api/ticket: move getting cluster name into an eval

[pve-access-control.git] / PVE / Auth / AD.pm

diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index eb502f7bbf3a3348dc8fb44568fe5c1af641ea04..b924b02b2c550f24c86a2a8fcf0abfdab9d2c454 100755 (executable)
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -4,6 +4,7 @@ use strict;
 use warnings;
 use PVE::Auth::Plugin;
 use Net::LDAP;
+use Net::IP;
 
 use base qw(PVE::Auth::Plugin);
 
@@ -13,33 +14,33 @@ sub type {
 
 sub properties {
     return {
-       server1 => { 
-           description => "Server IP address (or DNS name)",           
+       server1 => {
+           description => "Server IP address (or DNS name)",
            type => 'string',
-           pattern => '[\w\d]+(.[\w\d]+)*',
+           format => 'address',
            maxLength => 256,
        },
-       server2 => { 
+       server2 => {
            description => "Fallback Server IP address (or DNS name)",
            type => 'string',
            optional => 1,
-           pattern => '[\w\d]+(.[\w\d]+)*',
+           format => 'address',
            maxLength => 256,
        },
-       secure => { 
+       secure => {
            description => "Use secure LDAPS protocol.",
-           type => 'boolean', 
+           type => 'boolean',
            optional => 1,
 
        },
-       default => { 
+       default => {
            description => "Use this as default realm",
-           type => 'boolean', 
+           type => 'boolean',
            optional => 1,
        },
-       comment => { 
+       comment => {
            description => "Description.",
-           type => 'string', 
+           type => 'string',
            optional => 1,
            maxLength => 4096,
        },
@@ -57,6 +58,7 @@ sub properties {
            optional => 1,
            maxLength => 256,
        },
+       tfa => PVE::JSONSchema::get_standard_option('tfa'),
     };
 }
 
@@ -69,6 +71,11 @@ sub options {
        secure => { optional => 1 },
        default => { optional => 1 },,
        comment => { optional => 1 },
+       tfa => { optional => 1 },
+       verify => { optional => 1 },
+       capath => { optional => 1 },
+       cert => { optional => 1 },
+       certkey => { optional => 1 },
     };
 }
 
@@ -78,11 +85,32 @@ my $authenticate_user_ad = sub {
     my $default_port = $config->{secure} ? 636: 389;
     my $port = $config->{port} ? $config->{port} : $default_port;
     my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
+    $server = "[$server]" if Net::IP::ip_is_ipv6($server);
     my $conn_string = "$scheme://${server}:$port";
-    
-    my $ldap = Net::LDAP->new($server) || die "$@\n";
 
-    $username = "$username\@$config->{domain}" 
+    my %ad_args;
+    if ($config->{verify}) {
+       $ad_args{verify} = 'require';
+       if (defined(my $cert = $config->{cert})) {
+           $ad_args{clientcert} = $cert;
+       }
+       if (defined(my $key = $config->{certkey})) {
+           $ad_args{clientkey} = $key;
+       }
+       if (defined(my $capath = $config->{capath})) {
+           if (-d $capath) {
+               $ad_args{capath} = $capath;
+           } else {
+               $ad_args{cafile} = $capath;
+           }
+       }
+    } elsif (defined($config->{verify})) {
+       $ad_args{verify} = 'none';
+    }
+
+    my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n";
+
+    $username = "$username\@$config->{domain}"
        if $username !~ m/@/ && $config->{domain};
 
     my $res = $ldap->bind($username, password => $password);