[pve-access-control.git] / PVE / Auth / LDAP.pm

package PVE::Auth::LDAP;

use strict;
use warnings;

use PVE::Auth::Plugin;
use Net::LDAP;
use base qw(PVE::Auth::Plugin);

sub type {
    return 'ldap';
}

sub properties {
    return {
	base_dn => {
	    description => "LDAP base domain name",
	    type => 'string',
	    pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
	    optional => 1,
	    maxLength => 256,
	},
	user_attr => {
	    description => "LDAP user attribute name",
	    type => 'string',
	    pattern => '\S{2,}',
	    optional => 1,
	    maxLength => 256,
	},
    };
}

sub options {
    return {
	server1 => {},
	server2 => { optional => 1 },
	base_dn => {},
	user_attr => {},
	port => { optional => 1 },
	secure => { optional => 1 },
	default => { optional => 1 },
	comment => { optional => 1 },
    };
}

my $authenticate_user_ldap = sub {
    my ($config, $server, $username, $password) = @_;

    my $default_port = $config->{secure} ? 636: 389;
    my $port = $config->{port} ? $config->{port} : $default_port;
    my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
    my $conn_string = "$scheme://${server}:$port";

    my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
    my $search = $config->{user_attr} . "=" . $username;
    my $result = $ldap->search( base    => "$config->{base_dn}",
				scope   => "sub",
				filter  => "$search",
				attrs   => ['dn']
				);
    die "no entries returned\n" if !$result->entries;
    my @entries = $result->entries;
    my $res = $ldap->bind($entries[0]->dn, password => $password);

    my $code = $res->code();
    my $err = $res->error;

    $ldap->unbind();

    die "$err\n" if ($code);
};

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); };
    my $err = $@;
    return 1 if !$err;
    die $err if !$config->{server2};
    &$authenticate_user_ldap($config, $config->{server2}, $username, $password); 
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::LDAP;
	2
	3	use strict;
7c410d63 DM	4	use warnings;
7c410d63 DM	5
5bb4e06a DM	6	use PVE::Auth::Plugin;
	7	use Net::LDAP;
	8	use base qw(PVE::Auth::Plugin);
	9
	10	sub type {
	11	return 'ldap';
	12	}
	13
	14	sub properties {
	15	return {
	16	base_dn => {
	17	description => "LDAP base domain name",
	18	type => 'string',
	19	pattern => '\w+=[^,]+(,\s\w+=[^,]+)',
	20	optional => 1,
	21	maxLength => 256,
	22	},
	23	user_attr => {
	24	description => "LDAP user attribute name",
	25	type => 'string',
	26	pattern => '\S{2,}',
	27	optional => 1,
	28	maxLength => 256,
	29	},
	30	};
	31	}
	32
	33	sub options {
	34	return {
	35	server1 => {},
	36	server2 => { optional => 1 },
	37	base_dn => {},
	38	user_attr => {},
	39	port => { optional => 1 },
	40	secure => { optional => 1 },
	41	default => { optional => 1 },
	42	comment => { optional => 1 },
	43	};
	44	}
	45
	46	my $authenticate_user_ldap = sub {
	47	my ($config, $server, $username, $password) = @_;
	48
	49	my $default_port = $config->{secure} ? 636: 389;
	50	my $port = $config->{port} ? $config->{port} : $default_port;
	51	my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
	52	my $conn_string = "$scheme://${server}:$port";
	53
	54	my $ldap = Net::LDAP->new($conn_string, verify => 'none') \|\| die "$@\n";
	55	my $search = $config->{user_attr} . "=" . $username;
	56	my $result = $ldap->search( base => "$config->{base_dn}",
	57	scope => "sub",
	58	filter => "$search",
	59	attrs => ['dn']
	60	);
	61	die "no entries returned\n" if !$result->entries;
	62	my @entries = $result->entries;
	63	my $res = $ldap->bind($entries[0]->dn, password => $password);
	64
	65	my $code = $res->code();
	66	my $err = $res->error;
	67
	68	$ldap->unbind();
	69
70	die "$err\n" if ($code);
71	};
72
73	sub authenticate_user {
74	my ($class, $config, $realm, $username, $password) = @_;
75
76	eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); };
77	my $err = $@;
78	return 1 if !$err;
79	die $err if !$config->{server2};
80	&$authenticate_user_ldap($config, $config->{server2}, $username, $password);
81	}
82
83	1;