auth ldap/ad: introduce connection 'mode'

Instead of having only a 'secure' flag which switches between
ldap/ldaps, we now have a 'mode' option which additionally offers 'ldap+starttls'.

our connection code in PVE::LDAP can handle this already (used in pmg)
so that is no problem

if we want to really remove the 'secure' flag, e.g. in 7.0
we'd either have to rewrite the config or have it as an error
in a pve6to7 script

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak 2020-04-23 08:47:18 +02:00 committed by Thomas Lamprecht
parent 055c54b5a2
commit 72a9742b94
2 changed files with 25 additions and 9 deletions


@ -27,7 +27,7 @@ sub properties {
maxLength => 256, maxLength => 256,
}, },
secure => { secure => {
description => "Use secure LDAPS protocol.", description => "Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.",
type => 'boolean', type => 'boolean',
optional => 1, optional => 1,
}, },
@ -93,6 +93,7 @@ sub options {
group_filter => { optional => 1 }, group_filter => { optional => 1 },
group_classes => { optional => 1 }, group_classes => { optional => 1 },
'sync-defaults-options' => { optional => 1 }, 'sync-defaults-options' => { optional => 1 },
mode => { optional => 1 },
}; };
} }
@ -110,9 +111,7 @@ sub authenticate_user {
my $servers = [$config->{server1}]; my $servers = [$config->{server1}];
push @$servers, $config->{server2} if $config->{server2}; push @$servers, $config->{server2} if $config->{server2};
my $default_port = $config->{secure} ? 636: 389; my ($scheme, $port) = $class->get_scheme_and_port($config);
my $port = $config->{port} // $default_port;
my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
my %ad_args; my %ad_args;
if ($config->{verify}) { if ($config->{verify}) {
@ -130,7 +129,7 @@ sub authenticate_user {
$ad_args{verify} = 'none'; $ad_args{verify} = 'none';
} }
if ($config->{secure}) { if ($scheme ne 'ldap') {
$ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2'; $ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2';
} }
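Review bot: The new `if ($scheme ne 'ldap')` guard in the last hunk depends on `$scheme` coming from `get_scheme_and_port`, which is defined in the LDAP plugin further down and presumably inherited here; there an explicit `mode` takes precedence over the legacy flag (`$config->{mode} // ($config->{secure} ? 'ldaps' : 'ldap')`), so a realm that still carries `secure 1` and later receives `mode ldap` silently ends up on cleartext LDAP. The deprecation text added in the first hunk does not tell the admin that, so I would make it explicit: `description => "Use secure LDAPS protocol. DEPRECATED: use 'mode' instead, which takes precedence over this flag when both are set.",`. authenticate_user starts before the third hunk and continues after the last one.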


@ -122,6 +122,13 @@ sub properties {
format => 'realm-sync-options', format => 'realm-sync-options',
optional => 1, optional => 1,
}, },
mode => {
description => "LDAP protocol mode.",
type => 'string',
enum => [ 'ldap', 'ldaps', 'ldap+starttls'],
optional => 1,
default => 'ldap',
},
}; };
} }
@ -151,18 +158,28 @@ sub options {
group_filter => { optional => 1 }, group_filter => { optional => 1 },
group_classes => { optional => 1 }, group_classes => { optional => 1 },
'sync-defaults-options' => { optional => 1 }, 'sync-defaults-options' => { optional => 1 },
mode => { optional => 1 },
}; };
} }
sub get_scheme_and_port {
my ($class, $config) = @_;
my $scheme = $config->{mode} // ($config->{secure} ? 'ldaps' : 'ldap');
my $default_port = $scheme eq 'ldaps' ? 636 : 389;
my $port = $config->{port} // $default_port;
return ($scheme, $port);
}
sub connect_and_bind { sub connect_and_bind {
my ($class, $config, $realm) = @_; my ($class, $config, $realm) = @_;
my $servers = [$config->{server1}]; my $servers = [$config->{server1}];
push @$servers, $config->{server2} if $config->{server2}; push @$servers, $config->{server2} if $config->{server2};
my $default_port = $config->{secure} ? 636: 389; my ($scheme, $port) = $class->get_scheme_and_port($config);
my $port = $config->{port} // $default_port;
my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
my %ldap_args; my %ldap_args;
if ($config->{verify}) { if ($config->{verify}) {
@ -180,7 +197,7 @@ sub connect_and_bind {
$ldap_args{verify} = 'none'; $ldap_args{verify} = 'none';
} }
if ($config->{secure}) { if ($scheme ne 'ldap') {
$ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2'; $ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
} }
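Review bot: `get_scheme_and_port` lets `mode` override `secure` via `//` without any check, so the combination `secure 1` plus `mode ldap` produces a cleartext bind with no error, which is a downgrade path for a realm that was previously TLS-only; I would refuse the contradictory pair before the return, e.g. `die "'secure' is set but 'mode' is 'ldap'\n" if $config->{secure} && ($config->{mode} // '') eq 'ldap';`. For `ldap+starttls` the 389 default port is correct, but whether a failed STARTTLS negotiation aborts the connection rather than continuing in the clear is decided in PVE::LDAP, outside this diff, and is worth confirming since the commit relies on it. Note also that the existing `verify => 'none'` fallback now applies to STARTTLS as well, so without `verify 1` the upgraded channel is unauthenticated, same as with ldaps today. connect_and_bind continues past the last hunk.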