auth ldap/ad: introduce connection 'mode'

instead of having only a 'secure' flag which switches between
ldap/ldaps we now have a mode which also contains 'ldap+starttls'

our connection code in PVE::LDAP can handle this already (used in pmg)
so that is no problem

if we want to really remove the 'secure' flag, e.g. in 7.0
we'd either have to rewrite the config or have it as an error
in a pve6to7 script

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index 24b0e9f7c23af42e2edea820c4e299a03e91ba80..4d64c2064ea39a14628f7b162f585c40fa3a62e5 100755 (executable)
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -27,7 +27,7 @@ sub properties {
            maxLength => 256,
        },
        secure => {
-           description => "Use secure LDAPS protocol.",
+           description => "Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.",
            type => 'boolean',
            optional => 1,
        },
@@ -93,6 +93,7 @@ sub options {
        group_filter => { optional => 1 },
        group_classes => { optional => 1 },
        'sync-defaults-options' => { optional => 1 },
+       mode => { optional => 1 },
     };
 }
 
@@ -110,9 +111,7 @@ sub authenticate_user {
     my $servers = [$config->{server1}];
     push @$servers, $config->{server2} if $config->{server2};
 
-    my $default_port = $config->{secure} ? 636: 389;
-    my $port = $config->{port} // $default_port;
-    my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
+    my ($scheme, $port) = $class->get_scheme_and_port($config);
 
     my %ad_args;
     if ($config->{verify}) {
@@ -130,7 +129,7 @@ sub authenticate_user {
        $ad_args{verify} = 'none';
     }
 
-    if ($config->{secure}) {
+    if ($scheme ne 'ldap') {
        $ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2';
     }
 

diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index 6b6b1849893f2e56d398a33cc3918859c55761fe..64250cb7af08c3a2e7c2c92c5b6538807ffe199b 100755 (executable)
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -122,6 +122,13 @@ sub properties {
            format => 'realm-sync-options',
            optional => 1,
        },
+       mode => {
+           description => "LDAP protocol mode.",
+           type => 'string',
+           enum => [ 'ldap', 'ldaps', 'ldap+starttls'],
+           optional => 1,
+           default => 'ldap',
+       },
     };
 }
 
@@ -151,18 +158,28 @@ sub options {
        group_filter => { optional => 1 },
        group_classes => { optional => 1 },
        'sync-defaults-options' => { optional => 1 },
+       mode => { optional => 1 },
     };
 }
 
+sub get_scheme_and_port {
+    my ($class, $config) = @_;
+
+    my $scheme = $config->{mode} // ($config->{secure} ? 'ldaps' : 'ldap');
+
+    my $default_port = $scheme eq 'ldaps' ? 636 : 389;
+    my $port = $config->{port} // $default_port;
+
+    return ($scheme, $port);
+}
+
 sub connect_and_bind {
     my ($class, $config, $realm) = @_;
 
     my $servers = [$config->{server1}];
     push @$servers, $config->{server2} if $config->{server2};
 
-    my $default_port = $config->{secure} ? 636: 389;
-    my $port = $config->{port} // $default_port;
-    my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
+    my ($scheme, $port) = $class->get_scheme_and_port($config);
 
     my %ldap_args;
     if ($config->{verify}) {
@@ -180,7 +197,7 @@ sub connect_and_bind {
        $ldap_args{verify} = 'none';
     }
 
-    if ($config->{secure}) {
+    if ($scheme ne 'ldap') {
        $ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
     }