[pve-devel] r4951 - pve-access-control/trunk

svn-commits at proxmox.com svn-commits at proxmox.com
Tue Aug 10 08:23:53 CEST 2010


Author: dietmar
Date: 2010-08-10 06:23:52 +0000 (Tue, 10 Aug 2010)
New Revision: 4951

Modified:
   pve-access-control/trunk/AccessControl.pm
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/TODO
Log:
2010-08-09  Seth Lauzon <seth.lauzon at gmail.com>

	* AccessControl.pm (authenticate_user_ldap): changed the bind function
	for LDAP to allow for secure connection



Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm	2010-08-09 13:01:33 UTC (rev 4950)
+++ pve-access-control/trunk/AccessControl.pm	2010-08-10 06:23:52 UTC (rev 4951)
@@ -496,9 +496,11 @@
     my ($entry, $username, $password) = @_;
 
     my (undef, $user, $domain) = verify_username($username);
-    my $port = $entry->{port} ? $entry->{port} : 389;
-    my $ldap = Net::LDAP->new($entry->{server}, port=>$port) || die "$@\n";
-
+    my $default_port = ($entry->{type} eq 'ldap') ? 389 : 636;
+    my $port = $entry->{port} ? $entry->{port} : $default_port;
+    my $conn_string = $entry->{type} . "://" if ($entry->{type} ne 'ldap');
+    $conn_string .= $entry->{server} . ":" . $port;
+    my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
     my $search = $entry->{user_attr} . "=" . $user;
     my $result = $ldap->search( base    => "$entry->{base_dn}",
 				scope   => "sub",
@@ -558,9 +560,9 @@
 			    authenticate_user_shadow($username, $password);
 			} elsif ($entry->{type} eq 'PAM') {
 			    authenticate_user_pam($user, $password);
-			} elsif ($entry->{type} eq 'AD') {
+			} elsif ($entry->{type} eq 'ad') {
 			    authenticate_user_ad($entry->{server}, $username, $password);
-			} elsif ($entry->{type} eq 'LDAP') {
+			} elsif (($entry->{type} eq 'ldap') || ($entry->{type} eq 'ldaps')) {
 			    authenticate_user_ldap($entry, $username, $password);
 			} else {
 			    die "unknown auth type '$entry->{type}'\n";
@@ -1279,11 +1281,11 @@
 	    my $domains = $2;
 	    my $ignore = 0;
 
-	    if (($type ne "AD") && ($type ne "LDAP")) {
+	    if (($type ne "AD") && ($type ne "LDAP") && ($type ne "LDAPS")) {
 		$ignore = 1;
 		warn "ignoring domains '$domains' - (unsupported authentication type '$type')\n";
 	    } else {
-		$ad = { type => $type, domains => [] };
+		$ad = { type => lc($type), domains => [] };
 
 		foreach my $domain (split_list($domains)) {
 		    if (!parse_domain_name ($domain, 1)) {
@@ -1301,7 +1303,7 @@
 		next if $ignore; # skip
 
 		if ($line =~ m/^\s+(\S+)(\s+(.*\S))?\s*$/) {
-		    my ($k, $v) = ($1, $3);
+		    my ($k, $v) = (lc($1), $3);
 		    if ($valid_attributes->{$k}) {
 			if ($v =~ m/^$valid_attributes->{$k}$/) {
 			    if (!defined($ad->{$k})) {
@@ -1321,9 +1323,9 @@
 	    }
 	    if (!$ad->{server}) {
 		warn "ignoring domain '$domains' - missing server attribute\n";
-	    } elsif (($ad->{type} eq "LDAP") && (!$ad->{user_attr})) {
+	    } elsif ((($ad->{type} eq "ldap") || ($ad->{type} eq "ldap")) && (!$ad->{user_attr})) {
 		warn "ignoring domain '$domains' - missing user attribute\n";
-	    } elsif (($ad->{type} eq "LDAP") && (!$ad->{base_dn})) {
+	    } elsif ((($ad->{type} eq "ldap") || ($ad->{type} eq "ldap")) && (!$ad->{base_dn})) {
 		warn "ignoring domain '$domains' - missing base_dn attribute\n";
 	    } else {
 	    push(@$connlist, $ad) if !$ignore;

Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2010-08-09 13:01:33 UTC (rev 4950)
+++ pve-access-control/trunk/ChangeLog	2010-08-10 06:23:52 UTC (rev 4951)
@@ -1,3 +1,8 @@
+2010-08-09  Seth Lauzon <seth.lauzon at gmail.com>
+
+	* AccessControl.pm (authenticate_user_ldap): changed the bind function
+	for LDAP to allow for secure connection
+
 2010-07-21  Seth Lauzon <seth.lauzon at gmail.com>
 
 	* AccessControl.pm (parse_domains): require base_dn for LDAP domains

Modified: pve-access-control/trunk/TODO
===================================================================
--- pve-access-control/trunk/TODO	2010-08-09 13:01:33 UTC (rev 4950)
+++ pve-access-control/trunk/TODO	2010-08-10 06:23:52 UTC (rev 4951)
@@ -4,8 +4,6 @@
 Recycle Code: Implement delete functionality into modify subroutines. Look for creative
     ways to recycle code.
 
-Implement secure LDAP communications over SSL tunnel (i.e. LDAPS)
-
 Implement some INotify Class to track config file changes. We need
    something similar to PVE::Config (package pve-manager). I would
    prefer some generic class which can be used from all PVE packages




More information about the pve-devel mailing list