proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-06-15 19:04:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Close #833: ldap: non-anonymous bind support

Browse Source 
The password will be read from /etc/pve/priv/ldap/$realm.pw
This commit is contained in:
Wolfgang Bumiller 2016-07-25 15:56:03 +02:00 committed by Dietmar Maurer
parent 03e2a71e3d
commit b5040b42f1
1 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
PVE/Auth/LDAP.pm
View File

@ -3,6 +3,7 @@ package PVE::Auth::LDAP;
use strict; use strict;
use warnings; use warnings;
use PVE::Tools;
use PVE::Auth::Plugin; use PVE::Auth::Plugin;
use Net::LDAP; use Net::LDAP;
use Net::IP; use Net::IP;
@ -28,6 +29,13 @@ sub properties {
optional => 1, optional => 1,
maxLength => 256, maxLength => 256,
}, },
bind_dn => {
description => "LDAP bind domain name",
type => 'string',
pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
optional => 1,
maxLength => 256,
},
}; };
} }
@ -36,6 +44,7 @@ sub options {
server1 => {}, server1 => {},
server2 => { optional => 1 }, server2 => { optional => 1 },
base_dn => {}, base_dn => {},
bind_dn => { optional => 1 },
user_attr => {}, user_attr => {},
port => { optional => 1 }, port => { optional => 1 },
secure => { optional => 1 }, secure => { optional => 1 },
@ -46,7 +55,7 @@ sub options {
} }
my $authenticate_user_ldap = sub { my $authenticate_user_ldap = sub {
my ($config, $server, $username, $password) = @_; my ($config, $server, $username, $password, $realm) = @_;
my $default_port = $config->{secure} ? 636: 389; my $default_port = $config->{secure} ? 636: 389;
my $port = $config->{port} ? $config->{port} : $default_port; my $port = $config->{port} ? $config->{port} : $default_port;
@ -55,6 +64,16 @@ my $authenticate_user_ldap = sub {
my $conn_string = "$scheme://${server}:$port"; my $conn_string = "$scheme://${server}:$port";
my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n"; my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
if (my $bind_dn = $config->{bind_dn}) {
my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
die "missing password for realm $realm\n" if !defined($bind_pass);
my $res = $ldap->bind($bind_dn, password => $bind_pass);
my $code = $res->code();
my $err = $res->error;
die "failed to authenticate to ldap service: $err\n" if ($code);
}
my $search = $config->{user_attr} . "=" . $username; my $search = $config->{user_attr} . "=" . $username;
my $result = $ldap->search( base => "$config->{base_dn}", my $result = $ldap->search( base => "$config->{base_dn}",
scope => "sub", scope => "sub",
@ -76,7 +95,7 @@ my $authenticate_user_ldap = sub {
sub authenticate_user { sub authenticate_user {
my ($class, $config, $realm, $username, $password) = @_; my ($class, $config, $realm, $username, $password) = @_;
eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); }; eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); };
my $err = $@; my $err = $@;
return 1 if !$err; return 1 if !$err;
die $err if !$config->{server2}; die $err if !$config->{server2};