1 package PVE
::Auth
::LDAP
;
9 use base
qw(PVE::Auth::Plugin);
# Schema fragment for the LDAP realm properties. Only selected lines of the
# source file are shown on this page: the property key names and the
# enclosing sub are not visible, so the keys below are inferred from the
# descriptions and from their use in connect_and_bind further down.
18 description
=> "LDAP base domain name",
# The same DN pattern is reused for the bind DN and group DN below (and the
# same regex doubles as the key=value list pattern for the attribute map).
# It carries no \A/\z anchors itself — presumably the schema validator
# anchors 'pattern' values, confirm.
20 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
25 description
=> "LDAP user attribute name",
32 description
=> "LDAP bind domain name",
34 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
# NOTE(review): certificate verification is opt-in. When this flag is not
# set, connect_and_bind below passes verify => 'none' to the LDAP client, so
# the server certificate is not checked at all; enable it for ldaps realms.
39 description
=> "Verify the server's SSL certificate",
# Handed to the LDAP client as both 'capath' and 'cafile' in connect_and_bind.
45 description
=> "Path to the CA certificate store",
48 default => '/etc/ssl/certs',
# Client certificate and key are only used when verification is enabled.
51 description
=> "Path to the client certificate",
56 description
=> "Path to the client certificate key",
61 description
=> "LDAP filter for user sync.",
67 description
=> "Comma separated list of key=value pairs for specifying"
68 ." which LDAP attributes map to which PVE user field. For example,"
69 ." to map the LDAP attribute 'mail' to PVEs 'email', write "
70 ." 'email=mail'. By default, each PVE user field is represented "
71 ." by an LDAP attribute of the same name.",
74 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
77 description
=> "The objectclasses for users.",
79 default => 'inetorgperson, posixaccount, person, user',
80 format
=> 'ldap-simple-attr-list',
84 description
=> "LDAP base domain name for group sync. If not set, the"
85 ." base_dn will be used.",
87 pattern
=> '\w+=[^,]+(,\s*\w+=[^,]+)*',
92 description
=> "LDAP attribute representing a groups name. If not set"
93 ." or found, the first value of the DN will be used as name.",
95 format
=> 'ldap-simple-attr',
100 description
=> "LDAP filter for group sync.",
106 description
=> "The objectclasses for groups.",
108 default => 'groupOfNames, group, univentionGroup, ipausergroup',
109 format
=> 'ldap-simple-attr-list',
# Option table for the realm (fragment). Every entry visible here is
# optional; the entries preceding server2 (e.g. server1, base_dn,
# user_attr) are not shown on this page — check the full file for which
# options are mandatory.
118 server2
=> { optional
=> 1 },
120 bind_dn
=> { optional
=> 1 },
122 port
=> { optional
=> 1 },
123 secure
=> { optional
=> 1 },
124 sslversion
=> { optional
=> 1 },
125 default => { optional
=> 1 },
126 comment
=> { optional
=> 1 },
127 tfa
=> { optional
=> 1 },
# TLS-related options; all optional, so a realm can be created with
# 'secure' set but without 'verify' (see connect_and_bind).
128 verify
=> { optional
=> 1 },
129 capath
=> { optional
=> 1 },
130 cert
=> { optional
=> 1 },
131 certkey
=> { optional
=> 1 },
# User/group sync options.
132 filter
=> { optional
=> 1 },
133 sync_attributes
=> { optional
=> 1 },
134 user_classes
=> { optional
=> 1 },
135 group_dn
=> { optional
=> 1 },
136 group_name_attr
=> { optional
=> 1 },
137 group_filter
=> { optional
=> 1 },
138 group_classes
=> { optional
=> 1 },
# Connect to the realm's LDAP server(s) and bind.
#
# Arguments: $class; $config, the realm's config hash; $realm, the realm
# name, used to locate the bind password file.
# Returns the bound LDAP handle (authenticate_user below assigns the result
# to $ldap); the tail of this sub is not shown on this page.
# Side effects: may write $config->{base_dn} back from the server's root
# DSE, and dies when bind_dn is set but the password file cannot be read.
142 sub connect_and_bind
{
143 my ($class, $config, $realm) = @_;
# server1 is always tried; server2 is an optional fallback.
145 my $servers = [$config->{server1
}];
146 push @$servers, $config->{server2
} if $config->{server2
};
# ldaps defaults to port 636, plain ldap to 389, unless a port is configured.
148 my $default_port = $config->{secure
} ?
636: 389;
149 my $port = $config->{port
} // $default_port;
150 my $scheme = $config->{secure
} ?
'ldaps' : 'ldap';
# Certificate verification is opt-in: with 'verify' set, the client
# requires a valid server certificate and may present a client cert/key.
153 if ($config->{verify
}) {
154 $ldap_args{verify
} = 'require';
155 $ldap_args{clientcert
} = $config->{cert
} if $config->{cert
};
156 $ldap_args{clientkey
} = $config->{certkey
} if $config->{certkey
};
157 if (defined(my $capath = $config->{capath
})) {
# The configured path is passed once as 'capath' and once as 'cafile'; the
# lines choosing between the two are not shown on this page — presumably a
# directory-vs-file check, confirm.
159 $ldap_args{capath
} = $capath;
161 $ldap_args{cafile
} = $capath;
# NOTE(review): without 'verify', certificate validation is switched off
# entirely (verify => 'none'): an ldaps connection is then encrypted but
# the server is not authenticated. The enclosing branch lines are not
# shown on this page.
165 $ldap_args{verify
} = 'none';
# Minimum TLS protocol version for ldaps; tlsv1_2 unless overridden.
168 if ($config->{secure
}) {
169 $ldap_args{sslversion
} = $config->{sslversion
} || 'tlsv1_2';
172 my $ldap = PVE
::LDAP
::ldap_connect
($servers, $scheme, $port, \
%ldap_args);
# Bind credentials: the password is read from the per-realm file under
# /etc/pve/priv/ldap rather than from the realm config. $realm is
# interpolated into the path — assumes it was already validated by the
# realm schema (no path separators), confirm.
177 if ($config->{bind_dn
}) {
178 $bind_dn = $config->{bind_dn
};
179 $bind_pass = PVE
::Tools
::file_read_firstline
("/etc/pve/priv/ldap/${realm}.pw");
180 die "missing password for realm $realm\n" if !defined($bind_pass);
# ldap_bind is called in every case; without a bind_dn, $bind_dn and
# $bind_pass are presumably left undef (declarations not shown here) and
# the bind is anonymous — confirm in PVE::LDAP::ldap_bind.
183 PVE
::LDAP
::ldap_bind
($ldap, $bind_dn, $bind_pass);
# No configured base_dn: discover it from the server's defaultNamingContext.
# Note this mutates the caller's $config.
185 if (!$config->{base_dn
}) {
186 my $root = $ldap->root_dse(attrs
=> [ 'defaultNamingContext' ]);
187 $config->{base_dn
} = $root->get_value('defaultNamingContext');
193 sub authenticate_user
{
194 my ($class, $config, $realm, $username, $password) = @_;
196 my $ldap = $class->connect_and_bind($config, $realm);
198 my $user_dn = PVE
::LDAP
::get_user_dn
($ldap, $username, $config->{user_attr
}, $config->{base_dn
});
199 PVE
::LDAP
::auth_user_dn
($ldap, $user_dn, $password);