package PVE::Auth::LDAP;
use strict;
+use warnings;
+
+use PVE::Tools;
use PVE::Auth::Plugin;
use Net::LDAP;
+use Net::IP;
use base qw(PVE::Auth::Plugin);
sub type {
optional => 1,
maxLength => 256,
},
+ bind_dn => {
+ description => "LDAP bind domain name",
+ type => 'string',
+ pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
+ optional => 1,
+ maxLength => 256,
+ },
};
}
server1 => {},
server2 => { optional => 1 },
base_dn => {},
+ bind_dn => { optional => 1 },
user_attr => {},
port => { optional => 1 },
secure => { optional => 1 },
default => { optional => 1 },
comment => { optional => 1 },
+ tfa => { optional => 1 },
};
}
my $authenticate_user_ldap = sub {
- my ($config, $server, $username, $password) = @_;
+ my ($config, $server, $username, $password, $realm) = @_;
my $default_port = $config->{secure} ? 636: 389;
my $port = $config->{port} ? $config->{port} : $default_port;
my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
+ $server = "[$server]" if Net::IP::ip_is_ipv6($server);
my $conn_string = "$scheme://${server}:$port";
my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
+
+ if (my $bind_dn = $config->{bind_dn}) {
+ my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
+ die "missing password for realm $realm\n" if !defined($bind_pass);
+ my $res = $ldap->bind($bind_dn, password => $bind_pass);
+ my $code = $res->code();
+ my $err = $res->error;
+ die "failed to authenticate to ldap service: $err\n" if ($code);
+ }
+
my $search = $config->{user_attr} . "=" . $username;
my $result = $ldap->search( base => "$config->{base_dn}",
scope => "sub",
sub authenticate_user {
my ($class, $config, $realm, $username, $password) = @_;
- eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); };
+ eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); };
my $err = $@;
return 1 if !$err;
die $err if !$config->{server2};