X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAuth%2FLDAP.pm;h=d4e277995bcffb1837c652cc28f02c3998fe909f;hp=3f867ec3891c0c3b3c599363997e6159bc138995;hb=98eb404f77d95b8fa449db48b6d38196b7582549;hpb=96f8ebd62506bc7126d58400004101ef6a13ca71 diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm index 3f867ec..d4e2779 100755 --- a/PVE/Auth/LDAP.pm +++ b/PVE/Auth/LDAP.pm @@ -3,8 +3,10 @@ package PVE::Auth::LDAP; use strict; use warnings; +use PVE::Tools; use PVE::Auth::Plugin; use Net::LDAP; +use Net::IP; use base qw(PVE::Auth::Plugin); sub type { @@ -27,6 +29,13 @@ sub properties { optional => 1, maxLength => 256, }, + bind_dn => { + description => "LDAP bind domain name", + type => 'string', + pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*', + optional => 1, + maxLength => 256, + }, }; } @@ -35,6 +44,7 @@ sub options { server1 => {}, server2 => { optional => 1 }, base_dn => {}, + bind_dn => { optional => 1 }, user_attr => {}, port => { optional => 1 }, secure => { optional => 1 }, @@ -45,14 +55,25 @@ sub options { } my $authenticate_user_ldap = sub { - my ($config, $server, $username, $password) = @_; + my ($config, $server, $username, $password, $realm) = @_; my $default_port = $config->{secure} ? 636: 389; my $port = $config->{port} ? $config->{port} : $default_port; my $scheme = $config->{secure} ? 'ldaps' : 'ldap'; + $server = "[$server]" if Net::IP::ip_is_ipv6($server); my $conn_string = "$scheme://${server}:$port"; my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n"; + + if (my $bind_dn = $config->{bind_dn}) { + my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw"); + die "missing password for realm $realm\n" if !defined($bind_pass); + my $res = $ldap->bind($bind_dn, password => $bind_pass); + my $code = $res->code(); + my $err = $res->error; + die "failed to authenticate to ldap service: $err\n" if ($code); + } + my $search = $config->{user_attr} . "=" . $username; my $result = $ldap->search( base => "$config->{base_dn}", scope => "sub", @@ -74,7 +95,7 @@ my $authenticate_user_ldap = sub { sub authenticate_user { my ($class, $config, $realm, $username, $password) = @_; - eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); }; + eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); }; my $err = $@; return 1 if !$err; die $err if !$config->{server2};