]> git.proxmox.com Git - pve-access-control.git/blob - PVE/Auth/LDAP.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
use PVE::LDAP module instead of useing Net::LDAP directly
[pve-access-control.git] / PVE / Auth / LDAP.pm
1 package PVE::Auth::LDAP;
2
3 use strict;
4 use warnings;
5
6 use PVE::Tools;
7 use PVE::Auth::Plugin;
8 use PVE::LDAP;
9 use base qw(PVE::Auth::Plugin);
10
11 sub type {
12 return 'ldap';
13 }
14
15 sub properties {
16 return {
17 base_dn => {
18 description => "LDAP base domain name",
19 type => 'string',
20 pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
21 optional => 1,
22 maxLength => 256,
23 },
24 user_attr => {
25 description => "LDAP user attribute name",
26 type => 'string',
27 pattern => '\S{2,}',
28 optional => 1,
29 maxLength => 256,
30 },
31 bind_dn => {
32 description => "LDAP bind domain name",
33 type => 'string',
34 pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
35 optional => 1,
36 maxLength => 256,
37 },
38 verify => {
39 description => "Verify the server's SSL certificate",
40 type => 'boolean',
41 optional => 1,
42 default => 0,
43 },
44 capath => {
45 description => "Path to the CA certificate store",
46 type => 'string',
47 optional => 1,
48 default => '/etc/ssl/certs',
49 },
50 cert => {
51 description => "Path to the client certificate",
52 type => 'string',
53 optional => 1,
54 },
55 certkey => {
56 description => "Path to the client certificate key",
57 type => 'string',
58 optional => 1,
59 },
60 };
61 }
62
63 sub options {
64 return {
65 server1 => {},
66 server2 => { optional => 1 },
67 base_dn => {},
68 bind_dn => { optional => 1 },
69 user_attr => {},
70 port => { optional => 1 },
71 secure => { optional => 1 },
72 sslversion => { optional => 1 },
73 default => { optional => 1 },
74 comment => { optional => 1 },
75 tfa => { optional => 1 },
76 verify => { optional => 1 },
77 capath => { optional => 1 },
78 cert => { optional => 1 },
79 certkey => { optional => 1 },
80 };
81 }
82
83 sub authenticate_user {
84 my ($class, $config, $realm, $username, $password) = @_;
85
86 my $servers = [$config->{server1}];
87 push @$servers, $config->{server2} if $config->{server2};
88
89 my $default_port = $config->{secure} ? 636: 389;
90 my $port = $config->{port} // $default_port;
91 my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
92
93 my %ldap_args;
94 if ($config->{verify}) {
95 $ldap_args{verify} = 'require';
96 $ldap_args{clientcert} = $config->{cert} if $config->{cert};
97 $ldap_args{clientkey} = $config->{certkey} if $config->{certkey};
98 if (defined(my $capath = $config->{capath})) {
99 if (-d $capath) {
100 $ldap_args{capath} = $capath;
101 } else {
102 $ldap_args{cafile} = $capath;
103 }
104 }
105 } else {
106 $ldap_args{verify} = 'none';
107 }
108
109 if ($config->{secure}) {
110 $ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
111 }
112
113 my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args);
114
115 my $bind_dn;
116 my $bind_pass;
117
118 if ($config->{bind_dn}) {
119 $bind_dn = $config->{bind_dn};
120 $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
121 die "missing password for realm $realm\n" if !defined($bind_pass);
122 }
123
124 PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
125 my $user_dn = PVE::LDAP::get_user_dn($ldap, $username, $config->{user_attr}, $config->{base_dn});
126 PVE::LDAP::auth_user_dn($ldap, $user_dn, $password);
127
128 $ldap->unbind();
129 return 1;
130 }
131
132 1;
Access control framework