+ my %ldap_args;
+ if ($config->{verify}) {
+ $ldap_args{verify} = 'require';
+ if (defined(my $cert = $config->{cert})) {
+ $ldap_args{clientcert} = $cert;
+ }
+ if (defined(my $key = $config->{certkey})) {
+ $ldap_args{clientkey} = $key;
+ }
+ if (defined(my $capath = $config->{capath})) {
+ if (-d $capath) {
+ $ldap_args{capath} = $capath;
+ } else {
+ $ldap_args{cafile} = $capath;
+ }
+ }
+ } else {
+ $ldap_args{verify} = 'none';
+ }
+
+ my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n";
+
+ if (my $bind_dn = $config->{bind_dn}) {
+ my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
+ die "missing password for realm $realm\n" if !defined($bind_pass);
+ my $res = $ldap->bind($bind_dn, password => $bind_pass);
+ my $code = $res->code();
+ my $err = $res->error;
+ die "failed to authenticate to ldap service: $err\n" if ($code);
+ }
+