proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-06-14 23:08:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ldap: server and client certificate support

Browse Source 
This adds 4 more options to the ldap authentication method:

verify: boolean
  If enabled, the server certificate must be valid

capath: path to a file or directory
  The CA to use to verify the server certificate. Used only
  if 'verify' is true.

cert: path to a certificate
  Used as client certificate when connecting to a server,
  provided 'secure' is true. Requires 'certkey' to be set.

certkey: path to the certificate's key
  Required only used when 'cert' is used.
This commit is contained in:
Wolfgang Bumiller 2017-08-08 11:10:13 +02:00
parent 63134bd436
commit e03c2aef17
1 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
PVE/Auth/LDAP.pm
View File

@ -36,6 +36,28 @@ sub properties {
optional => 1,
maxLength => 256,
},
verify => {
description => "Verify the server's SSL certificate",
type => 'boolean',
optional => 1,
default => 0,
},
capath => {
description => "Path to the CA certificate store",
type => 'string',
optional => 1,
default => '/etc/ssl/certs',
},
cert => {
description => "Path to the client certificate",
type => 'string',
optional => 1,
},
certkey => {
description => "Path to the client certificate key",
type => 'string',
optional => 1,
},
};
}
@ -51,6 +73,10 @@ sub options {
default => { optional => 1 },
comment => { optional => 1 },
tfa => { optional => 1 },
verify => { optional => 1 },
capath => { optional => 1 },
cert => { optional => 1 },
certkey => { optional => 1 },
};
}
@ -63,7 +89,27 @@ my $authenticate_user_ldap = sub {
$server = "[$server]" if Net::IP::ip_is_ipv6($server);
my $conn_string = "$scheme://${server}:$port";
my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
my %ldap_args;
if ($config->{verify}) {
$ldap_args{verify} = 'require';
if (defined(my $cert = $config->{cert})) {
$ldap_args{clientcert} = $cert;
}
if (defined(my $key = $config->{certkey})) {
$ldap_args{clientkey} = $key;
}
if (defined(my $capath = $config->{capath})) {
if (-d $capath) {
$ldap_args{capath} = $capath;
} else {
$ldap_args{cafile} = $capath;
}
}
} else {
$ldap_args{verify} = 'none';
}
my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n";
if (my $bind_dn = $config->{bind_dn}) {
my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");