proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-10-04 22:29:06 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

use PVE::LDAP module instead of useing Net::LDAP directly

Browse Source 
for things like connecting/binding/etc.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
Dominik Csapak 2020-03-06 11:05:37 +01:00 committed by Thomas Lamprecht
parent deb63acf3f
commit d9e93d2eca
2 changed files with 32 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
PVE/Auth/AD.pm
View File

@ -3,8 +3,7 @@ package PVE::Auth::AD;
use strict; use strict;
use warnings; use warnings;
use PVE::Auth::Plugin; use PVE::Auth::Plugin;
use Net::LDAP; use PVE::LDAP;
use Net::IP;
use base qw(PVE::Auth::Plugin); use base qw(PVE::Auth::Plugin);
@ -31,7 +30,6 @@ sub properties {
description => "Use secure LDAPS protocol.", description => "Use secure LDAPS protocol.",
type => 'boolean', type => 'boolean',
optional => 1, optional => 1,
}, },
sslversion => { sslversion => {
description => "LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!", description => "LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!",
@ -86,24 +84,21 @@ sub options {
}; };
} }
my $authenticate_user_ad = sub { sub authenticate_user {
my ($config, $server, $username, $password) = @_; my ($class, $config, $realm, $username, $password) = @_;
my $servers = [$config->{server1}];
push @$servers, $config->{server2} if $config->{server2};
my $default_port = $config->{secure} ? 636: 389; my $default_port = $config->{secure} ? 636: 389;
my $port = $config->{port} ? $config->{port} : $default_port; my $port = $config->{port} // $default_port;
my $scheme = $config->{secure} ? 'ldaps' : 'ldap'; my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
$server = "[$server]" if Net::IP::ip_is_ipv6($server);
my $conn_string = "$scheme://${server}:$port";
my %ad_args; my %ad_args;
if ($config->{verify}) { if ($config->{verify}) {
$ad_args{verify} = 'require'; $ad_args{verify} = 'require';
if (defined(my $cert = $config->{cert})) { $ad_args{clientcert} = $config->{cert} if $config->{cert};
$ad_args{clientcert} = $cert; $ad_args{clientkey} = $config->{certkey} if $config->{certkey};
}
if (defined(my $key = $config->{certkey})) {
$ad_args{clientkey} = $key;
}
if (defined(my $capath = $config->{capath})) { if (defined(my $capath = $config->{capath})) {
if (-d $capath) { if (-d $capath) {
$ad_args{capath} = $capath; $ad_args{capath} = $capath;
@ -116,32 +111,17 @@ my $authenticate_user_ad = sub {
} }
if ($config->{secure}) { if ($config->{secure}) {
$ad_args{sslversion} = $config->{sslversion} || 'tlsv1_2'; $ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2';
} }
my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n"; my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ad_args);
$username = "$username\@$config->{domain}" $username = "$username\@$config->{domain}"
if $username !~ m/@/ && $config->{domain}; if $username !~ m/@/ && $config->{domain};
my $res = $ldap->bind($username, password => $password); PVE::LDAP::auth_user_dn($ldap, $username, $password);
my $code = $res->code();
my $err = $res->error;
$ldap->unbind(); $ldap->unbind();
die "$err\n" if ($code);
};
sub authenticate_user {
my ($class, $config, $realm, $username, $password) = @_;
eval { &$authenticate_user_ad($config, $config->{server1}, $username, $password); };
my $err = $@;
return 1 if !$err;
die $err if !$config->{server2};
&$authenticate_user_ad($config, $config->{server2}, $username, $password);
return 1; return 1;
} }

64
PVE/Auth/LDAP.pm
View File

@ -5,8 +5,7 @@ use warnings;
use PVE::Tools; use PVE::Tools;
use PVE::Auth::Plugin; use PVE::Auth::Plugin;
use Net::LDAP; use PVE::LDAP;
use Net::IP;
use base qw(PVE::Auth::Plugin); use base qw(PVE::Auth::Plugin);
sub type { sub type {
@ -81,24 +80,21 @@ sub options {
}; };
} }
my $authenticate_user_ldap = sub { sub authenticate_user {
my ($config, $server, $username, $password, $realm) = @_; my ($class, $config, $realm, $username, $password) = @_;
my $servers = [$config->{server1}];
push @$servers, $config->{server2} if $config->{server2};
my $default_port = $config->{secure} ? 636: 389; my $default_port = $config->{secure} ? 636: 389;
my $port = $config->{port} ? $config->{port} : $default_port; my $port = $config->{port} // $default_port;
my $scheme = $config->{secure} ? 'ldaps' : 'ldap'; my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
$server = "[$server]" if Net::IP::ip_is_ipv6($server);
my $conn_string = "$scheme://${server}:$port";
my %ldap_args; my %ldap_args;
if ($config->{verify}) { if ($config->{verify}) {
$ldap_args{verify} = 'require'; $ldap_args{verify} = 'require';
if (defined(my $cert = $config->{cert})) { $ldap_args{clientcert} = $config->{cert} if $config->{cert};
$ldap_args{clientcert} = $cert; $ldap_args{clientkey} = $config->{certkey} if $config->{certkey};
}
if (defined(my $key = $config->{certkey})) {
$ldap_args{clientkey} = $key;
}
if (defined(my $capath = $config->{capath})) { if (defined(my $capath = $config->{capath})) {
if (-d $capath) { if (-d $capath) {
$ldap_args{capath} = $capath; $ldap_args{capath} = $capath;
@ -114,43 +110,23 @@ my $authenticate_user_ldap = sub {
$ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2'; $ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
} }
my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n"; my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args);
if (my $bind_dn = $config->{bind_dn}) { my $bind_dn;
my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw"); my $bind_pass;
if ($config->{bind_dn}) {
$bind_dn = $config->{bind_dn};
$bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
die "missing password for realm $realm\n" if !defined($bind_pass); die "missing password for realm $realm\n" if !defined($bind_pass);
my $res = $ldap->bind($bind_dn, password => $bind_pass);
my $code = $res->code();
my $err = $res->error;
die "failed to authenticate to ldap service: $err\n" if ($code);
} }
my $search = $config->{user_attr} . "=" . $username; PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
my $result = $ldap->search( base => "$config->{base_dn}", my $user_dn = PVE::LDAP::get_user_dn($ldap, $username, $config->{user_attr}, $config->{base_dn});
scope => "sub", PVE::LDAP::auth_user_dn($ldap, $user_dn, $password);
filter => "$search",
attrs => ['dn']
);
die "no entries returned\n" if !$result->entries;
my @entries = $result->entries;
my $res = $ldap->bind($entries[0]->dn, password => $password);
my $code = $res->code();
my $err = $res->error;
$ldap->unbind(); $ldap->unbind();
return 1;
die "$err\n" if ($code);
};
sub authenticate_user {
my ($class, $config, $realm, $username, $password) = @_;
eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); };
my $err = $@;
return 1 if !$err;
die $err if !$config->{server2};
&$authenticate_user_ldap($config, $config->{server2}, $username, $password, $realm);
} }
1; 1;