Close #833: ldap: non-anonymous bind support

The password will be read from /etc/pve/priv/ldap/$realm.pw

diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index e1161b64e131c1bebc85dfaef37435638f0b6ad8..d4e277995bcffb1837c652cc28f02c3998fe909f 100755 (executable)
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -3,6 +3,7 @@ package PVE::Auth::LDAP;
 use strict;
 use warnings;
 
 use strict;
 use warnings;
 

+use PVE::Tools;

 use PVE::Auth::Plugin;
 use Net::LDAP;
 use Net::IP;
 use PVE::Auth::Plugin;
 use Net::LDAP;
 use Net::IP;


@@ -28,6 +29,13 @@ sub properties {
            optional => 1,
            maxLength => 256,
        },
            optional => 1,
            maxLength => 256,
        },

+       bind_dn => {
+           description => "LDAP bind domain name",
+           type => 'string',
+           pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
+           optional => 1,
+           maxLength => 256,
+       },

     };
 }
 
     };
 }
 


@@ -36,6 +44,7 @@ sub options {
        server1 => {},
        server2 => { optional => 1 },
        base_dn => {},
        server1 => {},
        server2 => { optional => 1 },
        base_dn => {},

+       bind_dn => { optional => 1 },

        user_attr => {},
        port => { optional => 1 },
        secure => { optional => 1 },
        user_attr => {},
        port => { optional => 1 },
        secure => { optional => 1 },


@@ -46,7 +55,7 @@ sub options {
 }
 
 my $authenticate_user_ldap = sub {
 }
 
 my $authenticate_user_ldap = sub {

-    my ($config, $server, $username, $password) = @_;
+    my ($config, $server, $username, $password, $realm) = @_;

 
     my $default_port = $config->{secure} ? 636: 389;
     my $port = $config->{port} ? $config->{port} : $default_port;
 
     my $default_port = $config->{secure} ? 636: 389;
     my $port = $config->{port} ? $config->{port} : $default_port;


@@ -55,6 +64,16 @@ my $authenticate_user_ldap = sub {
     my $conn_string = "$scheme://${server}:$port";
 
     my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
     my $conn_string = "$scheme://${server}:$port";
 
     my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";

+
+    if (my $bind_dn = $config->{bind_dn}) {
+       my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
+       die "missing password for realm $realm\n" if !defined($bind_pass);
+       my $res = $ldap->bind($bind_dn, password => $bind_pass);
+       my $code = $res->code();
+       my $err = $res->error;
+       die "failed to authenticate to ldap service: $err\n" if ($code);
+    }
+

     my $search = $config->{user_attr} . "=" . $username;
     my $result = $ldap->search( base    => "$config->{base_dn}",
                                scope   => "sub",
     my $search = $config->{user_attr} . "=" . $username;
     my $result = $ldap->search( base    => "$config->{base_dn}",
                                scope   => "sub",


@@ -76,7 +95,7 @@ my $authenticate_user_ldap = sub {
 sub authenticate_user {
     my ($class, $config, $realm, $username, $password) = @_;
 
 sub authenticate_user {
     my ($class, $config, $realm, $username, $password) = @_;
 

-    eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); };
+    eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); };

     my $err = $@;
     return 1 if !$err;
     die $err if !$config->{server2};
     my $err = $@;
     return 1 if !$err;
     die $err if !$config->{server2};