[pve-devel] r4905 - pve-access-control/trunk

svn-commits at proxmox.com svn-commits at proxmox.com
Fri Jul 16 08:09:56 CEST 2010 

Author: dietmar
Date: 2010-07-16 06:09:56 +0000 (Fri, 16 Jul 2010)
New Revision: 4905

Modified:
   pve-access-control/trunk/AccessControl.pm
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/TODO
Log:
	* AccessControl.pm: implemented LDAP authentication


Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm	2010-07-16 06:00:01 UTC (rev 4904)
+++ pve-access-control/trunk/AccessControl.pm	2010-07-16 06:09:56 UTC (rev 4905)
@@ -491,9 +491,33 @@
 
     $ldap->unbind();
 
-    die "$err\n" if $code;
+    if ($code) {
+	sleep(4);
+	die "$err\n";
+    }
 }
 
+sub authenticate_user_ldap {
+
+    my ($entry, $username, $password) = @_;
+    my (undef, $user, $domain) = verify_username($username);
+
+    my $ldap = Net::LDAP->new($entry->{server}) || die "$@\n";
+
+    my $domain_dn = join ',', map "dc=$_", split /\./, $domain;
+    my $res = $ldap->bind("uid=$user,$entry->{ou},$domain_dn", password => $password);
+
+    my $code = $res->code();
+    my $err = $res->error;
+
+    $ldap->unbind();
+
+    if ($code) {
+	sleep(4);
+	die "$err\n";
+    }
+}
+
 sub authenticate_user_domain {
 
     my ($username, $password) = @_;
@@ -536,6 +560,8 @@
 			    authenticate_user_pam($user, $password);
 			} elsif ($entry->{type} eq 'AD') {
 			    authenticate_user_ad($entry->{server}, $username, $password);
+			} elsif ($entry->{type} eq 'LDAP') {
+			    authenticate_user_ldap($entry, $username, $password);
 			} else {
 			    die "unknown auth type '$entry->{type}'\n";
 			}
@@ -927,6 +953,7 @@
 
 my $valid_params = {
     server => '\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b',
+    ou => 'ou=\w+(,\s*ou=[\w\s]+)*',
 };
 
 sub modify_role {

Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2010-07-16 06:00:01 UTC (rev 4904)
+++ pve-access-control/trunk/ChangeLog	2010-07-16 06:09:56 UTC (rev 4905)
@@ -3,6 +3,11 @@
 	* AccessControl.pm (parse_domains): borrowed code from Storage.pm to make it
 	less fragile to syntax errors in the domains.cfg file
 
+	* AccessControl.pm: implemented LDAP authentication
+
+	* AccessControl.pm: added four second timeout on authentication failure for
+	user_authentication_ldap and user_authentication_ad
+
 2010-07-14  Proxmox Support Team  <support at proxmox.com>
 
 	* AccessControl.pm (ldap_bind): rename to authenticate_user_ad (AD

Modified: pve-access-control/trunk/TODO
===================================================================
--- pve-access-control/trunk/TODO	2010-07-16 06:00:01 UTC (rev 4904)
+++ pve-access-control/trunk/TODO	2010-07-16 06:09:56 UTC (rev 4905)
@@ -4,8 +4,6 @@
 Recycle Code: Implement delete functionality into modify subroutines. Look for creative
     ways to recycle code.
 
-Implement LDAP Authentication using /etc/pve/auth.cfg for server information. See README.
-
 Implement some INotify Class to track config file changes. We need
    something similar to PVE::Config (package pve-manager). I would
    prefer some generic class which can be used from all PVE packages

More information about the pve-devel mailing list