use strict;
use warnings;
use PVE::Auth::Plugin;
-use Net::LDAP;
-use Net::IP;
+use PVE::LDAP;
use base qw(PVE::Auth::Plugin);
description => "Use secure LDAPS protocol.",
type => 'boolean',
optional => 1,
-
},
sslversion => {
description => "LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!",
};
}
-my $authenticate_user_ad = sub {
- my ($config, $server, $username, $password) = @_;
+sub authenticate_user {
+ my ($class, $config, $realm, $username, $password) = @_;
+
+ my $servers = [$config->{server1}];
+ push @$servers, $config->{server2} if $config->{server2};
my $default_port = $config->{secure} ? 636: 389;
- my $port = $config->{port} ? $config->{port} : $default_port;
+ my $port = $config->{port} // $default_port;
my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
- $server = "[$server]" if Net::IP::ip_is_ipv6($server);
- my $conn_string = "$scheme://${server}:$port";
my %ad_args;
if ($config->{verify}) {
$ad_args{verify} = 'require';
- if (defined(my $cert = $config->{cert})) {
- $ad_args{clientcert} = $cert;
- }
- if (defined(my $key = $config->{certkey})) {
- $ad_args{clientkey} = $key;
- }
+ $ad_args{clientcert} = $config->{cert} if $config->{cert};
+ $ad_args{clientkey} = $config->{certkey} if $config->{certkey};
if (defined(my $capath = $config->{capath})) {
if (-d $capath) {
$ad_args{capath} = $capath;
}
if ($config->{secure}) {
- $ad_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
+ $ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2';
}
- my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n";
+ my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ad_args);
$username = "$username\@$config->{domain}"
if $username !~ m/@/ && $config->{domain};
- my $res = $ldap->bind($username, password => $password);
-
- my $code = $res->code();
- my $err = $res->error;
+ PVE::LDAP::auth_user_dn($ldap, $username, $password);
$ldap->unbind();
-
- die "$err\n" if ($code);
-};
-
-sub authenticate_user {
- my ($class, $config, $realm, $username, $password) = @_;
-
- eval { &$authenticate_user_ad($config, $config->{server1}, $username, $password); };
- my $err = $@;
- return 1 if !$err;
- die $err if !$config->{server2};
- &$authenticate_user_ad($config, $config->{server2}, $username, $password);
return 1;
}
use PVE::Tools;
use PVE::Auth::Plugin;
-use Net::LDAP;
-use Net::IP;
+use PVE::LDAP;
use base qw(PVE::Auth::Plugin);
sub type {
};
}
-my $authenticate_user_ldap = sub {
- my ($config, $server, $username, $password, $realm) = @_;
+sub authenticate_user {
+ my ($class, $config, $realm, $username, $password) = @_;
+
+ my $servers = [$config->{server1}];
+ push @$servers, $config->{server2} if $config->{server2};
my $default_port = $config->{secure} ? 636: 389;
- my $port = $config->{port} ? $config->{port} : $default_port;
+ my $port = $config->{port} // $default_port;
my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
- $server = "[$server]" if Net::IP::ip_is_ipv6($server);
- my $conn_string = "$scheme://${server}:$port";
my %ldap_args;
if ($config->{verify}) {
$ldap_args{verify} = 'require';
- if (defined(my $cert = $config->{cert})) {
- $ldap_args{clientcert} = $cert;
- }
- if (defined(my $key = $config->{certkey})) {
- $ldap_args{clientkey} = $key;
- }
+ $ldap_args{clientcert} = $config->{cert} if $config->{cert};
+ $ldap_args{clientkey} = $config->{certkey} if $config->{certkey};
if (defined(my $capath = $config->{capath})) {
if (-d $capath) {
$ldap_args{capath} = $capath;
$ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
}
- my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n";
+ my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args);
+
+ my $bind_dn;
+ my $bind_pass;
- if (my $bind_dn = $config->{bind_dn}) {
- my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
+ if ($config->{bind_dn}) {
+ $bind_dn = $config->{bind_dn};
+ $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
die "missing password for realm $realm\n" if !defined($bind_pass);
- my $res = $ldap->bind($bind_dn, password => $bind_pass);
- my $code = $res->code();
- my $err = $res->error;
- die "failed to authenticate to ldap service: $err\n" if ($code);
}
- my $search = $config->{user_attr} . "=" . $username;
- my $result = $ldap->search( base => "$config->{base_dn}",
- scope => "sub",
- filter => "$search",
- attrs => ['dn']
- );
- die "no entries returned\n" if !$result->entries;
- my @entries = $result->entries;
- my $res = $ldap->bind($entries[0]->dn, password => $password);
-
- my $code = $res->code();
- my $err = $res->error;
+ PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
+ my $user_dn = PVE::LDAP::get_user_dn($ldap, $username, $config->{user_attr}, $config->{base_dn});
+ PVE::LDAP::auth_user_dn($ldap, $user_dn, $password);
$ldap->unbind();
-
- die "$err\n" if ($code);
-};
-
-sub authenticate_user {
- my ($class, $config, $realm, $username, $password) = @_;
-
- eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); };
- my $err = $@;
- return 1 if !$err;
- die $err if !$config->{server2};
- &$authenticate_user_ldap($config, $config->{server2}, $username, $password, $realm);
+ return 1;
}
1;
projects / pve-access-control.git / commitdiff