define LDAP API access permission

diff --git a/PMG/API2/LDAP.pm b/PMG/API2/LDAP.pm
index 72013d32848190cc874d159651c4fc9e75c28e38..fdf6a5696ce8fdf90996b2212069402e0cb9508f 100644 (file)
--- a/PMG/API2/LDAP.pm
+++ b/PMG/API2/LDAP.pm
@@ -24,7 +24,7 @@ __PACKAGE__->register_method ({
     method => 'GET',
     description => "List configured LDAP profiles.",
     proxyto => 'master',
-    protected => 1,
+    permissions => { check => [ 'admin' ] },
     parameters => {
        additionalProperties => 0,
        properties => {},
@@ -99,6 +99,7 @@ __PACKAGE__->register_method ({
     path => '',
     method => 'POST',
     proxyto => 'master',
+    permissions => { check => [ 'admin' ] },
     protected => 1,
     description => "Add LDAP profile.",
     parameters => PMG::LDAPConfig->createSchema(1),
@@ -140,6 +141,9 @@ __PACKAGE__->register_method ({
     path => '{profile}',
     method => 'GET',
     description => "Directory index",
+    permissions => {
+       user => 'all',
+    },
     parameters => {
        additionalProperties => 0,
        properties => {
@@ -176,7 +180,7 @@ __PACKAGE__->register_method ({
     method => 'GET',
     description => "Get LDAP profile configuration.",
     proxyto => 'master',
-    protected => 1,
+    permissions => { check => [ 'admin' ] },
     parameters => {
        additionalProperties => 0,
        properties => {
@@ -207,6 +211,7 @@ __PACKAGE__->register_method ({
     path => '{profile}/config',
     method => 'PUT',
     description => "Update LDAP profile settings.",
+    permissions => { check => [ 'admin' ] },
     protected => 1,
     proxyto => 'master',
     parameters => PMG::LDAPConfig->updateSchema(),
@@ -257,6 +262,7 @@ __PACKAGE__->register_method ({
     path => '{profile}/sync',
     method => 'POST',
     description => "Synchronice LDAP users to local database.",
+    permissions => { check => [ 'admin' ] },
     protected => 1,
     proxyto => 'master',
     parameters => {
@@ -296,6 +302,7 @@ __PACKAGE__->register_method ({
     path => '{profile}',
     method => 'DELETE',
     description => "Delete an LDAP profile",
+    permissions => { check => [ 'admin' ] },
     protected => 1,
     proxyto => 'master',
     parameters => {
@@ -338,6 +345,7 @@ __PACKAGE__->register_method ({
     path => '{profile}/users',
     method => 'GET',
     description => "List LDAP users.",
+    permissions => { check => [ 'admin' ] },
     protected => 1,
     proxyto => 'master',
     parameters => {
@@ -386,6 +394,7 @@ __PACKAGE__->register_method ({
     path => '{profile}/users/{email}',
     method => 'GET',
     description => "Get all email addresses for the specified user.",
+    permissions => { check => [ 'admin' ] },
     protected => 1,
     proxyto => 'master',
     parameters => {
@@ -443,6 +452,7 @@ __PACKAGE__->register_method ({
     path => '{profile}/groups',
     method => 'GET',
     description => "List LDAP groups.",
+    permissions => { check => [ 'admin' ] },
     protected => 1,
     proxyto => 'master',
     parameters => {

diff --git a/PMG/LDAPConfig.pm b/PMG/LDAPConfig.pm
index 59c23df95b90c482f506cd2e8e54486786c61bea..3e92fc4c9a0134f32809ab5da21e552db68a41ae 100644 (file)
--- a/PMG/LDAPConfig.pm
+++ b/PMG/LDAPConfig.pm
@@ -205,7 +205,7 @@ sub read_pmg_ldap_conf {
 
     local $/ = undef; # slurp mode
 
-    my $raw = <$fh>;
+    my $raw = defined($fh) ? <$fh> : '';
 
     return __PACKAGE__->parse_config($filename, $raw);
 }
@@ -215,14 +215,18 @@ sub write_pmg_ldap_conf {
 
     my $raw = __PACKAGE__->write_config($filename, $cfg);
 
-    chmod(0600, $fh);
+    my $gid = getgrnam('www-data');
+    chown(0, $gid, $fh);
+    chmod(0640, $fh);
 
     PVE::Tools::safe_print($filename, $fh, $raw);
 }
 
 PVE::INotify::register_file($inotify_file_id, $config_filename,
                            \&read_pmg_ldap_conf,
-                           \&write_pmg_ldap_conf);
+                           \&write_pmg_ldap_conf,
+                           undef,
+                           always_call_parser => 1);
 
 
 1;