]> git.proxmox.com Git - pmg-api.git/commitdiff
projects / pmg-api.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cfb648f)
fix #1946: add verify and cafile options for ldap
authorDominik Csapak <d.csapak@proxmox.com>
Wed, 13 Mar 2019 14:17:07 +0000 (15:17 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Thu, 14 Mar 2019 06:24:46 +0000 (07:24 +0100)
so that users can force the verification, either with the system
installed certificates or with a single explicit file

this also fixes #1944, since the option was 'scheme' not 'schema'

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
PMG/LDAPCache.pm patch | blob | blame | history
PMG/LDAPConfig.pm patch | blob | blame | history

diff --git a/PMG/LDAPCache.pm b/PMG/LDAPCache.pm
index 0d3601915acb281d2462a764e98cb7297c4a57ad..ca4aec98022304842545d3980d3687208a6bc03c 100755 (executable)
--- a/PMG/LDAPCache.pm
+++ b/PMG/LDAPCache.pm
@@ -75,6 +75,8 @@ sub new {
     $self->{port} = $args{port};
     $self->{groupbasedn} = $args{groupbasedn};
     $self->{filter} = $args{filter};
+    $self->{verify} = $args{verify};
+    $self->{cafile} = $args{cafile};
 
     if ($args{syncmode} == 1) {
        # read local data only
@@ -349,7 +351,17 @@ sub ldap_connect {
     my $opts = { timeout => 10, onerror => 'die' };
 
     $opts->{port} = $self->{port} if $self->{port};
-    $opts->{schema} = $self->{mode};
+    if ($self->{mode} eq 'ldaps') {
+       $opts->{scheme} = 'ldaps';
+       $opts->{verify} = 'require' if $self->{verify};
+       if ($self->{cafile}) {
+           $opts->{cafile} = $self->{cafile};
+       } else {
+           $opts->{capath} = '/etc/ssl/certs/';
+       }
+    } else {
+       $opts->{scheme} = 'ldap';
+    }
 
     return Net::LDAP->new($hosts, %$opts);
 }
diff --git a/PMG/LDAPConfig.pm b/PMG/LDAPConfig.pm
index 9445205c6d18ad097141c5b7167d47f550c1ad09..022749cad142fda2f2688a4eb18024492556a5a7 100644 (file)
--- a/PMG/LDAPConfig.pm
+++ b/PMG/LDAPConfig.pm
@@ -58,6 +58,17 @@ sub properties {
            enum => ['ldap', 'ldaps'],
            default => 'ldap',
        },
+       verify => {
+           description => "Verify server certificate. Only useful with ldaps.",
+           type => 'boolean',
+           default => 0,
+           optional => 1,
+       },
+       cafile => {
+           description => "Path to CA file. Only useful with option 'verify'",
+           type => 'string',
+           optional => 1,
+       },
        server1 => {
            description => "Server address.",
            type => 'string', format => 'address',
@@ -128,6 +139,8 @@ sub options {
        accountattr => { optional => 1 },
        mailattr => { optional => 1 },
        groupclass => { optional => 1 },
+       verify => { optional => 1 },
+       cafile => { optional => 1 },
     };
 }
 
PMG API