X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAuth%2FLDAP.pm;h=9f08504a0997a9839670c3f5840d019d48585910;hp=d4e277995bcffb1837c652cc28f02c3998fe909f;hb=b27ae8aa44d088273f09d165dedbf270de376bca;hpb=b5040b42f13bd5f9f6c3e0eebf44df5988e2f718
diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index d4e2779..9f08504 100755
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -36,6 +36,28 @@ sub properties {
 optional => 1,
 maxLength => 256,
 },
+ verify => {
+ description => "Verify the server's SSL certificate",
+ type => 'boolean',
+ optional => 1,
+ default => 0,
+ },
+ capath => {
+ description => "Path to the CA certificate store",
+ type => 'string',
+ optional => 1,
+ default => '/etc/ssl/certs',
+ },
+ cert => {
+ description => "Path to the client certificate",
+ type => 'string',
+ optional => 1,
+ },
+ certkey => {
+ description => "Path to the client certificate key",
+ type => 'string',
+ optional => 1,
+ },
 };
 }
@@ -51,6 +73,10 @@ sub options {
 default => { optional => 1 },
 comment => { optional => 1 },
 tfa => { optional => 1 },
+ verify => { optional => 1 },
+ capath => { optional => 1 },
+ cert => { optional => 1 },
+ certkey => { optional => 1 },
 };
 }
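Review bot: The `capath` description says "Path to the CA certificate store", but the connection code later in this file passes the value to Net::LDAP as `capath` only when `-d` succeeds and as `cafile` otherwise, so a single PEM bundle is accepted as well; the description should say so, e.g. `description => "Path to the CA certificate store (directory) or a single CA certificate file",`. The new `verify` property defaults to 0, which keeps the previous `verify => 'none'` behaviour: an LDAPS server's certificate is accepted without any check unless the realm explicitly opts in, and the description should state that consequence of the default so the schema documentation does not read as if verification were on, e.g. `description => "Verify the server's SSL certificate (off by default: the certificate is accepted unchecked)",`. The `options` hunk below only whitelists the four new keys and needs no change.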
@@ -63,7 +89,27 @@ my $authenticate_user_ldap = sub {
 $server = "[$server]" if Net::IP::ip_is_ipv6($server);
 my $conn_string = "$scheme://${server}:$port";
- my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
+ my %ldap_args;
+ if ($config->{verify}) {
+ $ldap_args{verify} = 'require';
+ if (defined(my $cert = $config->{cert})) {
+ $ldap_args{clientcert} = $cert;
+ }
+ if (defined(my $key = $config->{certkey})) {
+ $ldap_args{clientkey} = $key;
+ }
+ if (defined(my $capath = $config->{capath})) {
+ if (-d $capath) {
+ $ldap_args{capath} = $capath;
+ } else {
+ $ldap_args{cafile} = $capath;
+ }
+ }
+ } else {
+ $ldap_args{verify} = 'none';
+ }
+
+ my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n";
 if (my $bind_dn = $config->{bind_dn}) {
 my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
@@ -99,7 +145,7 @@ sub authenticate_user {
 my $err = $@;
 return 1 if !$err;
 die $err if !$config->{server2};
- &$authenticate_user_ldap($config, $config->{server2}, $username, $password);
+ &$authenticate_user_ldap($config, $config->{server2}, $username, $password, $realm);
 }
 1;
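Review bot: A `capath` that does not exist on disk is silently handed to Net::LDAP as `cafile`, because the only test in the added branch is `-d $capath`; the administrator then gets whatever opaque TLS error IO::Socket::SSL produces instead of a message naming the bad path. Add an existence check ahead of the branch, `die "CA path '$capath' does not exist\n" if !-e $capath;` (or `-r`), and consider the same for `cert` and `certkey`. The schema `default => '/etc/ssl/certs'` only reaches this code if the config loader materializes defaults into `$config`; if it does not, `verify => 'require'` is passed with neither `capath` nor `cafile`, and how Net::LDAP/IO::Socket::SSL verify in that case depends on the installed version — worth confirming with a realm that sets only `verify`. These `%ldap_args` keys affect the connection only when `$scheme` is `ldaps`; if the closure performs STARTTLS elsewhere (it starts and ends outside this hunk), the same options would have to be passed to that `start_tls` call as well.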
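Review bot: The fallback call now passes `$realm`, which the closure needs for the `/etc/pve/priv/ldap/${realm}.pw` lookup shown in the previous hunk; the primary call inside the surrounding `eval` is above this hunk and not visible here, so confirm it passes `$realm` in the same position. Stylistically, `$authenticate_user_ldap->($config, $config->{server2}, $username, $password, $realm);` is the conventional way to invoke a code reference and avoids the `&$coderef(...)` form.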