PVE/Auth/LDAP.pm

   1 package PVE::Auth::LDAP;
   2
   3 use strict;
   4 use warnings;
   5
   6 use PVE::Auth::Plugin;
   7 use Net::LDAP;
   8 use base qw(PVE::Auth::Plugin);
   9
  10 sub type {
  11     return 'ldap';
  12 }
  13
  14 sub properties {
  15     return {
  16         base_dn => {
  17             description => "LDAP base domain name",
  18             type => 'string',
  19             pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
  20             optional => 1,
  21             maxLength => 256,
  22         },
  23         user_attr => {
  24             description => "LDAP user attribute name",
  25             type => 'string',
  26             pattern => '\S{2,}',
  27             optional => 1,
  28             maxLength => 256,
  29         },
  30     };
  31 }
  32
  33 sub options {
  34     return {
  35         server1 => {},
  36         server2 => { optional => 1 },
  37         base_dn => {},
  38         user_attr => {},
  39         port => { optional => 1 },
  40         secure => { optional => 1 },
  41         default => { optional => 1 },
  42         comment => { optional => 1 },
  43         tfa => { optional => 1 },
  44     };
  45 }
  46
  47 my $authenticate_user_ldap = sub {
  48     my ($config, $server, $username, $password) = @_;
  49
  50     my $default_port = $config->{secure} ? 636: 389;
  51     my $port = $config->{port} ? $config->{port} : $default_port;
  52     my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
  53     my $conn_string = "$scheme://${server}:$port";
  54
  55     my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
  56     my $search = $config->{user_attr} . "=" . $username;
  57     my $result = $ldap->search( base    => "$config->{base_dn}",
  58                                 scope   => "sub",
  59                                 filter  => "$search",
  60                                 attrs   => ['dn']
  61                                 );
  62     die "no entries returned\n" if !$result->entries;
  63     my @entries = $result->entries;
  64     my $res = $ldap->bind($entries[0]->dn, password => $password);
  65
  66     my $code = $res->code();
  67     my $err = $res->error;
  68
  69     $ldap->unbind();
  70
  71     die "$err\n" if ($code);
  72 };
  73
  74 sub authenticate_user {
  75     my ($class, $config, $realm, $username, $password) = @_;
  76
  77     eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); };
  78     my $err = $@;
  79     return 1 if !$err;
  80     die $err if !$config->{server2};
  81     &$authenticate_user_ldap($config, $config->{server2}, $username, $password);
  82 }
  83
  84 1;