]>
Commit | Line | Data |
---|---|---|
1 | package PVE::Auth::LDAP; | |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use PVE::Auth::Plugin; | |
7 | use Net::LDAP; | |
8 | use base qw(PVE::Auth::Plugin); | |
9 | ||
10 | sub type { | |
11 | return 'ldap'; | |
12 | } | |
13 | ||
14 | sub properties { | |
15 | return { | |
16 | base_dn => { | |
17 | description => "LDAP base domain name", | |
18 | type => 'string', | |
19 | pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*', | |
20 | optional => 1, | |
21 | maxLength => 256, | |
22 | }, | |
23 | user_attr => { | |
24 | description => "LDAP user attribute name", | |
25 | type => 'string', | |
26 | pattern => '\S{2,}', | |
27 | optional => 1, | |
28 | maxLength => 256, | |
29 | }, | |
30 | }; | |
31 | } | |
32 | ||
33 | sub options { | |
34 | return { | |
35 | server1 => {}, | |
36 | server2 => { optional => 1 }, | |
37 | base_dn => {}, | |
38 | user_attr => {}, | |
39 | port => { optional => 1 }, | |
40 | secure => { optional => 1 }, | |
41 | default => { optional => 1 }, | |
42 | comment => { optional => 1 }, | |
43 | }; | |
44 | } | |
45 | ||
46 | my $authenticate_user_ldap = sub { | |
47 | my ($config, $server, $username, $password) = @_; | |
48 | ||
49 | my $default_port = $config->{secure} ? 636: 389; | |
50 | my $port = $config->{port} ? $config->{port} : $default_port; | |
51 | my $scheme = $config->{secure} ? 'ldaps' : 'ldap'; | |
52 | my $conn_string = "$scheme://${server}:$port"; | |
53 | ||
54 | my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n"; | |
55 | my $search = $config->{user_attr} . "=" . $username; | |
56 | my $result = $ldap->search( base => "$config->{base_dn}", | |
57 | scope => "sub", | |
58 | filter => "$search", | |
59 | attrs => ['dn'] | |
60 | ); | |
61 | die "no entries returned\n" if !$result->entries; | |
62 | my @entries = $result->entries; | |
63 | my $res = $ldap->bind($entries[0]->dn, password => $password); | |
64 | ||
65 | my $code = $res->code(); | |
66 | my $err = $res->error; | |
67 | ||
68 | $ldap->unbind(); | |
69 | ||
70 | die "$err\n" if ($code); | |
71 | }; | |
72 | ||
73 | sub authenticate_user { | |
74 | my ($class, $config, $realm, $username, $password) = @_; | |
75 | ||
76 | eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); }; | |
77 | my $err = $@; | |
78 | return 1 if !$err; | |
79 | die $err if !$config->{server2}; | |
80 | &$authenticate_user_ldap($config, $config->{server2}, $username, $password); | |
81 | } | |
82 | ||
83 | 1; |