1 package PVE
::Auth
::LDAP
;
10 use base
qw(PVE::Auth::Plugin);
19 description
=> "LDAP base domain name",
21 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
26 description
=> "LDAP user attribute name",
33 description
=> "LDAP bind domain name",
35 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
45 server2
=> { optional
=> 1 },
47 bind_dn
=> { optional
=> 1 },
49 port
=> { optional
=> 1 },
50 secure
=> { optional
=> 1 },
51 default => { optional
=> 1 },
52 comment
=> { optional
=> 1 },
53 tfa
=> { optional
=> 1 },
57 my $authenticate_user_ldap = sub {
58 my ($config, $server, $username, $password, $realm) = @_;
60 my $default_port = $config->{secure
} ?
636: 389;
61 my $port = $config->{port
} ?
$config->{port
} : $default_port;
62 my $scheme = $config->{secure
} ?
'ldaps' : 'ldap';
63 $server = "[$server]" if Net
::IP
::ip_is_ipv6
($server);
64 my $conn_string = "$scheme://${server}:$port";
66 my $ldap = Net
::LDAP-
>new($conn_string, verify
=> 'none') || die "$@\n";
68 if (my $bind_dn = $config->{bind_dn
}) {
69 my $bind_pass = PVE
::Tools
::file_read_firstline
("/etc/pve/priv/ldap/${realm}.pw");
70 die "missing password for realm $realm\n" if !defined($bind_pass);
71 my $res = $ldap->bind($bind_dn, password
=> $bind_pass);
72 my $code = $res->code();
73 my $err = $res->error;
74 die "failed to authenticate to ldap service: $err\n" if ($code);
77 my $search = $config->{user_attr
} . "=" . $username;
78 my $result = $ldap->search( base
=> "$config->{base_dn}",
83 die "no entries returned\n" if !$result->entries;
84 my @entries = $result->entries;
85 my $res = $ldap->bind($entries[0]->dn, password
=> $password);
87 my $code = $res->code();
88 my $err = $res->error;
92 die "$err\n" if ($code);
95 sub authenticate_user
{
96 my ($class, $config, $realm, $username, $password) = @_;
98 eval { &$authenticate_user_ldap($config, $config->{server1
}, $username, $password, $realm); };
101 die $err if !$config->{server2
};
102 &$authenticate_user_ldap($config, $config->{server2
}, $username, $password);