proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-08-05 02:31:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

LDAP: skip anonymous bind when clientcert/key is given

Browse Source 
It seems that servers associate the client-cert/key with an account, so
doing an explicit anonymous bind then 'logs out' the already verified
user, limiting the search results in some cases

before refactoring to PVE::LDAP, we did not do '$ldap->bind' at all when
there was no bind_dn, but it is not really clear if Net::LDAP does this
automatically when searching (other libraries do this), so leave the
anonymous bind (for compatibility with PMG) but skip it when a client
certificate and key is given.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
Dominik Csapak 2020-05-08 13:16:58 +02:00 committed by Thomas Lamprecht
parent eeabad5a13
commit de8c5e6ceb
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
PVE/Auth/LDAP.pm
View File

@ -203,17 +203,17 @@ sub connect_and_bind {
my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args);
my $bind_dn;
my $bind_pass;
if ($config->{bind_dn}) {
$bind_dn = $config->{bind_dn};
$bind_pass = ldap_get_credentials($realm);
my $bind_dn = $config->{bind_dn};
my $bind_pass = ldap_get_credentials($realm);
die "missing password for realm $realm\n" if !defined($bind_pass);
PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
} elsif ($config->{cert} && $config->{certkey}) {
warn "skipping anonymous bind with clientcert\n";
} else {
PVE::LDAP::ldap_bind($ldap);
}
PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
if (!$config->{base_dn}) {
my $root = $ldap->root_dse(attrs => [ 'defaultNamingContext' ]);
$config->{base_dn} = $root->get_value('defaultNamingContext');