--- /dev/null
+package PVE::Auth::AD;
+
+use strict;
+use warnings;
+use PVE::Auth::LDAP;
+use PVE::LDAP;
+
+use base qw(PVE::Auth::LDAP);
+
+sub type {
+ return 'ad';
+}
+
+sub properties {
+ return {
+ server1 => {
+ description => "Server IP address (or DNS name)",
+ type => 'string',
+ format => 'address',
+ maxLength => 256,
+ },
+ server2 => {
+ description => "Fallback Server IP address (or DNS name)",
+ type => 'string',
+ optional => 1,
+ format => 'address',
+ maxLength => 256,
+ },
+ secure => {
+ description => "Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.",
+ type => 'boolean',
+ optional => 1,
+ },
+ sslversion => {
+ description => "LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!",
+ type => 'string',
+ enum => [qw(tlsv1 tlsv1_1 tlsv1_2 tlsv1_3)],
+ optional => 1,
+ },
+ default => {
+ description => "Use this as default realm",
+ type => 'boolean',
+ optional => 1,
+ },
+ comment => {
+ description => "Description.",
+ type => 'string',
+ optional => 1,
+ maxLength => 4096,
+ },
+ port => {
+ description => "Server port.",
+ type => 'integer',
+ minimum => 1,
+ maximum => 65535,
+ optional => 1,
+ },
+ domain => {
+ description => "AD domain name",
+ type => 'string',
+ pattern => '\S+',
+ optional => 1,
+ maxLength => 256,
+ },
+ tfa => PVE::JSONSchema::get_standard_option('tfa'),
+ };
+}
+
+sub options {
+ return {
+ server1 => {},
+ server2 => { optional => 1 },
+ domain => {},
+ port => { optional => 1 },
+ secure => { optional => 1 },
+ sslversion => { optional => 1 },
+ default => { optional => 1 },,
+ comment => { optional => 1 },
+ tfa => { optional => 1 },
+ verify => { optional => 1 },
+ capath => { optional => 1 },
+ cert => { optional => 1 },
+ certkey => { optional => 1 },
+ base_dn => { optional => 1 },
+ bind_dn => { optional => 1 },
+ password => { optional => 1 },
+ user_attr => { optional => 1 },
+ filter => { optional => 1 },
+ sync_attributes => { optional => 1 },
+ user_classes => { optional => 1 },
+ group_dn => { optional => 1 },
+ group_name_attr => { optional => 1 },
+ group_filter => { optional => 1 },
+ group_classes => { optional => 1 },
+ 'sync-defaults-options' => { optional => 1 },
+ mode => { optional => 1 },
+ 'case-sensitive' => { optional => 1 },
+ };
+}
+
+sub get_users {
+ my ($class, $config, $realm) = @_;
+
+ $config->{user_attr} //= 'sAMAccountName';
+
+ return $class->SUPER::get_users($config, $realm);
+}
+
+sub authenticate_user {
+ my ($class, $config, $realm, $username, $password) = @_;
+
+ my $servers = [$config->{server1}];
+ push @$servers, $config->{server2} if $config->{server2};
+
+ my ($scheme, $port) = $class->get_scheme_and_port($config);
+
+ my %ad_args;
+ if ($config->{verify}) {
+ $ad_args{verify} = 'require';
+ $ad_args{clientcert} = $config->{cert} if $config->{cert};
+ $ad_args{clientkey} = $config->{certkey} if $config->{certkey};
+ if (defined(my $capath = $config->{capath})) {
+ if (-d $capath) {
+ $ad_args{capath} = $capath;
+ } else {
+ $ad_args{cafile} = $capath;
+ }
+ }
+ } elsif (defined($config->{verify})) {
+ $ad_args{verify} = 'none';
+ }
+
+ if ($scheme ne 'ldap') {
+ $ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2';
+ }
+
+ my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ad_args);
+
+ $username = "$username\@$config->{domain}"
+ if $username !~ m/@/ && $config->{domain};
+
+ PVE::LDAP::auth_user_dn($ldap, $username, $password);
+
+ $ldap->unbind();
+ return 1;
+}
+
+1;