use strict;
use warnings;
use Authen::PAM;
-use PVE::Tools;
+use PVE::Tools;
use PVE::JSONSchema qw(get_standard_option);
+use PVE::Exception qw(raise raise_perm_exc);
use PMG::UserConfig;
+use PMG::LDAPConfig;
+use PMG::LDAPSet;
sub normalize_path {
my $path = shift;
die "invalid pam user (only root allowed)\n" if $ruid ne 'root';
authenticate_pam_user($ruid, $password);
return $username;
- }
-
- if ($realm eq 'pmg') {
+ } elsif ($realm eq 'pmg') {
my $usercfg = PMG::UserConfig->new();
- $usercfg->authenticate_user($ruid, $password);
+ $usercfg->authenticate_user($username, $password);
return $username;
- }
+ } elsif ($realm eq 'quarantine') {
+ my $ldap_cfg = PMG::LDAPConfig->new();
+ my $ldap = PMG::LDAPSet->new_from_ldap_cfg($ldap_cfg, 1);
+
+ if (my $ldapinfo = $ldap->account_info($ruid, $password)) {
+ my $pmail = $ldapinfo->{pmail};
+ return $pmail . '@quarantine';
+ } else {
+ die "ldap login failed\n";
+ }
+ }
die "no such realm '$realm'\n";
}
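Review bot: The new quarantine branch builds the returned identity from `$ldapinfo->{pmail}` without checking it is defined, so a successful lookup for an entry that lacks a pmail value would return the bare string `@quarantine` (plus an uninitialized-value warning) instead of failing closed; `die "ldap login failed\n" if !defined($pmail) || $pmail eq '';` before the return closes that. It is also worth confirming that `account_info` rejects an empty `$password` before binding, because many LDAP servers treat a simple bind with an empty credential as an unauthenticated bind that succeeds; if it does not, `die "ldap login failed\n" if !defined($password) || $password eq '';` ahead of the lookup is the cheap guard. The enclosing authenticate subroutine starts outside this hunk.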
-sub domain_set_password {
- my ($realm, $ruid, $password) = @_;
+sub set_user_password {
+ my ($username, $password) = @_;
- die "no auth domain specified" if !$realm;
+ my ($ruid, $realm);
+
+ ($username, $ruid, $realm) = PMG::Utils::verify_username($username);
if ($realm eq 'pam') {
die "invalid pam user (only root allowed)\n" if $ruid ne 'root';
my $cmd = ['usermod'];
- my $epw = PMG::Utils::encrypt_pw($password);
+ my $epw = PVE::Tools::encrypt_pw($password);
push @$cmd, '-p', $epw, $ruid;
- run_command($cmd, errmsg => "change password for '$ruid' failed");
+ PVE::Tools::run_command($cmd, errmsg => "change password for '$ruid' failed");
} elsif ($realm eq 'pmg') {
- PMG::UserConfig->set_password($ruid, $password);
+ PMG::UserConfig->set_user_password($username, $password);
} else {
die "no such realm '$realm'\n";
}
}
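Review bot: The pam branch still passes the crypted password to `usermod` via `-p` on the command line (the `push` just above the new `PVE::Tools::run_command` call), so the hash is momentarily readable by any local user through the process list; feeding it on stdin instead, `PVE::Tools::run_command(['chpasswd', '-e'], input => "$ruid:$epw\n", errmsg => "change password for '$ruid' failed");`, keeps it out of argv. This predates the commit, but the hunk rewrites the line that executes the command, so it is the natural place to fix it. Separately, the new `PMG::Utils::verify_username` call depends on `PMG::Utils` being loaded, which the import block in this diff does not show; presumably it is imported elsewhere in the file, but confirm.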
# test if user exists and is enabled
+# returns: role
sub check_user_enabled {
- my ($username, $noerr) = @_;
+ my ($usercfg, $username, $noerr) = @_;
+
+ my ($ruid, $realm);
- my ($userid, $ruid, $realm) = PMG::Utils::verify_username($username, 1);
+ ($username, $ruid, $realm) = PMG::Utils::verify_username($username, 1);
if ($realm && $ruid) {
if ($realm eq 'pam') {
- return 1 if $ruid eq 'root';
+ return 'root' if $ruid eq 'root';
} elsif ($realm eq 'pmg') {
my $usercfg = PMG::UserConfig->new();
- my $data = $usercfg->check_user_exist($ruid, $noerr);
- return 1 if $data && $data->{enable};
+ my $data = $usercfg->lookup_user_data($username, $noerr);
+ return $data->{role} if $data && $data->{enable};
+ } elsif ($realm eq 'quarantine') {
+ return 'quser';
}
}
- die "user '$username' is disabled\n" if !$noerr;
+ raise_perm_exc("user '$username' is disabled") if !$noerr;
return undef;
}
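Review bot: The new `$usercfg` parameter added to the signature is never used, because the pmg branch still declares a fresh `my $usercfg = PMG::UserConfig->new();` that shadows it, so callers that pass an already-loaded config get the file re-read and any in-memory state ignored; replacing that line with `$usercfg //= PMG::UserConfig->new();` honours the argument while keeping the old no-argument behaviour. The quarantine branch returns `'quser'` for any name in that realm without consulting any store; if that is intentional because quarantine identities are only established through the LDAP login path, a comment such as `# quarantine users are verified against LDAP at login; no local enable flag exists` would save the next reader from wondering. Since the sub now documents "returns: role", note that the pam branch returns the literal `'root'` and the disabled path still ends in `return undef;`, which yields a one-element list in list context — `return;` is the idiomatic "nothing".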