From d9e93d2eca41423b387e7280376661b9bbe560ea Mon Sep 17 00:00:00 2001 From: Dominik Csapak Date: Fri, 6 Mar 2020 11:05:37 +0100 Subject: [PATCH] use PVE::LDAP module instead of useing Net::LDAP directly for things like connecting/binding/etc. Signed-off-by: Dominik Csapak --- PVE/Auth/AD.pm | 44 +++++++++------------------------ PVE/Auth/LDAP.pm | 64 +++++++++++++++--------------------------------- 2 files changed, 32 insertions(+), 76 deletions(-) diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm index 42eb79d..06fac9d 100755 --- a/PVE/Auth/AD.pm +++ b/PVE/Auth/AD.pm @@ -3,8 +3,7 @@ package PVE::Auth::AD; use strict; use warnings; use PVE::Auth::Plugin; -use Net::LDAP; -use Net::IP; +use PVE::LDAP; use base qw(PVE::Auth::Plugin); @@ -31,7 +30,6 @@ sub properties { description => "Use secure LDAPS protocol.", type => 'boolean', optional => 1, - }, sslversion => { description => "LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!", @@ -86,24 +84,21 @@ sub options { }; } -my $authenticate_user_ad = sub { - my ($config, $server, $username, $password) = @_; +sub authenticate_user { + my ($class, $config, $realm, $username, $password) = @_; + + my $servers = [$config->{server1}]; + push @$servers, $config->{server2} if $config->{server2}; my $default_port = $config->{secure} ? 636: 389; - my $port = $config->{port} ? $config->{port} : $default_port; + my $port = $config->{port} // $default_port; my $scheme = $config->{secure} ? 'ldaps' : 'ldap'; - $server = "[$server]" if Net::IP::ip_is_ipv6($server); - my $conn_string = "$scheme://${server}:$port"; my %ad_args; if ($config->{verify}) { $ad_args{verify} = 'require'; - if (defined(my $cert = $config->{cert})) { - $ad_args{clientcert} = $cert; - } - if (defined(my $key = $config->{certkey})) { - $ad_args{clientkey} = $key; - } + $ad_args{clientcert} = $config->{cert} if $config->{cert}; + $ad_args{clientkey} = $config->{certkey} if $config->{certkey}; if (defined(my $capath = $config->{capath})) { if (-d $capath) { $ad_args{capath} = $capath; @@ -116,32 +111,17 @@ my $authenticate_user_ad = sub { } if ($config->{secure}) { - $ad_args{sslversion} = $config->{sslversion} || 'tlsv1_2'; + $ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2'; } - my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n"; + my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ad_args); $username = "$username\@$config->{domain}" if $username !~ m/@/ && $config->{domain}; - my $res = $ldap->bind($username, password => $password); - - my $code = $res->code(); - my $err = $res->error; + PVE::LDAP::auth_user_dn($ldap, $username, $password); $ldap->unbind(); - - die "$err\n" if ($code); -}; - -sub authenticate_user { - my ($class, $config, $realm, $username, $password) = @_; - - eval { &$authenticate_user_ad($config, $config->{server1}, $username, $password); }; - my $err = $@; - return 1 if !$err; - die $err if !$config->{server2}; - &$authenticate_user_ad($config, $config->{server2}, $username, $password); return 1; } diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm index a94778e..0faa40a 100755 --- a/PVE/Auth/LDAP.pm +++ b/PVE/Auth/LDAP.pm @@ -5,8 +5,7 @@ use warnings; use PVE::Tools; use PVE::Auth::Plugin; -use Net::LDAP; -use Net::IP; +use PVE::LDAP; use base qw(PVE::Auth::Plugin); sub type { @@ -81,24 +80,21 @@ sub options { }; } -my $authenticate_user_ldap = sub { - my ($config, $server, $username, $password, $realm) = @_; +sub authenticate_user { + my ($class, $config, $realm, $username, $password) = @_; + + my $servers = [$config->{server1}]; + push @$servers, $config->{server2} if $config->{server2}; my $default_port = $config->{secure} ? 636: 389; - my $port = $config->{port} ? $config->{port} : $default_port; + my $port = $config->{port} // $default_port; my $scheme = $config->{secure} ? 'ldaps' : 'ldap'; - $server = "[$server]" if Net::IP::ip_is_ipv6($server); - my $conn_string = "$scheme://${server}:$port"; my %ldap_args; if ($config->{verify}) { $ldap_args{verify} = 'require'; - if (defined(my $cert = $config->{cert})) { - $ldap_args{clientcert} = $cert; - } - if (defined(my $key = $config->{certkey})) { - $ldap_args{clientkey} = $key; - } + $ldap_args{clientcert} = $config->{cert} if $config->{cert}; + $ldap_args{clientkey} = $config->{certkey} if $config->{certkey}; if (defined(my $capath = $config->{capath})) { if (-d $capath) { $ldap_args{capath} = $capath; @@ -114,43 +110,23 @@ my $authenticate_user_ldap = sub { $ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2'; } - my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n"; + my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args); + + my $bind_dn; + my $bind_pass; - if (my $bind_dn = $config->{bind_dn}) { - my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw"); + if ($config->{bind_dn}) { + $bind_dn = $config->{bind_dn}; + $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw"); die "missing password for realm $realm\n" if !defined($bind_pass); - my $res = $ldap->bind($bind_dn, password => $bind_pass); - my $code = $res->code(); - my $err = $res->error; - die "failed to authenticate to ldap service: $err\n" if ($code); } - my $search = $config->{user_attr} . "=" . $username; - my $result = $ldap->search( base => "$config->{base_dn}", - scope => "sub", - filter => "$search", - attrs => ['dn'] - ); - die "no entries returned\n" if !$result->entries; - my @entries = $result->entries; - my $res = $ldap->bind($entries[0]->dn, password => $password); - - my $code = $res->code(); - my $err = $res->error; + PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass); + my $user_dn = PVE::LDAP::get_user_dn($ldap, $username, $config->{user_attr}, $config->{base_dn}); + PVE::LDAP::auth_user_dn($ldap, $user_dn, $password); $ldap->unbind(); - - die "$err\n" if ($code); -}; - -sub authenticate_user { - my ($class, $config, $realm, $username, $password) = @_; - - eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); }; - my $err = $@; - return 1 if !$err; - die $err if !$config->{server2}; - &$authenticate_user_ldap($config, $config->{server2}, $username, $password, $realm); + return 1; } 1; -- 2.39.2