From de8c5e6cebeeda13ced4c23bd108040c3c68438d Mon Sep 17 00:00:00 2001
From: Dominik Csapak
Date: Fri, 8 May 2020 13:16:58 +0200
Subject: [PATCH] LDAP: skip anonymous bind when clientcert/key is given
It seems that servers associate the client-cert/key with an account, so doing an explicit anonymous bind then 'logs out' the already verified user, limiting the search results in some cases before refactoring to PVE::LDAP, we did not do '$ldap->bind' at all when there was no bind_dn, but it is not really clear if Net::LDAP does this automatically when searching (other libraries do this), so leave the anonymous bind (for compatibility with PMG) but skip it when a client certificate and key is given.
Signed-off-by: Dominik Csapak
---
 PVE/Auth/LDAP.pm | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index 9fa9095..09b2202 100755
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -203,17 +203,17 @@ sub connect_and_bind {
 my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args);
- my $bind_dn;
- my $bind_pass;
-
 if ($config->{bind_dn}) {
- $bind_dn = $config->{bind_dn};
- $bind_pass = ldap_get_credentials($realm);
+ my $bind_dn = $config->{bind_dn};
+ my $bind_pass = ldap_get_credentials($realm);
 die "missing password for realm $realm\n" if !defined($bind_pass);
+ PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
+ } elsif ($config->{cert} && $config->{certkey}) {
+ warn "skipping anonymous bind with clientcert\n";
+ } else {
+ PVE::LDAP::ldap_bind($ldap);
 }
- PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
-
 if (!$config->{base_dn}) {
 my $root = $ldap->root_dse(attrs => [ 'defaultNamingContext' ]);
 $config->{base_dn} = $root->get_value('defaultNamingContext');
--
2.39.2
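Review bot: The new `elsif ($config->{cert} && $config->{certkey})` branch skips the bind without ever confirming that the server actually authenticated the client certificate, so if a server does not map the certificate to an identity the following `root_dse` and search operations simply run as an anonymous client and nothing is raised; an explicit SASL EXTERNAL bind (Net::LDAP's `bind(sasl => Authen::SASL->new(mechanism => 'EXTERNAL'))`) would give a result that can be checked — worth verifying against the servers this was tested with. The branch also keys only on the presence of cert and key rather than on the connection being TLS (the `%ldap_args`/scheme handling is outside the hunk), so a plain-`ldap` realm that happens to have a certificate configured would skip the bind as well. The `warn` fires on every connect and reads as noise in the logs; a comment such as `# the client cert already authenticates this connection; an explicit anonymous bind would discard that identity` carries the rationale from the commit message without it. connect_and_bind begins and ends outside the hunk.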