]>
git.proxmox.com Git - pve-access-control.git/blob - PVE/Auth/AD.pm
88b2098355bd3d1bf9cfb32be6ea257083b891d1
8 use base
qw(PVE::Auth::LDAP);
17 description
=> "Server IP address (or DNS name)",
23 description
=> "Fallback Server IP address (or DNS name)",
30 description
=> "Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.",
35 description
=> "LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!",
37 enum
=> [qw(tlsv1 tlsv1_1 tlsv1_2 tlsv1_3)],
41 description
=> "Use this as default realm",
46 description
=> "Description.",
52 description
=> "Server port.",
59 description
=> "AD domain name",
65 tfa
=> PVE
::JSONSchema
::get_standard_option
('tfa'),
72 server2
=> { optional
=> 1 },
74 port
=> { optional
=> 1 },
75 secure
=> { optional
=> 1 },
76 sslversion
=> { optional
=> 1 },
77 default => { optional
=> 1 },,
78 comment
=> { optional
=> 1 },
79 tfa
=> { optional
=> 1 },
80 verify
=> { optional
=> 1 },
81 capath
=> { optional
=> 1 },
82 cert
=> { optional
=> 1 },
83 certkey
=> { optional
=> 1 },
84 base_dn
=> { optional
=> 1 },
85 bind_dn
=> { optional
=> 1 },
86 password
=> { optional
=> 1 },
87 user_attr
=> { optional
=> 1 },
88 filter
=> { optional
=> 1 },
89 sync_attributes
=> { optional
=> 1 },
90 user_classes
=> { optional
=> 1 },
91 group_dn
=> { optional
=> 1 },
92 group_name_attr
=> { optional
=> 1 },
93 group_filter
=> { optional
=> 1 },
94 group_classes
=> { optional
=> 1 },
95 'sync-defaults-options' => { optional
=> 1 },
96 mode
=> { optional
=> 1 },
97 'case-sensitive' => { optional
=> 1 },
102 my ($class, $config, $realm) = @_;
104 $config->{user_attr
} //= 'sAMAccountName';
106 return $class->SUPER::get_users
($config, $realm);
109 sub authenticate_user
{
110 my ($class, $config, $realm, $username, $password) = @_;
112 my $servers = [$config->{server1
}];
113 push @$servers, $config->{server2
} if $config->{server2
};
115 my ($scheme, $port) = $class->get_scheme_and_port($config);
118 if ($config->{verify
}) {
119 $ad_args{verify
} = 'require';
120 $ad_args{clientcert
} = $config->{cert
} if $config->{cert
};
121 $ad_args{clientkey
} = $config->{certkey
} if $config->{certkey
};
122 if (defined(my $capath = $config->{capath
})) {
124 $ad_args{capath
} = $capath;
126 $ad_args{cafile
} = $capath;
129 } elsif (defined($config->{verify
})) {
130 $ad_args{verify
} = 'none';
133 if ($scheme ne 'ldap') {
134 $ad_args{sslversion
} = $config->{sslversion
} // 'tlsv1_2';
137 my $ldap = PVE
::LDAP
::ldap_connect
($servers, $scheme, $port, \
%ad_args);
139 $username = "$username\@$config->{domain}"
140 if $username !~ m/@/ && $config->{domain
};
142 PVE
::LDAP
::auth_user_dn
($ldap, $username, $password);