use PVE::Tools;
use PVE::JSONSchema qw(get_standard_option);
+use PVE::Exception qw(raise raise_perm_exc);
use PMG::UserConfig;
+use PMG::LDAPConfig;
+use PMG::LDAPSet;
sub normalize_path {
my $path = shift;
die "invalid pam user (only root allowed)\n" if $ruid ne 'root';
authenticate_pam_user($ruid, $password);
return $username;
- }
-
- if ($realm eq 'pmg') {
+ } elsif ($realm eq 'pmg') {
my $usercfg = PMG::UserConfig->new();
$usercfg->authenticate_user($username, $password);
return $username;
- }
+ } elsif ($realm eq 'quarantine') {
+ my $ldap_cfg = PMG::LDAPConfig->new();
+ my $ldap = PMG::LDAPSet->new_from_ldap_cfg($ldap_cfg, 1);
+
+ if (my $ldapinfo = $ldap->account_info($ruid, $password)) {
+ my $pmail = $ldapinfo->{pmail};
+ return $pmail . '@quarantine';
+ } else {
+ die "ldap login failed\n";
+ }
+ }
die "no such realm '$realm'\n";
}
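Review bot: The new `quarantine` branch hands `$password` to `$ldap->account_info($ruid, $password)` with no check that it is non-empty; an LDAP simple bind with an empty password is an unauthenticated bind that many directories accept, so unless `account_info` (not shown here) rejects it, a blank password could log in as any quarantine user. Add `die "ldap login failed\n" if !defined($password) || $password eq '';` before the lookup. The branch also returns `$ldapinfo->{pmail} . '@quarantine'` rather than the `$username` that was presented, unlike the `pam` and `pmg` branches; if `pmail` can differ from `$ruid`, a comment such as `# the returned identity is the canonical mail address from LDAP, not the login name` would save callers a surprise. The enclosing sub begins outside this hunk, so the parsing of `$ruid`/`$realm` is not visible here.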
push @$cmd, '-p', $epw, $ruid;
- run_command($cmd, errmsg => "change password for '$ruid' failed");
+ PVE::Tools::run_command($cmd, errmsg => "change password for '$ruid' failed");
} elsif ($realm eq 'pmg') {
PMG::UserConfig->set_user_password($username, $password);
}
# test if user exists and is enabled
+# returns: role
sub check_user_enabled {
- my ($username, $noerr) = @_;
+ my ($usercfg, $username, $noerr) = @_;
my ($ruid, $realm);
if ($realm && $ruid) {
if ($realm eq 'pam') {
- return 1 if $ruid eq 'root';
+ return 'root' if $ruid eq 'root';
} elsif ($realm eq 'pmg') {
my $usercfg = PMG::UserConfig->new();
my $data = $usercfg->lookup_user_data($username, $noerr);
- return 1 if $data && $data->{enable};
+ return $data->{role} if $data && $data->{enable};
+ } elsif ($realm eq 'quarantine') {
+ return 'quser';
}
}
- die "user '$username' is disabled\n" if !$noerr;
+ raise_perm_exc("user '$username' is disabled") if !$noerr;
return undef;
}
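Review bot: The new `$usercfg` parameter of `check_user_enabled` is shadowed in the `pmg` branch, where `my $usercfg = PMG::UserConfig->new();` re-declares it, so whatever config a caller passes is ignored and `use warnings` will report a masked variable; drop that line and call `$usercfg->lookup_user_data($username, $noerr)` on the parameter (or put `$usercfg //= PMG::UserConfig->new();` at the top if callers may pass undef). The `quarantine` branch returns `'quser'` unconditionally, with no existence or enable check like the `pmg` branch performs; if that is intended because LDAP authentication already established the account, say so with `# quarantine users are validated by LDAP login; there is no local enable flag`. The `# returns: role` header should also mention that the sub returns undef when `$noerr` is set and raises a permission exception otherwise. Lines between `my ($ruid, $realm);` and the `if` are cut from this hunk, so the realm parsing is not visible here.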