+my $ldap_pw_dir = "/etc/pve/priv/realm";
+
+sub ldap_cred_file_name {
+ my ($realmid) = @_;
+ return "${ldap_pw_dir}/${realmid}.pw";
+}
+
+sub get_cred_file {
+ my ($realmid) = @_;
+
+ my $cred_file = ldap_cred_file_name($realmid);
+ if (-e $cred_file) {
+ return $cred_file;
+ } elsif (-e "/etc/pve/priv/ldap/${realmid}.pw") {
+ # FIXME: remove fallback with 7.0 by doing a rename on upgrade from 6.x
+ return "/etc/pve/priv/ldap/${realmid}.pw";
+ }
+
+ return $cred_file;
+}
+
+sub ldap_set_credentials {
+ my ($password, $realmid) = @_;
+
+ my $cred_file = ldap_cred_file_name($realmid);
+ mkdir $ldap_pw_dir;
+
+ PVE::Tools::file_set_contents($cred_file, $password);
+
+ return $cred_file;
+}
+
+sub ldap_get_credentials {
+ my ($realmid) = @_;
+
+ if (my $cred_file = get_cred_file($realmid)) {
+ return PVE::Tools::file_read_firstline($cred_file);
+ }
+ return undef;
+}
+
+sub ldap_delete_credentials {
+ my ($realmid) = @_;
+
+ if (my $cred_file = get_cred_file($realmid)) {
+ unlink($cred_file) or warn "removing LDAP credentials '$cred_file' failed: $!\n";
+ }
+}
+
+sub on_add_hook {
+ my ($class, $realm, $config, %param) = @_;
+
+ if (defined($param{password})) {
+ ldap_set_credentials($param{password}, $realm);
+ } else {
+ ldap_delete_credentials($realm);
+ }
+}
+
+sub on_update_hook {
+ my ($class, $realm, $config, %param) = @_;
+
+ return if !exists($param{password});
+
+ if (defined($param{password})) {
+ ldap_set_credentials($param{password}, $realm);
+ } else {
+ ldap_delete_credentials($realm);
+ }
+}
+
+sub on_delete_hook {
+ my ($class, $realm, $config) = @_;
+
+ ldap_delete_credentials($realm);
+}
+
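Review bot: ldap_delete_credentials removes only the one path that get_cred_file returns, so when a realm has both a new-style file and the legacy `/etc/pve/priv/ldap/${realmid}.pw` (ldap_set_credentials writes the new file and leaves the old one in place), clearing the password deletes the new file and the next ldap_get_credentials falls back to the stale legacy secret. get_cred_file also never returns a false value, so the `if (my $cred_file = ...)` guards are always taken, and on_add_hook without a password ends in an unlink of a missing file and a spurious warning. I would walk both locations and skip absent ones: `for my $f (ldap_cred_file_name($realmid), "/etc/pve/priv/ldap/${realmid}.pw") {`, `unlink($f) or warn "removing LDAP credentials '$f' failed: $!\n" if -e $f;`, `}`. Separately, ldap_set_credentials ignores the result of `mkdir $ldap_pw_dir` and passes no mode for the directory or the password file; unless the filesystem under /etc/pve/priv enforces root-only access on its own, both should be created with explicit restrictive permissions and a failed mkdir should be reported. It is also worth confirming that `$realmid` is validated against path separators before it reaches these helpers, since it is interpolated straight into the file name that is written and unlinked.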