]>
git.proxmox.com Git - pve-access-control.git/blob - PVE/Auth/LDAP.pm
1 package PVE
::Auth
::LDAP
;
8 use base
qw(PVE::Auth::Plugin);
17 description
=> "LDAP base domain name",
19 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
24 description
=> "LDAP user attribute name",
36 server2
=> { optional
=> 1 },
39 port
=> { optional
=> 1 },
40 secure
=> { optional
=> 1 },
41 default => { optional
=> 1 },
42 comment
=> { optional
=> 1 },
43 tfa
=> { optional
=> 1 },
47 my $authenticate_user_ldap = sub {
48 my ($config, $server, $username, $password) = @_;
50 my $default_port = $config->{secure
} ?
636: 389;
51 my $port = $config->{port
} ?
$config->{port
} : $default_port;
52 my $scheme = $config->{secure
} ?
'ldaps' : 'ldap';
53 my $conn_string = "$scheme://${server}:$port";
55 my $ldap = Net
::LDAP-
>new($conn_string, verify
=> 'none') || die "$@\n";
56 my $search = $config->{user_attr
} . "=" . $username;
57 my $result = $ldap->search( base
=> "$config->{base_dn}",
62 die "no entries returned\n" if !$result->entries;
63 my @entries = $result->entries;
64 my $res = $ldap->bind($entries[0]->dn, password
=> $password);
66 my $code = $res->code();
67 my $err = $res->error;
71 die "$err\n" if ($code);
74 sub authenticate_user
{
75 my ($class, $config, $realm, $username, $password) = @_;
77 eval { &$authenticate_user_ldap($config, $config->{server1
}, $username, $password); };
80 die $err if !$config->{server2
};
81 &$authenticate_user_ldap($config, $config->{server2
}, $username, $password);