PVE/Auth/AD.pm

   1 package PVE::Auth::AD;
   2
   3 use strict;
   4 use warnings;
   5 use PVE::Auth::Plugin;
   6 use Net::LDAP;
   7
   8 use base qw(PVE::Auth::Plugin);
   9
  10 sub type {
  11     return 'ad';
  12 }
  13
  14 sub properties {
  15     return {
  16         server1 => {
  17             description => "Server IP address (or DNS name)",
  18             type => 'string',
  19             pattern => '[\w\d]+(.[\w\d]+)*',
  20             maxLength => 256,
  21         },
  22         server2 => {
  23             description => "Fallback Server IP address (or DNS name)",
  24             type => 'string',
  25             optional => 1,
  26             pattern => '[\w\d]+(.[\w\d]+)*',
  27             maxLength => 256,
  28         },
  29         secure => {
  30             description => "Use secure LDAPS protocol.",
  31             type => 'boolean',
  32             optional => 1,
  33
  34         },
  35         default => {
  36             description => "Use this as default realm",
  37             type => 'boolean',
  38             optional => 1,
  39         },
  40         comment => {
  41             description => "Description.",
  42             type => 'string',
  43             optional => 1,
  44             maxLength => 4096,
  45         },
  46         port => {
  47             description => "Server port.",
  48             type => 'integer',
  49             minimum => 1,
  50             maximum => 65535,
  51             optional => 1,
  52         },
  53         domain => {
  54             description => "AD domain name",
  55             type => 'string',
  56             pattern => '\S+',
  57             optional => 1,
  58             maxLength => 256,
  59         },
  60         tfa => PVE::JSONSchema::get_standard_option('tfa'),
  61     };
  62 }
  63
  64 sub options {
  65     return {
  66         server1 => {},
  67         server2 => { optional => 1 },
  68         domain => {},
  69         port => { optional => 1 },
  70         secure => { optional => 1 },
  71         default => { optional => 1 },,
  72         comment => { optional => 1 },
  73         tfa => { optional => 1 },
  74     };
  75 }
  76
  77 my $authenticate_user_ad = sub {
  78     my ($config, $server, $username, $password) = @_;
  79
  80     my $default_port = $config->{secure} ? 636: 389;
  81     my $port = $config->{port} ? $config->{port} : $default_port;
  82     my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
  83     my $conn_string = "$scheme://${server}:$port";
  84
  85     my $ldap = Net::LDAP->new($conn_string) || die "$@\n";
  86
  87     $username = "$username\@$config->{domain}"
  88         if $username !~ m/@/ && $config->{domain};
  89
  90     my $res = $ldap->bind($username, password => $password);
  91
  92     my $code = $res->code();
  93     my $err = $res->error;
  94
  95     $ldap->unbind();
  96
  97     die "$err\n" if ($code);
  98 };
  99
 100 sub authenticate_user {
 101     my ($class, $config, $realm, $username, $password) = @_;
 102
 103     eval { &$authenticate_user_ad($config, $config->{server1}, $username, $password); };
 104     my $err = $@;
 105     return 1 if !$err;
 106     die $err if !$config->{server2};
 107     &$authenticate_user_ad($config, $config->{server2}, $username, $password);
 108     return 1;
 109 }
 110
 111 1;