 'number' },
    links => [ { rel => 'child', href => "{gid}" } ],
    my $cfg = PMG::LDAPConfig->new();
    my $ids = $cfg->{ids};
    my $profile = $param->{profile};
    die "LDAP profile '$profile' does not exist\n"
        if !$ids->{$profile};
    my $config = $ids->{$profile};
    # a disabled profile yields an empty list, not an error
    return [] if $config->{disable};
    # syncmode 1 — see profile_list_users
    my $ldapcache = PMG::LDAPCache->new(
        id => $profile, syncmode => 1, %$config);
    return $ldapcache->list_groups();
503 __PACKAGE__-
>register_method ({
504 name
=> 'profile_list_group_members',
505 path
=> '{profile}/groups/{gid}',
507 description
=> "List LDAP group members.",
508 permissions
=> { check
=> [ 'admin', 'audit' ] },
512 additionalProperties
=> 0,
515 description
=> "Profile ID.",
516 type
=> 'string', format
=> 'pve-configid',
519 description
=> "Group ID",
529 dn
=> { type
=> 'string'},
530 account
=> { type
=> 'string' },
531 pmail
=> { type
=> 'string' },
538 my $cfg = PMG
::LDAPConfig-
>new();
539 my $ids = $cfg->{ids
};
541 my $profile = $param->{profile
};
543 die "LDAP profile '$profile' does not exist\n"
544 if !$ids->{$profile};
546 my $config = $ids->{$profile};
548 return [] if $config->{disable
};
550 my $ldapcache = PMG
::LDAPCache-
>new(
551 id
=> $profile, syncmode
=> 1, %$config);
553 return $ldapcache->list_users($param->{gid
});