1 package PMG
:: RuleDB
:: LDAP
;
7 use PVE
:: Exception
qw(raise_param_exc) ;
10 use PMG
:: RuleDB
:: Object
;
14 use base
qw(PMG::RuleDB::Object) ;
29 my ( $type, $ldapgroup, $profile, $ogroup ) = @_ ;
31 my $class = ref ( $type ) || $type ;
33 my $self = $class -> SUPER :: new
( $class -> otype (), $ogroup );
35 $self ->{ ldapgroup
} = $ldapgroup // '' ;
36 $self ->{ profile
} = $profile // '' ;
42 my ( $type, $ruledb, $id, $ogroup, $value ) = @_ ;
44 my $class = ref ( $type ) || $type ;
46 defined ( $value ) || die "undefined value: ERROR" ;
49 if ( $value =~ m/^([^:]*):(.*)$/ ) {
50 $obj = $class -> new ( $2, $1, $ogroup );
51 $obj ->{ digest
} = Digest
:: SHA
:: sha1_hex
( $id, $2, $1, $ogroup );
53 $obj = $class -> new ( $value, '' , $ogroup );
54 $obj ->{ digest
} = Digest
:: SHA
:: sha1_hex
( $id, $value, '#' , $ogroup );
63 my ( $self, $ruledb ) = @_ ;
65 defined ( $self ->{ ogroup
}) || die "undefined ogroup: ERROR" ;
66 defined ( $self ->{ ldapgroup
}) || die "undefined ldap group: ERROR" ;
67 defined ( $self ->{ profile
}) || die "undefined ldap profile: ERROR" ;
69 my $grp = $self ->{ ldapgroup
};
70 my $profile = $self ->{ profile
};
72 my $confdata = " $profile : $grp " ;
74 if ( defined ( $self ->{ id
})) {
78 "UPDATE Object SET Value = ? WHERE ID = ?" ,
79 undef , $confdata, $self ->{ id
});
84 my $sth = $ruledb ->{ dbh
}-> prepare (
85 "INSERT INTO Object (Objectgroup_ID, ObjectType, Value) " .
88 $sth -> execute ( $self ->{ ogroup
}, $self -> otype , $confdata );
90 $self ->{ id
} = PMG
:: Utils
:: lastid
( $ruledb ->{ dbh
}, 'object_id_seq' );
97 my ( $ldap, $addr, $group, $profile ) = @_ ;
100 return $ldap -> mail_exists ( $addr, $profile );
101 } elsif ( $group eq '-' ) {
102 return ! $ldap -> mail_exists ( $addr, $profile );
104 return $ldap -> user_in_group ( $addr, $group, $profile );
106 # fail if we have a real $group without $profile
112 my ( $self, $addr, $ip, $ldap ) = @_ ;
116 return test_ldap
( $ldap, $addr, $self ->{ ldapgroup
}, $self ->{ profile
});
124 my $profile = $self ->{ profile
};
125 my $group = $self ->{ ldapgroup
};
128 $desc = "Existing LDAP address" ;
130 $desc .= ", profile ' $profile '" ;
132 $desc .= ", any profile" ;
134 } elsif ( $group eq '-' ) {
135 $desc = "Unknown LDAP address" ;
137 $desc .= ", profile ' $profile '" ;
139 $desc .= ", any profile" ;
142 $desc = "LDAP group ' $group ', profile ' $profile '" ;
144 $desc = "LDAP group without profile - fail always" ;
155 description
=> "Operational mode. You can either match 'any' user, match when no such user exists with 'none', or match when the user is member of a specific group." ,
157 enum
=> [ 'any' , 'none' , 'group' ],
160 description
=> "Profile ID." ,
161 type
=> 'string' , format
=> 'pve-configid' ,
165 description
=> "LDAP Group DN" ,
177 my $group = $self ->{ ldapgroup
};
178 my $profile = $self ->{ profile
},
183 $data ->{ mode
} = 'any' ;
184 } elsif ( $group eq '-' ) {
185 $data ->{ mode
} = 'none' ;
187 $data ->{ mode
} = 'group' ;
188 $data ->{ group
} = $group ;
191 $data ->{ profile
} = $profile if $profile ne '' ;
197 my ( $self, $param ) = @_ ;
199 my $mode = $param ->{ mode
};
201 if ( defined ( my $profile = $param ->{ profile
})) {
202 my $cfg = PVE
:: INotify
:: read_file
( "pmg-ldap.conf" );
203 my $config = $cfg ->{ ids
}->{ $profile };
204 die "LDAP profile ' $profile ' does not exist \n " if ! $config ;
206 if ( defined ( my $group = $param ->{ group
})) {
207 my $ldapcache = PMG
:: LDAPCache-
> new (
208 id
=> $profile, syncmode
=> 1 , %$config );
210 die "LDAP group ' $group ' does not exist \n "
211 if ! $ldapcache -> group_exists ( $group );
215 if ( $mode eq 'any' ) {
216 raise_param_exc
({ group
=> "parameter not allwed with mode ' $mode '" })
217 if defined ( $param ->{ group
});
218 $self ->{ ldapgroup
} = '' ;
219 $self ->{ profile
} = $param ->{ profile
} // '' ;
220 } elsif ( $mode eq 'none' ) {
221 raise_param_exc
({ group
=> "parameter not allwed with mode ' $mode '" })
222 if defined ( $param ->{ group
});
223 $self ->{ ldapgroup
} = '-' ;
224 $self ->{ profile
} = $param ->{ profile
} // '' ;
225 } elsif ( $mode eq 'group' ) {
226 raise_param_exc
({ group
=> "parameter is required with mode ' $mode '" })
227 if ! defined ( $param ->{ group
});
228 $self ->{ ldapgroup
} = $param ->{ group
};
229 raise_param_exc
({ profile
=> "parameter is required with mode ' $mode '" })
230 if ! defined ( $param ->{ profile
});
231 $self ->{ profile
} = $param ->{ profile
};
233 die "internal error" ; # just to me sure
241 =head1 PMG::RuleDB::LDAP
243 A WHO object to check LDAP groups
249 An LDAP group DN (compared ignoring case). Two sentinel values are also accepted: the empty string, which matches any address that exists in LDAP (mode 'any'), and '-', which matches addresses that do not exist in LDAP (mode 'none'); see test_ldap and update_attr.
253 The LDAP profile ID (a key of pmg-ldap.conf). It may be empty for the two sentinel groups, but a real group DN without a profile never matches (test_ldap fails in that case).
257 $obj = PMG::RuleDB::LDAP->new('groupname', 'profile_name');