check => ['perm', '/access/realm', ['Realm.Allocate']],
},
description => "Add an authentication server.",
- parameters => PVE::Auth::Plugin->createSchema(),
+ parameters => PVE::Auth::Plugin->createSchema(0, {
+ 'check-connection' => {
+ description => 'Check bind connection to the server.',
+ type => 'boolean',
+ optional => 1,
+ default => 0,
+ },
+ }),
returns => { type => 'null' },
code => sub {
my ($param) = @_;
my $realm = extract_param($param, 'realm');
my $type = $param->{type};
+ my $check_connection = extract_param($param, 'check-connection');
die "domain '$realm' already exists\n"
if $ids->{$realm};
die "unable to create builtin type '$type'\n"
if ($type eq 'pam' || $type eq 'pve');
+ die "'check-connection' parameter can only be set for realms of type 'ldap' or 'ad'\n"
+ if defined($check_connection) && !($type eq 'ldap' || $type eq 'ad');
+
if ($type eq 'ad' || $type eq 'ldap') {
$map_sync_default_options->($param, 1);
}
}
$plugin->on_add_hook($realm, $config, password => $password);
+ # Only for LDAP/AD, implied through the existence of the 'check-connection' param
+ $plugin->check_connection($realm, $config, password => $password)
+ if $check_connection;
+
cfs_write_file($domainconfigfile, $cfg);
}, "add auth server failed");
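Review bot: The guard on the new parameter tests `defined($check_connection)`, but the schema declares `default => 0`; if the REST layer fills in schema defaults before the handler runs (not visible here, worth confirming), every non-LDAP/AD realm type that survives the `pam`/`pve` check would hit this die even though the caller never set the option. Testing the value instead of its definedness keeps the intent and is safe either way: `if $check_connection && !($type eq 'ldap' || $type eq 'ad');` — the same applies to the guard in the update handler below. Separately, the check runs after `on_add_hook`; if that hook persists the bind password (as its `password => $password` argument suggests, though the hook body is not shown), a failed connection check leaves stored credentials behind for a realm that was never written to the config, so either run the check before the hook or remove the credentials when it dies. The `add` handler starts before this hunk.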
},
description => "Update authentication server settings.",
protected => 1,
- parameters => PVE::Auth::Plugin->updateSchema(),
+ parameters => PVE::Auth::Plugin->updateSchema(0, {
+ 'check-connection' => {
+ description => 'Check bind connection to the server.',
+ type => 'boolean',
+ optional => 1,
+ default => 0,
+ },
+ }),
returns => { type => 'null' },
code => sub {
my ($param) = @_;
PVE::SectionConfig::assert_if_modified($cfg, $digest);
my $realm = extract_param($param, 'realm');
+ my $type = $ids->{$realm}->{type};
+ my $check_connection = extract_param($param, 'check-connection');
die "domain '$realm' does not exist\n"
if !$ids->{$realm};
+ die "'check-connection' parameter can only be set for realms of type 'ldap' or 'ad'\n"
+ if defined($check_connection) && !($type eq 'ldap' || $type eq 'ad');
+
my $delete_str = extract_param($param, 'delete');
die "no options specified\n"
if !$delete_str && !scalar(keys %$param) && !defined($password);
$delete_pw = 1 if $opt eq 'password';
}
- my $type = $ids->{$realm}->{type};
if ($type eq 'ad' || $type eq 'ldap') {
$map_sync_default_options->($param, 1);
}
$plugin->on_update_hook($realm, $config);
}
+ # Only for LDAP/AD, implied through the existence of the 'check-connection' param
+ $plugin->check_connection($realm, $ids->{$realm}, password => $password)
+ if $check_connection;
+
cfs_write_file($domainconfigfile, $cfg);
}, "update auth server failed");
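Review bot: Moving `my $type = $ids->{$realm}->{type};` above the existence check breaks that check: the nested rvalue dereference autovivifies `$ids->{$realm}` as an empty hashref, which is true, so `die "domain '$realm' does not exist\n" if !$ids->{$realm};` can no longer fire for an unknown realm, and `$type` is undef (the `eq` comparisons in the new guard then warn on an uninitialized value). Whatever fails later presumably does so with a misleading message, and `$cfg->{ids}` now carries an empty entry for the unknown realm should anything reach `cfs_write_file`. Keep the die first and read the type only afterwards: `die "domain '$realm' does not exist\n" if !$ids->{$realm};` followed by `my $type = $ids->{$realm}->{type};`. The `update` handler body continues outside the hunk.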
use base qw(PVE::Auth::Plugin);
-my $dn_part_regex = qr!("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])!;
-our $dn_regex = qr!\w+=${dn_part_regex}(,\s*\w+=${dn_part_regex})*!;
-
sub type {
return 'ldap';
}
base_dn => {
description => "LDAP base domain name",
type => 'string',
- pattern => $dn_regex,
optional => 1,
maxLength => 256,
},
bind_dn => {
description => "LDAP bind domain name",
type => 'string',
- pattern => $dn_regex,
optional => 1,
maxLength => 256,
},
description => "LDAP base domain name for group sync. If not set, the"
." base_dn will be used.",
type => 'string',
- pattern => $dn_regex,
optional => 1,
maxLength => 256,
},
type => 'boolean',
optional => 1,
default => 1,
- }
+ },
};
}
}
sub connect_and_bind {
- my ($class, $config, $realm) = @_;
+ my ($class, $config, $realm, $param) = @_;
my $servers = [$config->{server1}];
push @$servers, $config->{server2} if $config->{server2};
if ($config->{bind_dn}) {
my $bind_dn = $config->{bind_dn};
- my $bind_pass = ldap_get_credentials($realm);
+ my $bind_pass = $param->{password} || ldap_get_credentials($realm);
die "missing password for realm $realm\n" if !defined($bind_pass);
PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
} elsif ($config->{cert} && $config->{certkey}) {
ldap_delete_credentials($realm);
}
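Review bot: `$param->{password} || ldap_get_credentials($realm)` treats an explicitly supplied empty password as absent and silently falls back to the stored credential, so a connection check that accompanies a password change to `''` would validate the old secret and report success. Using defined-or keeps the fallback for callers that pass no `$param` at all (which the unchanged callers elsewhere presumably do) while letting an explicit value reach the validation: `my $bind_pass = $param->{password} // ldap_get_credentials($realm);` together with `die "missing password for realm $realm\n" if !defined($bind_pass) || !length($bind_pass);`. Rejecting the empty string there matters because LDAP servers may treat a simple bind with an empty password as an unauthenticated bind and answer it successfully. `connect_and_bind` starts and ends outside this hunk, so where `$ldap` is created and what is returned is not visible here.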
+sub check_connection {
+ my ($class, $realm, $config, %param) = @_;
+
+ $class->connect_and_bind($config, $realm, \%param);
+}
+
1;
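Review bot: `check_connection` discards whatever `connect_and_bind` returns; if that is the bound `$ldap` handle (its return is outside the visible hunks), each check leaves a bound session open until the object is garbage-collected, so capture it and close it: `my $ldap = $class->connect_and_bind($config, $realm, \%param);` then `$ldap->unbind if $ldap;`. The new method also takes `($realm, $config)` while `connect_and_bind` takes `($config, $realm)`; aligning the order would avoid the kind of swap the API callers now have to get right. A one-line header comment would help the next reader, e.g. `# Verify that a bind against the configured server(s) succeeds with the supplied or stored credentials; dies on failure.`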