projects / pve-access-control.git / blame
| Commit | Line | Data |
|---|---|---|
| 5bb4e06a DM |
1 | package PVE::Auth::LDAP; |
| 2 | ||
| 3 | use strict; | |
| 7c410d63 DM |
4 | use warnings; |
| 5 | ||
| 5bb4e06a DM |
6 | use PVE::Auth::Plugin; |
| 7 | use Net::LDAP; | |
| 8 | use base qw(PVE::Auth::Plugin); | |
| 9 | ||
| 10 | sub type { | |
| 11 | return 'ldap'; | |
| 12 | } | |
| 13 | ||
| 14 | sub properties { | |
| 15 | return { | |
| 16 | base_dn => { | |
| 17 | description => "LDAP base domain name", | |
| 18 | type => 'string', | |
| 19 | pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*', | |
| 20 | optional => 1, | |
| 21 | maxLength => 256, | |
| 22 | }, | |
| 23 | user_attr => { | |
| 24 | description => "LDAP user attribute name", | |
| 25 | type => 'string', | |
| 26 | pattern => '\S{2,}', | |
| 27 | optional => 1, | |
| 28 | maxLength => 256, | |
| 29 | }, | |
| 30 | }; | |
| 31 | } | |
| 32 | ||
| 33 | sub options { | |
| 34 | return { | |
| 35 | server1 => {}, | |
| 36 | server2 => { optional => 1 }, | |
| 37 | base_dn => {}, | |
| 38 | user_attr => {}, | |
| 39 | port => { optional => 1 }, | |
| 40 | secure => { optional => 1 }, | |
| 41 | default => { optional => 1 }, | |
| 42 | comment => { optional => 1 }, | |
| 96f8ebd6 | 43 | tfa => { optional => 1 }, |
| 5bb4e06a DM |
44 | }; |
| 45 | } | |
| 46 | ||
| 47 | my $authenticate_user_ldap = sub { | |
| 48 | my ($config, $server, $username, $password) = @_; | |
| 49 | ||
| 50 | my $default_port = $config->{secure} ? 636: 389; | |
| 51 | my $port = $config->{port} ? $config->{port} : $default_port; | |
| 52 | my $scheme = $config->{secure} ? 'ldaps' : 'ldap'; | |
| 53 | my $conn_string = "$scheme://${server}:$port"; | |
| 54 | ||
| 55 | my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n"; | |
| 56 | my $search = $config->{user_attr} . "=" . $username; | |
| 57 | my $result = $ldap->search( base => "$config->{base_dn}", | |
| 58 | scope => "sub", | |
| 59 | filter => "$search", | |
| 60 | attrs => ['dn'] | |
| 61 | ); | |
| 62 | die "no entries returned\n" if !$result->entries; | |
| 63 | my @entries = $result->entries; | |
| 64 | my $res = $ldap->bind($entries[0]->dn, password => $password); | |
| 65 | ||
| 66 | my $code = $res->code(); | |
| 67 | my $err = $res->error; | |
| 68 | ||
| 69 | $ldap->unbind(); | |
| 70 | ||
| 71 | die "$err\n" if ($code); | |
| 72 | }; | |
| 73 | ||
| 74 | sub authenticate_user { | |
| 75 | my ($class, $config, $realm, $username, $password) = @_; | |
| 76 | ||
| 77 | eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); }; | |
| 78 | my $err = $@; | |
| 79 | return 1 if !$err; | |
| 80 | die $err if !$config->{server2}; | |
| 81 | &$authenticate_user_ldap($config, $config->{server2}, $username, $password); | |
| 82 | } | |
| 83 | ||
| 84 | 1; |