1 package PVE
::Auth
::LDAP
;
9 use base
qw(PVE::Auth::Plugin);
18 description
=> "LDAP base domain name",
20 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
25 description
=> "LDAP user attribute name",
32 description
=> "LDAP bind domain name",
34 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
39 description
=> "Verify the server's SSL certificate",
45 description
=> "Path to the CA certificate store",
48 default => '/etc/ssl/certs',
51 description
=> "Path to the client certificate",
56 description
=> "Path to the client certificate key",
66 server2
=> { optional
=> 1 },
68 bind_dn
=> { optional
=> 1 },
70 port
=> { optional
=> 1 },
71 secure
=> { optional
=> 1 },
72 sslversion
=> { optional
=> 1 },
73 default => { optional
=> 1 },
74 comment
=> { optional
=> 1 },
75 tfa
=> { optional
=> 1 },
76 verify
=> { optional
=> 1 },
77 capath
=> { optional
=> 1 },
78 cert
=> { optional
=> 1 },
79 certkey
=> { optional
=> 1 },
83 sub connect_and_bind
{
84 my ($class, $config, $realm) = @_;
86 my $servers = [$config->{server1
}];
87 push @$servers, $config->{server2
} if $config->{server2
};
89 my $default_port = $config->{secure
} ?
636: 389;
90 my $port = $config->{port
} // $default_port;
91 my $scheme = $config->{secure
} ?
'ldaps' : 'ldap';
94 if ($config->{verify
}) {
95 $ldap_args{verify
} = 'require';
96 $ldap_args{clientcert
} = $config->{cert
} if $config->{cert
};
97 $ldap_args{clientkey
} = $config->{certkey
} if $config->{certkey
};
98 if (defined(my $capath = $config->{capath
})) {
100 $ldap_args{capath
} = $capath;
102 $ldap_args{cafile
} = $capath;
106 $ldap_args{verify
} = 'none';
109 if ($config->{secure
}) {
110 $ldap_args{sslversion
} = $config->{sslversion
} || 'tlsv1_2';
113 my $ldap = PVE
::LDAP
::ldap_connect
($servers, $scheme, $port, \
%ldap_args);
118 if ($config->{bind_dn
}) {
119 $bind_dn = $config->{bind_dn
};
120 $bind_pass = PVE
::Tools
::file_read_firstline
("/etc/pve/priv/ldap/${realm}.pw");
121 die "missing password for realm $realm\n" if !defined($bind_pass);
124 PVE
::LDAP
::ldap_bind
($ldap, $bind_dn, $bind_pass);
126 if (!$config->{base_dn
}) {
127 my $root = $ldap->root_dse(attrs
=> [ 'defaultNamingContext' ]);
128 $config->{base_dn
} = $root->get_value('defaultNamingContext');
134 sub authenticate_user
{
135 my ($class, $config, $realm, $username, $password) = @_;
137 my $ldap = $class->connect_and_bind($config, $realm);
139 my $user_dn = PVE
::LDAP
::get_user_dn
($ldap, $username, $config->{user_attr
}, $config->{base_dn
});
140 PVE
::LDAP
::auth_user_dn
($ldap, $user_dn, $password);