]> git.proxmox.com Git - pve-common.git/blob - src/PVE/LDAP.pm
projects / pve-common.git / blob
? search:


3294c51aacfd634e3dba01926db71ebf42c31410
[pve-common.git] / src / PVE / LDAP.pm
1 package PVE::LDAP;
2
3 use strict;
4 use warnings;
5
6 use Net::IP;
7 use Net::LDAP;
8 use Net::LDAP::Control::Paged;
9 use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED);
10
11 sub ldap_connect {
12 my ($servers, $scheme, $port, $opts) = @_;
13
14 my $start_tls = 0;
15
16 if ($scheme eq 'ldap+starttls') {
17 $scheme = 'ldap';
18 $start_tls = 1;
19 }
20
21 my %ldap_opts = (
22 scheme => $scheme,
23 port => $port,
24 timeout => 10,
25 onerror => 'die',
26 );
27
28 my $hosts = [];
29 for my $host (@$servers) {
30 if (Net::IP::ip_is_ipv6($host)) {
31 push @$hosts, "[$host]";
32 } else {
33 push @$hosts, $host;
34 }
35 }
36
37 for my $opt (qw(clientcert clientkey capath cafile sslversion verify)) {
38 $ldap_opts{$opt} = $opts->{$opt} if $opts->{$opt};
39 }
40
41 my $ldap = Net::LDAP->new($hosts, %ldap_opts) || die "$@\n";
42
43 if ($start_tls) {
44 $ldap->start_tls(%$opts);
45 }
46
47 return $ldap;
48 }
49
50 sub ldap_bind {
51 my ($ldap, $dn, $pw) = @_;
52
53 my $res;
54 if (defined($dn) && defined($pw)) {
55 $res = $ldap->bind($dn, password => $pw);
56 } else { # anonymous bind
57 $res = $ldap->bind();
58 }
59
60 my $code = $res->code;
61 my $err = $res->error;
62
63 die "ldap bind failed: $err\n" if $code;
64 }
65
66 sub get_user_dn {
67 my ($ldap, $name, $attr, $base_dn) = @_;
68
69 # search for dn
70 my $result = $ldap->search(
71 base => $base_dn // "",
72 scope => "sub",
73 filter => "$attr=$name",
74 attrs => ['dn']
75 );
76 return undef if !$result->entries;
77 my @entries = $result->entries;
78 return $entries[0]->dn;
79 }
80
81 sub auth_user_dn {
82 my ($ldap, $dn, $pw, $noerr) = @_;
83 my $res = $ldap->bind($dn, password => $pw);
84
85 my $code = $res->code;
86 my $err = $res->error;
87
88 if ($code) {
89 return undef if $noerr;
90 die $err;
91 }
92
93 return 1;
94 }
95
96 sub query_users {
97 my ($ldap, $filter, $attributes, $base_dn) = @_;
98
99 # build filter from given filter and attribute list
100 my $tmp = "(|";
101 foreach my $att (@$attributes) {
102 $tmp .= "($att=*)";
103 }
104 $tmp .= ")";
105
106 if ($filter) {
107 $filter = "($filter)" if $filter !~ m/^\(.*\)$/;
108 $filter = "(&${filter}${tmp})"
109 } else {
110 $filter = $tmp;
111 }
112
113 my $page = Net::LDAP::Control::Paged->new(size => 900);
114
115 my @args = (
116 base => $base_dn // "",
117 scope => "subtree",
118 filter => $filter,
119 control => [ $page ],
120 attrs => [ @$attributes, 'memberOf'],
121 );
122
123 my $cookie;
124 my $err;
125 my $users = [];
126
127 while(1) {
128
129 my $mesg = $ldap->search(@args);
130
131 # stop on error
132 if ($mesg->code) {
133 $err = "ldap user search error: " . $mesg->error;
134 last;
135 }
136
137 #foreach my $entry ($mesg->entries) { $entry->dump; }
138 foreach my $entry ($mesg->entries) {
139 my $user = {
140 dn => $entry->dn,
141 attributes => {},
142 groups => [$entry->get_value('memberOf')],
143 };
144
145 foreach my $attr (@$attributes) {
146 my $vals = [$entry->get_value($attr)];
147 if (scalar(@$vals)) {
148 $user->{attributes}->{$attr} = $vals;
149 }
150 }
151
152 push @$users, $user;
153 }
154
155 # Get cookie from paged control
156 my ($resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
157 $cookie = $resp->cookie;
158
159 last if (!defined($cookie) || !length($cookie));
160
161 # Set cookie in paged control
162 $page->cookie($cookie);
163 }
164
165 if (defined($cookie) && length($cookie)) {
166 # We had an abnormal exit, so let the server know we do not want any more
167 $page->cookie($cookie);
168 $page->size(0);
169 $ldap->search(@args);
170 $err = "LDAP user query unsuccessful" if !$err;
171 }
172
173 die $err if $err;
174
175 return $users;
176 }
177
178 sub query_groups {
179 my ($ldap, $base_dn, $classes, $filter, $group_name_attr) = @_;
180
181 my $tmp = "(|";
182 for my $class (@$classes) {
183 $tmp .= "(objectclass=$class)";
184 }
185 $tmp .= ")";
186
187 if ($filter) {
188 $filter = "($filter)" if $filter !~ m/^\(.*\)$/;
189 $filter = "(&${filter}${tmp})"
190 } else {
191 $filter = $tmp;
192 }
193
194 my $page = Net::LDAP::Control::Paged->new(size => 100);
195
196 my $attrs = [ 'member', 'uniqueMember' ];
197 push @$attrs, $group_name_attr if $group_name_attr;
198 my @args = (
199 base => $base_dn,
200 scope => "subtree",
201 filter => $filter,
202 control => [ $page ],
203 attrs => $attrs,
204 );
205
206 my $cookie;
207 my $err;
208 my $groups = [];
209
210 while(1) {
211
212 my $mesg = $ldap->search(@args);
213
214 # stop on error
215 if ($mesg->code) {
216 $err = "ldap group search error: " . $mesg->error;
217 last;
218 }
219
220 foreach my $entry ( $mesg->entries ) {
221 my $group = {
222 dn => $entry->dn,
223 members => []
224 };
225 my $members = [$entry->get_value('member')];
226 if (!scalar(@$members)) {
227 $members = [$entry->get_value('uniqueMember')];
228 }
229 $group->{members} = $members;
230 if ($group_name_attr && (my $name = $entry->get_value($group_name_attr))) {
231 $group->{name} = $name;
232 }
233 push @$groups, $group;
234 }
235
236 # Get cookie from paged control
237 my ($resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
238 $cookie = $resp->cookie;
239
240 last if (!defined($cookie) || !length($cookie));
241
242 # Set cookie in paged control
243 $page->cookie($cookie);
244 }
245
246 if ($cookie) {
247 # We had an abnormal exit, so let the server know we do not want any more
248 $page->cookie($cookie);
249 $page->size(0);
250 $ldap->search(@args);
251 $err = "LDAP group query unsuccessful" if !$err;
252 }
253
254 die $err if $err;
255
256 return $groups;
257 }
258
259 1;
Common code