]> git.proxmox.com Git - pmg-api.git/blob - PMG/LDAPConfig.pm
projects / pmg-api.git / blob
? search:


9c12dbb0cfcf2cae05d660b94ffb681f06501d9d
[pmg-api.git] / PMG / LDAPConfig.pm
1 package PMG::LDAPConfig;
2
3 use strict;
4 use warnings;
5 use MIME::Base64;
6 use Data::Dumper;
7
8 use PVE::Tools;
9 use PVE::JSONSchema qw(get_standard_option);
10 use PVE::INotify;
11 use PVE::SectionConfig;
12
13 use base qw(PVE::SectionConfig);
14
15 my $inotify_file_id = 'pmg-ldap.conf';
16 my $config_filename = '/etc/pmg/ldap.conf';
17
18 my $defaultData = {
19 propertyList => {
20 type => { description => "Section type." },
21 profile => {
22 description => "Profile ID.",
23 type => 'string', format => 'pve-configid',
24 },
25 },
26 };
27
28 sub properties {
29 return {
30 disable => {
31 description => "Flag to disable/deactivate the entry.",
32 type => 'boolean',
33 optional => 1,
34 },
35 comment => {
36 description => "Description.",
37 type => 'string',
38 optional => 1,
39 maxLength => 4096,
40 },
41 mode => {
42 description => "LDAP protocol mode ('ldap' or 'ldaps').",
43 type => 'string',
44 enum => ['ldap', 'ldaps'],
45 default => 'ldap',
46 },
47 server1 => {
48 description => "Server address.",
49 type => 'string', format => 'address',
50 maxLength => 256,
51 },
52 server2 => {
53 description => "Fallback server address. Userd when the first server is not available.",
54 type => 'string', format => 'address',
55 maxLength => 256,
56 },
57 port => {
58 description => "Specify the port to connect to.",
59 type => 'integer',
60 minimum => 1,
61 maximum => 65535,
62 },
63 binddn => {
64 description => "Bind domain name.",
65 type => 'string',
66 },
67 bindpw => {
68 description => "Bind password.",
69 type => 'string',
70 },
71 basedn => {
72 description => "Base domain name.",
73 type => 'string',
74 },
75 groupbasedn => {
76 description => "Base domain name for groups.",
77 type => 'string',
78 },
79 filter => {
80 description => "LDAP filter.",
81 type => 'string',
82 },
83 accountattr => {
84 description => "Account attribute name name.",
85 type => 'string', format => 'string-list',
86 pattern => '[a-zA-Z0-9]+',
87 default => 'sAMAccountName, uid',
88 },
89 mailattr => {
90 description => "List of mail attribute names.",
91 type => 'string', format => 'string-list',
92 pattern => '[a-zA-Z0-9]+',
93 default => "mail, userPrincipalName, proxyAddresses, othermailbox",
94 },
95 };
96 }
97
98 sub options {
99 return {
100 disable => { optional => 1 },
101 comment => { optional => 1 },
102 server1 => { optional => 0 },
103 server2 => { optional => 1 },
104 port => { optional => 1 },
105 mode => { optional => 1 },
106 binddn => { optional => 1 },
107 bindpw => { optional => 1 },
108 basedn => { optional => 1 },
109 groupbasedn => { optional => 1 },
110 filter => { optional => 1 },
111 accountattr => { optional => 1 },
112 mailattr => { optional => 1 },
113 };
114 }
115
116 sub type {
117 return 'ldap';
118 }
119
120 sub private {
121 return $defaultData;
122 }
123
124 sub parse_section_header {
125 my ($class, $line) = @_;
126
127 if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
128 my ($type, $profileId) = ($1, $2);
129 my $errmsg = undef; # set if you want to skip whole section
130 eval { PVE::JSONSchema::pve_verify_configid($profileId); };
131 $errmsg = $@ if $@;
132 my $config = {}; # to return additional attributes
133 return ($type, $profileId, $errmsg, $config);
134 }
135 return undef;
136 }
137
138 sub parse_config {
139 my ($class, $filename, $raw) = @_;
140
141 my $cfg = $class->SUPER::parse_config($filename, $raw);
142
143 foreach my $profile (keys %{$cfg->{ids}}) {
144 my $data = $cfg->{ids}->{$profile};
145
146 $data->{comment} = PVE::Tools::decode_text($data->{comment})
147 if defined($data->{comment});
148
149 $data->{bindpw} = decode_base64($data->{bindpw})
150 if defined($data->{bindpw});
151 }
152
153 return $cfg;
154 }
155
156 sub write_config {
157 my ($class, $filename, $cfg) = @_;
158
159 foreach my $profile (keys %{$cfg->{ids}}) {
160 my $data = $cfg->{ids}->{$profile};
161
162 $data->{comment} = PVE::Tools::encode_text($data->{comment})
163 if defined($data->{comment});
164
165 $data->{bindpw} = encode_base64($data->{bindpw}, '')
166 if defined($data->{bindpw});
167 }
168
169 $class->SUPER::write_config($filename, $cfg);
170 }
171
172 sub new {
173 my ($type) = @_;
174
175 my $class = ref($type) || $type;
176
177 my $cfg = PVE::INotify::read_file($inotify_file_id);
178
179 return bless $cfg, $class;
180 }
181
182 sub write {
183 my ($self) = @_;
184
185 PVE::INotify::write_file($inotify_file_id, $self);
186 }
187
188 my $lockfile = "/var/lock/pmgldapconfig.lck";
189
190 sub lock_config {
191 my ($code, $errmsg) = @_;
192
193 my $p = PVE::Tools::lock_file($lockfile, undef, $code);
194 if (my $err = $@) {
195 $errmsg ? die "$errmsg: $err" : die $err;
196 }
197 }
198
199
200 __PACKAGE__->register();
201 __PACKAGE__->init();
202
203 sub read_pmg_ldap_conf {
204 my ($filename, $fh) = @_;
205
206 local $/ = undef; # slurp mode
207
208 my $raw = defined($fh) ? <$fh> : '';
209
210 return __PACKAGE__->parse_config($filename, $raw);
211 }
212
213 sub write_pmg_ldap_conf {
214 my ($filename, $fh, $cfg) = @_;
215
216 my $raw = __PACKAGE__->write_config($filename, $cfg);
217
218 my $gid = getgrnam('www-data');
219 chown(0, $gid, $fh);
220 chmod(0640, $fh);
221
222 PVE::Tools::safe_print($filename, $fh, $raw);
223 }
224
225 PVE::INotify::register_file($inotify_file_id, $config_filename,
226 \&read_pmg_ldap_conf,
227 \&write_pmg_ldap_conf,
228 undef,
229 always_call_parser => 1);
230
231
232 1;
PMG API