1 package PVE
::Auth
::LDAP
;
10 use base
qw(PVE::Auth::Plugin);
19 description
=> "LDAP base domain name",
21 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
26 description
=> "LDAP user attribute name",
33 description
=> "LDAP bind domain name",
35 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
40 description
=> "Verify the server's SSL certificate",
46 description
=> "Path to the CA certificate store",
49 default => '/etc/ssl/certs',
52 description
=> "Path to the client certificate",
57 description
=> "Path to the client certificate key",
67 server2
=> { optional
=> 1 },
69 bind_dn
=> { optional
=> 1 },
71 port
=> { optional
=> 1 },
72 secure
=> { optional
=> 1 },
73 default => { optional
=> 1 },
74 comment
=> { optional
=> 1 },
75 tfa
=> { optional
=> 1 },
76 verify
=> { optional
=> 1 },
77 capath
=> { optional
=> 1 },
78 cert
=> { optional
=> 1 },
79 certkey
=> { optional
=> 1 },
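# Authenticate $username against a single LDAP server.
#
# Arguments:
#   $config   - realm configuration hash (base_dn, user_attr, secure, port,
#               verify, capath, cert, certkey, bind_dn, ...)
#   $server   - host name or IP address of the server to contact
#   $username - user part of the login name (without the realm suffix)
#   $password - password supplied by the user
#   $realm    - realm name; required whenever bind_dn is configured, because
#               the service-account password is read from
#               /etc/pve/priv/ldap/<realm>.pw
#
# Dies with a one-line message on any failure (connect error, service bind
# failure, no matching entry, wrong password). Callers rely on the absence
# of an exception, not on a return value.
my $authenticate_user_ldap = sub {
    my ($config, $server, $username, $password, $realm) = @_;

    # Never send an empty password: RFC 4513 (5.1.2) allows a simple bind with
    # a DN and an empty password to succeed as an *unauthenticated* bind, and
    # some servers accept that, which would look like a valid login here.
    die "no password\n" if !defined($password) || $password eq '';

    my $default_port = $config->{secure} ? 636 : 389;
    my $port = $config->{port} ? $config->{port} : $default_port;
    my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
    # IPv6 literals must be bracketed inside a URL.
    $server = "[$server]" if Net::IP::ip_is_ipv6($server);
    my $conn_string = "$scheme://${server}:$port";

    my %ldap_args;
    if ($config->{verify}) {
        # Verify the server certificate (chain and host name). Only has an
        # effect when TLS is actually used, i.e. with 'secure' set.
        $ldap_args{verify} = 'require';
        if (defined(my $cert = $config->{cert})) {
            $ldap_args{clientcert} = $cert;
        }
        if (defined(my $key = $config->{certkey})) {
            $ldap_args{clientkey} = $key;
        }
        if (defined(my $capath = $config->{capath})) {
            # Net::LDAP distinguishes a CA directory from a single bundle
            # file; the 'capath' option accepts either.
            if (-d $capath) {
                $ldap_args{capath} = $capath;
            } else {
                $ldap_args{cafile} = $capath;
            }
        }
    } else {
        # NOTE: with 'verify' unset the server certificate is NOT checked, so
        # an ldaps connection is encrypted but the peer is not authenticated.
        $ldap_args{verify} = 'none';
    }

    # Net::LDAP->new leaves the connect error in $@ on failure.
    my $ldap = Net::LDAP->new($conn_string, %ldap_args) or die "$@\n";

    if (my $bind_dn = $config->{bind_dn}) {
        # Service-account bind. The password is kept in the root-only
        # /etc/pve/priv tree rather than in the realm configuration.
        die "realm name required to read the bind password\n" if !defined($realm);
        my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
        die "missing password for realm $realm\n" if !defined($bind_pass);
        my $res = $ldap->bind($bind_dn, password => $bind_pass);
        die "failed to authenticate to ldap service: " . $res->error . "\n" if $res->code();
    }
    # Without bind_dn no bind is performed and the search below runs anonymously.

    # The username is caller supplied and ends up inside the search filter.
    # Escape the RFC 4515 metacharacters so a value such as '*' or
    # 'x)(objectClass=*' cannot widen the filter and make us bind against an
    # entry other than the one named by the login.
    (my $filter_value = $username) =~ s/([\\*()\0])/sprintf('\\%02x', ord($1))/ge;
    my $search = $config->{user_attr} . "=" . $filter_value;
    my $result = $ldap->search(
        base   => "$config->{base_dn}",
        scope  => 'sub',
        filter => $search,
        attrs  => ['dn'],
    );
    die "no entries returned\n" if !$result->entries;
    my @entries = $result->entries;
    # If several entries match (user_attr not unique in the directory) the
    # first one returned is used, as before; a stricter policy would be to
    # reject ambiguous results instead.
    my $user_dn = $entries[0]->dn;

    # Verify the password by binding as the user itself.
    my $res = $ldap->bind($user_dn, password => $password);
    my $code = $res->code();
    my $err = $res->error;

    # Release the connection before reporting the outcome.
    $ldap->unbind();

    die "$err\n" if $code;
};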
141 sub authenticate_user
{
142 my ($class, $config, $realm, $username, $password) = @_;
144 eval { &$authenticate_user_ldap($config, $config->{server1
}, $username, $password, $realm); };
147 die $err if !$config->{server2
};
148 &$authenticate_user_ldap($config, $config->{server2
}, $username, $password);