]>
git.proxmox.com Git - pve-access-control.git/blob - PVE/Auth/AD.pm
42eb79d0a386e2127fc5e94ece5c26925b58b494
9 use base
qw(PVE::Auth::Plugin);
18 description
=> "Server IP address (or DNS name)",
24 description
=> "Fallback Server IP address (or DNS name)",
31 description
=> "Use secure LDAPS protocol.",
37 description
=> "LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!",
39 enum
=> [qw(tlsv1 tlsv1_1 tlsv1_2 tlsv1_3)],
43 description
=> "Use this as default realm",
48 description
=> "Description.",
54 description
=> "Server port.",
61 description
=> "AD domain name",
67 tfa
=> PVE
::JSONSchema
::get_standard_option
('tfa'),
74 server2
=> { optional
=> 1 },
76 port
=> { optional
=> 1 },
77 secure
=> { optional
=> 1 },
78 sslversion
=> { optional
=> 1 },
79 default => { optional
=> 1 },,
80 comment
=> { optional
=> 1 },
81 tfa
=> { optional
=> 1 },
82 verify
=> { optional
=> 1 },
83 capath
=> { optional
=> 1 },
84 cert
=> { optional
=> 1 },
85 certkey
=> { optional
=> 1 },
89 my $authenticate_user_ad = sub {
90 my ($config, $server, $username, $password) = @_;
92 my $default_port = $config->{secure
} ?
636: 389;
93 my $port = $config->{port
} ?
$config->{port
} : $default_port;
94 my $scheme = $config->{secure
} ?
'ldaps' : 'ldap';
95 $server = "[$server]" if Net
::IP
::ip_is_ipv6
($server);
96 my $conn_string = "$scheme://${server}:$port";
99 if ($config->{verify
}) {
100 $ad_args{verify
} = 'require';
101 if (defined(my $cert = $config->{cert
})) {
102 $ad_args{clientcert
} = $cert;
104 if (defined(my $key = $config->{certkey
})) {
105 $ad_args{clientkey
} = $key;
107 if (defined(my $capath = $config->{capath
})) {
109 $ad_args{capath
} = $capath;
111 $ad_args{cafile
} = $capath;
114 } elsif (defined($config->{verify
})) {
115 $ad_args{verify
} = 'none';
118 if ($config->{secure
}) {
119 $ad_args{sslversion
} = $config->{sslversion
} || 'tlsv1_2';
122 my $ldap = Net
::LDAP-
>new($conn_string, %ad_args) || die "$@\n";
124 $username = "$username\@$config->{domain}"
125 if $username !~ m/@/ && $config->{domain
};
127 my $res = $ldap->bind($username, password
=> $password);
129 my $code = $res->code();
130 my $err = $res->error;
134 die "$err\n" if ($code);
137 sub authenticate_user
{
138 my ($class, $config, $realm, $username, $password) = @_;
140 eval { &$authenticate_user_ad($config, $config->{server1
}, $username, $password); };
143 die $err if !$config->{server2
};
144 &$authenticate_user_ad($config, $config->{server2
}, $username, $password);