X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=PMG%2FLDAPConfig.pm;h=9e4fd9e7e4a90083843f384644604eb0b8098fdf;hb=2473cb81ec3085bcd4c2f21be12a2c905f44cd21;hp=c75c1c14b7e72e62192feaf426a8f5cc29062fd5;hpb=2aeda4acdc09eaff5a8dd7a98e2b7e0eb930f3e2;p=pmg-api.git diff --git a/PMG/LDAPConfig.pm b/PMG/LDAPConfig.pm index c75c1c1..9e4fd9e 100644 --- a/PMG/LDAPConfig.pm +++ b/PMG/LDAPConfig.pm @@ -12,6 +12,22 @@ use PVE::SectionConfig; use base qw(PVE::SectionConfig); +PVE::JSONSchema::register_format('ldap-simple-attr', \&verify_ldap_simple_attr); +sub verify_ldap_simple_attr { + my ($attr, $noerr) = @_; + + if ($attr =~ m/^[a-zA-Z0-9]+$/) { + return $attr; + } + + die "value '$attr' does not look like a simple ldap attribute name\n" if !$noerr; + + return undef; +} + +my $inotify_file_id = 'pmg-ldap.conf'; +my $config_filename = '/etc/pmg/ldap.conf'; + my $defaultData = { propertyList => { type => { description => "Section type." }, @@ -22,6 +38,7 @@ my $defaultData = { }, }; + sub properties { return { disable => { @@ -36,11 +53,22 @@ sub properties { maxLength => 4096, }, mode => { - description => "LDAP protocol mode ('ldap' or 'ldaps').", + description => "LDAP protocol mode ('ldap', 'ldaps' or 'ldap+starttls').", type => 'string', - enum => ['ldap', 'ldaps'], + enum => ['ldap', 'ldaps', 'ldap+starttls'], default => 'ldap', }, + verify => { + description => "Verify server certificate. Only useful with ldaps or ldap+starttls.", + type => 'boolean', + default => 0, + optional => 1, + }, + cafile => { + description => "Path to CA file. Only useful with option 'verify'", + type => 'string', + optional => 1, + }, server1 => { description => "Server address.", type => 'string', format => 'address', 
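Review bot: The `$` anchor in the new `verify_ldap_simple_attr` pattern `m/^[a-zA-Z0-9]+$/` also matches before a trailing newline, so a value such as `"uid\n"` passes as a simple attribute name even though this validator is what the `ldap-simple-attr-list` format for `accountattr`, `mailattr` and `groupclass` relies on. Since these names are presumably used verbatim in LDAP filters elsewhere (not visible here), the check should be strict: `if ($attr =~ m/\A[a-zA-Z0-9]+\z/) {`. A one-line comment above the sub saying what it rejects and why (no spaces, wildcards or filter metacharacters) would tell the next reader the intent is sanitisation, not just formatting.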
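Review bot: The new `verify` property defaults to 0, so an `ldaps` or `ldap+starttls` connection is encrypted but the server is never authenticated, and the description does not say so; a reader of the schema will assume TLS implies a checked certificate. I would spell it out: `description => "Verify server certificate. Only useful with ldaps or ldap+starttls. Without it the connection is encrypted but not protected against man-in-the-middle attacks.",`. `cafile` should likewise state that it is ignored unless `verify` is enabled, and the unchanged default `mode => 'ldap'` (credentials sent in clear) deserves the same warning in its description. The `properties` sub starts above this hunk.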
@@ -79,15 +107,18 @@ sub properties { }, accountattr => { description => "Account attribute name name.", - type => 'string', - pattern => '[a-zA-Z0-9]+', - default => 'sAMAccountName', + type => 'string', format => 'ldap-simple-attr-list', + default => 'sAMAccountName, uid', }, mailattr => { description => "List of mail attribute names.", - type => 'string', format => 'string-list', - pattern => '[a-zA-Z0-9]+', - default => "mail, userPrincipalName, proxyAddresses, othermailbox", + type => 'string', format => 'ldap-simple-attr-list', + default => "mail, userPrincipalName, proxyAddresses, othermailbox, mailAlternativeAddress", + }, + groupclass => { + description => "List of objectclasses for groups.", + type => 'string', format => 'ldap-simple-attr-list', + default => "group, univentionGroup, ipausergroup", }, }; } @@ -107,6 +138,9 @@ sub options { filter => { optional => 1 }, accountattr => { optional => 1 }, mailattr => { optional => 1 }, + groupclass => { optional => 1 }, + verify => { optional => 1 }, + cafile => { optional => 1 }, }; } @@ -166,6 +200,22 @@ sub write_config { $class->SUPER::write_config($filename, $cfg); } +sub new { + my ($type) = @_; + + my $class = ref($type) || $type; + + my $cfg = PVE::INotify::read_file($inotify_file_id); + + return bless $cfg, $class; +} + +sub write { + my ($self) = @_; + + PVE::INotify::write_file($inotify_file_id, $self); +} + my $lockfile = "/var/lock/pmgldapconfig.lck"; sub lock_config { @@ -186,7 +236,7 @@ sub read_pmg_ldap_conf { local $/ = undef; # slurp mode - my $raw = <$fh>; + my $raw = defined($fh) ? <$fh> : ''; return __PACKAGE__->parse_config($filename, $raw); } 
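Review bot: `accountattr` now carries the list format with a two-element default `'sAMAccountName, uid'`, but its description on the new side still reads "Account attribute name name." (singular, with a duplicated word), so the schema text disagrees with the values it accepts. I would change it to `description => "List of account attribute names.",` to match `mailattr`'s "List of mail attribute names." Any consumer that treated `accountattr` as a single attribute before this change lives outside the hunk and is presumably updated elsewhere in the commit; worth confirming. The `properties` sub begins before this hunk.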
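Review bot: The new `write` method persists `$self` through `PVE::INotify::write_file` without touching `lock_config`, and nothing documents who is responsible for the lock, so two concurrent callers can each `new`, modify and `write` and one set of changes is lost. Either `write` should take the lock itself or, if callers are expected to wrap it (the `$lockfile`/`lock_config` definitions directly below suggest so), the contract should be written down: `# NOTE: not locked - callers must wrap new()/write() in lock_config()`. A one-line comment on `new` stating that it returns the parsed configuration read via `PVE::INotify::read_file`, blessed into the class, would also help, since the `$inotify_file_id` it uses is defined near the top of the file.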
@@ -196,14 +246,18 @@ sub write_pmg_ldap_conf { my $raw = __PACKAGE__->write_config($filename, $cfg); - chmod(0600, $fh); + my $gid = getgrnam('www-data'); + chown(0, $gid, $fh); + chmod(0640, $fh); PVE::Tools::safe_print($filename, $fh, $raw); } -PVE::INotify::register_file('pmg-ldap.conf', "/etc/pmg/ldap.conf", +PVE::INotify::register_file($inotify_file_id, $config_filename, \&read_pmg_ldap_conf, - \&write_pmg_ldap_conf); + \&write_pmg_ldap_conf, + undef, + always_call_parser => 1); 1;
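Review bot: `getgrnam('www-data')` in `write_pmg_ldap_conf` is used unchecked: if the group is missing, `$gid` is undef, `chown(0, $gid, $fh)` numifies it to 0 and silently leaves the file owned by root:root, and the return values of `chown` and `chmod` are ignored too, so a failure to apply the intended `0640` mode on a file that likely holds LDAP bind credentials goes unnoticed. I would fail loudly: `my $gid = getgrnam('www-data') // die "group 'www-data' not found\n";`, `chown(0, $gid, $fh) or die "chown failed - $!\n";` and `chmod(0640, $fh) or die "chmod failed - $!\n";`. A short comment explaining why the mode is widened from 0600 to group-readable (presumably because the API daemon runs as www-data and must read it) would also record that this deliberately exposes the bind secret to that process. The `write_pmg_ldap_conf` sub opens above this hunk, so how `$fh` is created, and with what initial mode before `chmod` runs, is not visible here.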