[pve-access-control.git] / PVE / Auth / LDAP.pm

package PVE::Auth::LDAP;

use strict;
use warnings;

use PVE::Tools;
use PVE::Auth::Plugin;
use Net::LDAP;
use Net::IP;
use base qw(PVE::Auth::Plugin);

sub type {
    return 'ldap';
}

sub properties {
    return {
	base_dn => {
	    description => "LDAP base domain name",
	    type => 'string',
	    pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
	    optional => 1,
	    maxLength => 256,
	},
	user_attr => {
	    description => "LDAP user attribute name",
	    type => 'string',
	    pattern => '\S{2,}',
	    optional => 1,
	    maxLength => 256,
	},
	bind_dn => {
	    description => "LDAP bind domain name",
	    type => 'string',
	    pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
	    optional => 1,
	    maxLength => 256,
	},
	verify => {
	    description => "Verify the server's SSL certificate",
	    type => 'boolean',
	    optional => 1,
	    default => 0,
	},
	capath => {
	    description => "Path to the CA certificate store",
	    type => 'string',
	    optional => 1,
	    default => '/etc/ssl/certs',
	},
	cert => {
	    description => "Path to the client certificate",
	    type => 'string',
	    optional => 1,
	},
	certkey => {
	    description => "Path to the client certificate key",
	    type => 'string',
	    optional => 1,
	},
    };
}

sub options {
    return {
	server1 => {},
	server2 => { optional => 1 },
	base_dn => {},
	bind_dn => { optional => 1 },
	user_attr => {},
	port => { optional => 1 },
	secure => { optional => 1 },
	sslversion => { optional => 1 },
	default => { optional => 1 },
	comment => { optional => 1 },
	tfa => { optional => 1 },
	verify => { optional => 1 },
	capath => { optional => 1 },
	cert => { optional => 1 },
	certkey => { optional => 1 },
    };
}

my $authenticate_user_ldap = sub {
    my ($config, $server, $username, $password, $realm) = @_;

    my $default_port = $config->{secure} ? 636: 389;
    my $port = $config->{port} ? $config->{port} : $default_port;
    my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
    $server = "[$server]" if Net::IP::ip_is_ipv6($server);
    my $conn_string = "$scheme://${server}:$port";

    my %ldap_args;
    if ($config->{verify}) {
	$ldap_args{verify} = 'require';
	if (defined(my $cert = $config->{cert})) {
	    $ldap_args{clientcert} = $cert;
	}
	if (defined(my $key = $config->{certkey})) {
	    $ldap_args{clientkey} = $key;
	}
	if (defined(my $capath = $config->{capath})) {
	    if (-d $capath) {
		$ldap_args{capath} = $capath;
	    } else {
		$ldap_args{cafile} = $capath;
	    }
	}
    } else {
	$ldap_args{verify} = 'none';
    }

    if ($config->{secure}) {
	$ldap_args{sslversion} = $config->{sslversion} ? $config->{sslversion} : 'tlsv1_2';
    }

    my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n";

    if (my $bind_dn = $config->{bind_dn}) {
	my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
	die "missing password for realm $realm\n" if !defined($bind_pass);
	my $res = $ldap->bind($bind_dn, password => $bind_pass);
	my $code = $res->code();
	my $err = $res->error;
	die "failed to authenticate to ldap service: $err\n" if ($code);
    }

    my $search = $config->{user_attr} . "=" . $username;
    my $result = $ldap->search( base    => "$config->{base_dn}",
				scope   => "sub",
				filter  => "$search",
				attrs   => ['dn']
				);
    die "no entries returned\n" if !$result->entries;
    my @entries = $result->entries;
    my $res = $ldap->bind($entries[0]->dn, password => $password);

    my $code = $res->code();
    my $err = $res->error;

    $ldap->unbind();

    die "$err\n" if ($code);
};

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); };
    my $err = $@;
    return 1 if !$err;
    die $err if !$config->{server2};
    &$authenticate_user_ldap($config, $config->{server2}, $username, $password, $realm);
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::LDAP;
	2
	3	use strict;
7c410d63 DM	4	use warnings;
7c410d63 DM	5
b5040b42	6	use PVE::Tools;
5bb4e06a DM	7	use PVE::Auth::Plugin;
5bb4e06a DM	8	use Net::LDAP;
8b600c4d	9	use Net::IP;
5bb4e06a DM	10	use base qw(PVE::Auth::Plugin);
	11
	12	sub type {
	13	return 'ldap';
	14	}
	15
	16	sub properties {
	17	return {
	18	base_dn => {
	19	description => "LDAP base domain name",
	20	type => 'string',
	21	pattern => '\w+=[^,]+(,\s\w+=[^,]+)',
	22	optional => 1,
	23	maxLength => 256,
	24	},
	25	user_attr => {
	26	description => "LDAP user attribute name",
	27	type => 'string',
	28	pattern => '\S{2,}',
	29	optional => 1,
	30	maxLength => 256,
	31	},
b5040b42 WB	32	bind_dn => {
	33	description => "LDAP bind domain name",
	34	type => 'string',
	35	pattern => '\w+=[^,]+(,\s\w+=[^,]+)',
	36	optional => 1,
	37	maxLength => 256,
	38	},
e03c2aef WB	39	verify => {
	40	description => "Verify the server's SSL certificate",
	41	type => 'boolean',
	42	optional => 1,
	43	default => 0,
	44	},
	45	capath => {
	46	description => "Path to the CA certificate store",
	47	type => 'string',
	48	optional => 1,
	49	default => '/etc/ssl/certs',
	50	},
	51	cert => {
	52	description => "Path to the client certificate",
	53	type => 'string',
	54	optional => 1,
	55	},
	56	certkey => {
	57	description => "Path to the client certificate key",
	58	type => 'string',
	59	optional => 1,
	60	},
5bb4e06a DM	61	};
	62	}
	63
	64	sub options {
	65	return {
	66	server1 => {},
	67	server2 => { optional => 1 },
	68	base_dn => {},
b5040b42	69	bind_dn => { optional => 1 },
5bb4e06a DM	70	user_attr => {},
	71	port => { optional => 1 },
	72	secure => { optional => 1 },
07dd90d7	73	sslversion => { optional => 1 },
5bb4e06a DM	74	default => { optional => 1 },
5bb4e06a DM	75	comment => { optional => 1 },
96f8ebd6	76	tfa => { optional => 1 },
e03c2aef WB	77	verify => { optional => 1 },
	78	capath => { optional => 1 },
	79	cert => { optional => 1 },
	80	certkey => { optional => 1 },
5bb4e06a DM	81	};
	82	}
	83
	84	my $authenticate_user_ldap = sub {
b5040b42	85	my ($config, $server, $username, $password, $realm) = @_;
5bb4e06a DM	86
	87	my $default_port = $config->{secure} ? 636: 389;
	88	my $port = $config->{port} ? $config->{port} : $default_port;
	89	my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
8b600c4d	90	$server = "[$server]" if Net::IP::ip_is_ipv6($server);
5bb4e06a DM	91	my $conn_string = "$scheme://${server}:$port";
5bb4e06a DM	92
e03c2aef WB	93	my %ldap_args;
	94	if ($config->{verify}) {
	95	$ldap_args{verify} = 'require';
	96	if (defined(my $cert = $config->{cert})) {
	97	$ldap_args{clientcert} = $cert;
	98	}
	99	if (defined(my $key = $config->{certkey})) {
	100	$ldap_args{clientkey} = $key;
	101	}
	102	if (defined(my $capath = $config->{capath})) {
	103	if (-d $capath) {
	104	$ldap_args{capath} = $capath;
	105	} else {
	106	$ldap_args{cafile} = $capath;
	107	}
	108	}
	109	} else {
	110	$ldap_args{verify} = 'none';
	111	}
	112
07dd90d7 AD	113	if ($config->{secure}) {
	114	$ldap_args{sslversion} = $config->{sslversion} ? $config->{sslversion} : 'tlsv1_2';
	115	}
	116
e03c2aef	117	my $ldap = Net::LDAP->new($conn_string, %ldap_args) \|\| die "$@\n";
b5040b42 WB	118
	119	if (my $bind_dn = $config->{bind_dn}) {
	120	my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
	121	die "missing password for realm $realm\n" if !defined($bind_pass);
	122	my $res = $ldap->bind($bind_dn, password => $bind_pass);
	123	my $code = $res->code();
	124	my $err = $res->error;
	125	die "failed to authenticate to ldap service: $err\n" if ($code);
	126	}
	127
5bb4e06a DM	128	my $search = $config->{user_attr} . "=" . $username;
	129	my $result = $ldap->search( base => "$config->{base_dn}",
	130	scope => "sub",
	131	filter => "$search",
	132	attrs => ['dn']
	133	);
	134	die "no entries returned\n" if !$result->entries;
	135	my @entries = $result->entries;
	136	my $res = $ldap->bind($entries[0]->dn, password => $password);
	137
	138	my $code = $res->code();
	139	my $err = $res->error;
	140
	141	$ldap->unbind();
	142
	143	die "$err\n" if ($code);
	144	};
	145
	146	sub authenticate_user {
	147	my ($class, $config, $realm, $username, $password) = @_;
	148
b5040b42	149	eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); };
5bb4e06a DM	150	my $err = $@;
	151	return 1 if !$err;
	152	die $err if !$config->{server2};
f4e7fc7b	153	&$authenticate_user_ldap($config, $config->{server2}, $username, $password, $realm);
5bb4e06a DM	154	}
	155
	156	1;