PVE/Auth/LDAP.pm

   1 package PVE::Auth::LDAP;
   2
   3 use strict;
   4 use PVE::Auth::Plugin;
   5 use Net::LDAP;
   6 use base qw(PVE::Auth::Plugin);
   7
   8 sub type {
   9     return 'ldap';
  10 }
  11
  12 sub properties {
  13     return {
  14         base_dn => {
  15             description => "LDAP base domain name",
  16             type => 'string',
  17             pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
  18             optional => 1,
  19             maxLength => 256,
  20         },
  21         user_attr => {
  22             description => "LDAP user attribute name",
  23             type => 'string',
  24             pattern => '\S{2,}',
  25             optional => 1,
  26             maxLength => 256,
  27         },
  28     };
  29 }
  30
  31 sub options {
  32     return {
  33         server1 => {},
  34         server2 => { optional => 1 },
  35         base_dn => {},
  36         user_attr => {},
  37         port => { optional => 1 },
  38         secure => { optional => 1 },
  39         default => { optional => 1 },
  40         comment => { optional => 1 },
  41     };
  42 }
  43
  44 my $authenticate_user_ldap = sub {
  45     my ($config, $server, $username, $password) = @_;
  46
  47     my $default_port = $config->{secure} ? 636: 389;
  48     my $port = $config->{port} ? $config->{port} : $default_port;
  49     my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
  50     my $conn_string = "$scheme://${server}:$port";
  51
  52     my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
  53     my $search = $config->{user_attr} . "=" . $username;
  54     my $result = $ldap->search( base    => "$config->{base_dn}",
  55                                 scope   => "sub",
  56                                 filter  => "$search",
  57                                 attrs   => ['dn']
  58                                 );
  59     die "no entries returned\n" if !$result->entries;
  60     my @entries = $result->entries;
  61     my $res = $ldap->bind($entries[0]->dn, password => $password);
  62
  63     my $code = $res->code();
  64     my $err = $res->error;
  65
  66     $ldap->unbind();
  67
  68     die "$err\n" if ($code);
  69 };
  70
  71 sub authenticate_user {
  72     my ($class, $config, $realm, $username, $password) = @_;
  73
  74     eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); };
  75     my $err = $@;
  76     return 1 if !$err;
  77     die $err if !$config->{server2};
  78     &$authenticate_user_ldap($config, $config->{server2}, $username, $password);
  79 }
  80
  81 1;