1 package PVE
::API2
::Domains
;
# REST handlers for the authentication-realm configuration.
# Realm definitions are kept in the file named by $domainconfigfile and are
# read/written exclusively through PVE::Cluster's cfs_read_file/cfs_write_file.
5 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
6 use PVE
::AccessControl
;
7 use PVE
::JSONSchema
qw(get_standard_option);
# Relative name of the realm config file, passed as-is to cfs_read_file/cfs_write_file.
12 my $domainconfigfile = "domains.cfg";
# register_method() used by every handler below comes from the REST base class.
14 use base
qw(PVE::RESTHandler);
# Realm index (GET). The description below states that this endpoint is
# reachable before authentication (it feeds the login box), so the per-realm
# entry built in the loop is deliberately limited to realm/type/comment/default.
# Any other key stored in $d (e.g. the server settings written by the add/update
# handlers) is not returned here. Keep that property when extending the entry.
16 __PACKAGE__-
>register_method ({
20 description
=> "Authentication domain index.",
22 description
=> "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
26 additionalProperties
=> 0,
34 realm
=> { type
=> 'string' },
35 comment
=> { type
=> 'string', optional
=> 1 },
38 links
=> [ { rel
=> 'child', href
=> "{realm}" } ],
# Read the current realm configuration; $cfg is keyed by realm name.
45 my $cfg = cfs_read_file
($domainconfigfile);
47 foreach my $realm (keys %$cfg) {
48 my $d = $cfg->{$realm};
49 my $entry = { realm
=> $realm, type
=> $d->{type
} };
# The comment is optional in the schema above, so it is only added when set.
50 $entry->{comment
} = $d->{comment
} if $d->{comment
};
# NOTE(review): the 'default' flag is the one maintained by the add/update
# handlers; the rest of this sub (collecting and returning the entries) is
# not visible in this extract.
51 $entry->{default} = 1 if $d->{default};
# Add a realm (POST). Requires Realm.Allocate on /access/realm (check below).
# The read-modify-write of domains.cfg runs inside
# PVE::AccessControl::lock_domain_config, which presumably serializes concurrent
# modifications; the trailing string is handed to the lock helper, presumably as
# the error message used when the update fails.
58 __PACKAGE__-
>register_method ({
64 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
66 description
=> "Add an authentication server.",
# additionalProperties => 0 is what keeps unknown parameters out of the config
# file: the copy loop below stores every accepted parameter as-is.
68 additionalProperties
=> 0,
70 realm
=> get_standard_option
('realm'),
72 description
=> "Server type.",
74 enum
=> [ 'ad', 'ldap' ],
77 description
=> "Server IP address (or DNS name)",
81 description
=> "Fallback Server IP address (or DNS name)",
86 description
=> "Use secure LDAPS protocol.",
91 description
=> "Use this as default realm",
# FIXME: stray trailing quote in the description string ("settings'").
100 description
=> "Server port. Use '0' if you want to use default settings'",
107 description
=> "AD domain name",
112 description
=> "LDAP base domain name",
117 description
=> "LDAP user attribute name",
123 returns
=> { type
=> 'null' },
127 PVE
::AccessControl
::lock_domain_config
(
130 my $cfg = cfs_read_file
($domainconfigfile);
132 my $realm = $param->{realm
};
# NOTE(review): the condition for this die is not visible in this extract;
# presumably it checks whether $cfg already has an entry for $realm.
134 die "domain '$realm' already exists\n"
# 'pam' and 'pve' are the built-in realms and cannot be redefined via the API.
137 die "unable to use reserved name '$realm'\n"
138 if ($realm eq 'pam' || $realm eq 'pve');
# Normalize the boolean to exactly 1 or 0 before it is stored.
140 if (defined($param->{secure
})) {
141 $cfg->{$realm}->{secure
} = $param->{secure
} ?
1 : 0;
# Only one realm may be the default: clear the flag on every realm first.
144 if ($param->{default}) {
145 foreach my $r (keys %$cfg) {
146 delete $cfg->{$r}->{default};
# Copy all remaining truthy parameters into the realm entry. 'realm' is the
# hash key, not a setting. Because only truthy values are copied, a 0/'' value
# never reaches the config; the loop below handles the two keys where an
# explicit "unset" is meaningful.
150 foreach my $p (keys %$param) {
151 next if $p eq 'realm';
152 $cfg->{$realm}->{$p} = $param->{$p} if $param->{$p};
155 # port 0 ==> use default
156 # server2 == '' ===> delete server2
157 for my $p (qw(port server2)) {
158 if (defined($param->{$p}) && !$param->{$p}) {
159 delete $cfg->{$realm}->{$p};
163 cfs_write_file
($domainconfigfile, $cfg);
164 }, "add auth server failed");
# Update a realm (PUT). Same permission and locking scheme as the add handler
# above. The parameter schema visible here exposes no 'type' parameter, so the
# realm type appears to be fixed at creation time.
169 __PACKAGE__-
>register_method ({
174 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
176 description
=> "Update authentication server settings.",
179 additionalProperties
=> 0,
181 realm
=> get_standard_option
('realm'),
183 description
=> "Server IP address (or DNS name)",
188 description
=> "Fallback Server IP address (or DNS name)",
193 description
=> "Use secure LDAPS protocol.",
198 description
=> "Use this as default realm",
# FIXME: stray trailing quote in the description string ("settings'").
207 description
=> "Server port. Use '0' if you want to use default settings'",
214 description
=> "AD domain name",
219 description
=> "LDAP base domain name",
224 description
=> "LDAP user attribute name",
230 returns
=> { type
=> 'null' },
234 PVE
::AccessControl
::lock_domain_config
(
237 my $cfg = cfs_read_file
($domainconfigfile);
239 my $realm = $param->{realm
};
# 'realm' is the hash key; drop it so the copy loop below does not store it as
# a setting inside the entry.
240 delete $param->{realm
};
# FIXME: message typo, 'bultin' should read 'builtin'.
242 die "unable to modify bultin domain '$realm'\n"
243 if ($realm eq 'pam' || $realm eq 'pve');
# NOTE(review): the condition for this die is not visible in this extract;
# presumably it checks that $cfg has an entry for $realm.
245 die "domain '$realm' does not exist\n"
# Normalize the boolean to exactly 1 or 0 before it is stored.
248 if (defined($param->{secure
})) {
249 $cfg->{$realm}->{secure
} = $param->{secure
} ?
1 : 0;
# Only one realm may be the default: clear the flag on every realm first.
252 if ($param->{default}) {
253 foreach my $r (keys %$cfg) {
254 delete $cfg->{$r}->{default};
# Apply the remaining parameters. The if/else conditions between the two
# statements below are not visible in this extract; from the statements it
# looks like a set value is stored and an empty/zero value removes the key,
# which - unlike the add handler - would allow clearing any setting. Confirm
# against the full source.
258 foreach my $p (keys %$param) {
260 $cfg->{$realm}->{$p} = $param->{$p};
262 delete $cfg->{$realm}->{$p};
266 cfs_write_file
($domainconfigfile, $cfg);
267 }, "update auth server failed");
272 # fixme: return format!
# Read one realm's configuration (GET). Accessible to anyone holding either
# Realm.Allocate or Sys.Audit on /access/realm (any => 1 below). $data is the
# realm's raw config hash, i.e. whatever the add/update handlers stored
# (server addresses, port, domain names, ...); no 'returns' schema is visible
# in this extract, which is likely what the fixme above refers to.
273 __PACKAGE__-
>register_method ({
277 description
=> "Get auth server configuration.",
279 check
=> ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any
=> 1],
282 additionalProperties
=> 0,
284 realm
=> get_standard_option
('realm'),
291 my $cfg = cfs_read_file
($domainconfigfile);
293 my $realm = $param->{realm
};
295 my $data = $cfg->{$realm};
# NOTE(review): the statement returning $data is not visible in this extract.
296 die "domain '$realm' does not exist\n" if !$data;
# Delete a realm (DELETE). Requires Realm.Allocate on /access/realm.
# NOTE(review): this read-modify-write of domains.cfg is wrapped in
# PVE::AccessControl::lock_user_config, whereas the add and update handlers
# above wrap the same file in lock_domain_config. If those are different locks,
# a delete running concurrently with an add/update is not serialized against
# it, and one side's cfs_write_file can overwrite the other's changes (lost
# update). Using lock_domain_config here would make all three writers
# consistent; confirm against PVE::AccessControl.
302 __PACKAGE__-
>register_method ({
307 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
309 description
=> "Delete an authentication server.",
312 additionalProperties
=> 0,
314 realm
=> get_standard_option
('realm'),
317 returns
=> { type
=> 'null' },
321 PVE
::AccessControl
::lock_user_config
(
324 my $cfg = cfs_read_file
($domainconfigfile);
326 my $realm = $param->{realm
};
# No explicit 'pam'/'pve' guard here; presumably the built-in realms are never
# present in domains.cfg, so this existence check rejects them.
328 die "domain '$realm' does not exist\n" if !$cfg->{$realm};
330 delete $cfg->{$realm};
332 cfs_write_file
($domainconfigfile, $cfg);
333 }, "delete auth server failed");