From: Wolfgang Bumiller Date: Mon, 25 Jul 2016 13:56:03 +0000 (+0200) Subject: Close #833: ldap: non-anonymous bind support X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=b5040b42f13bd5f9f6c3e0eebf44df5988e2f718 Close #833: ldap: non-anonymous bind support The password will be read from /etc/pve/priv/ldap/$realm.pw --- diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm index e1161b6..d4e2779 100755 --- a/PVE/Auth/LDAP.pm +++ b/PVE/Auth/LDAP.pm @@ -3,6 +3,7 @@ package PVE::Auth::LDAP; use strict; use warnings; +use PVE::Tools; use PVE::Auth::Plugin; use Net::LDAP; use Net::IP; @@ -28,6 +29,13 @@ sub properties { optional => 1, maxLength => 256, }, + bind_dn => { + description => "LDAP bind domain name", + type => 'string', + pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*', + optional => 1, + maxLength => 256, + }, }; } @@ -36,6 +44,7 @@ sub options { server1 => {}, server2 => { optional => 1 }, base_dn => {}, + bind_dn => { optional => 1 }, user_attr => {}, port => { optional => 1 }, secure => { optional => 1 }, @@ -46,7 +55,7 @@ sub options { } my $authenticate_user_ldap = sub { - my ($config, $server, $username, $password) = @_; + my ($config, $server, $username, $password, $realm) = @_; my $default_port = $config->{secure} ? 636: 389; my $port = $config->{port} ? $config->{port} : $default_port; @@ -55,6 +64,16 @@ my $authenticate_user_ldap = sub { my $conn_string = "$scheme://${server}:$port"; my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n"; + + if (my $bind_dn = $config->{bind_dn}) { + my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw"); + die "missing password for realm $realm\n" if !defined($bind_pass); + my $res = $ldap->bind($bind_dn, password => $bind_pass); + my $code = $res->code(); + my $err = $res->error; + die "failed to authenticate to ldap service: $err\n" if ($code); + } + my $search = $config->{user_attr} . "=" . $username; my $result = $ldap->search( base => "$config->{base_dn}", scope => "sub", @@ -76,7 +95,7 @@ my $authenticate_user_ldap = sub { sub authenticate_user { my ($class, $config, $realm, $username, $password) = @_; - eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); }; + eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); }; my $err = $@; return 1 if !$err; die $err if !$config->{server2};