[pve-devel] r5581 - in pve-access-control/trunk: . PVE PVE/API2
svn-commits at proxmox.com
svn-commits at proxmox.com
Tue Feb 22 11:01:32 CET 2011
Author: dietmar
Date: 2011-02-22 11:01:32 +0100 (Tue, 22 Feb 2011)
New Revision: 5581
Modified:
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/PVE/API2/Domains.pm
pve-access-control/trunk/PVE/AccessControl.pm
Log:
(valid_attributes): add 'domain, port, secure' attributes for AD.
(parse_domains): add attribute 'secure' (replace LDAPS type),
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2011-02-22 07:43:01 UTC (rev 5580)
+++ pve-access-control/trunk/ChangeLog 2011-02-22 10:01:32 UTC (rev 5581)
@@ -2,6 +2,8 @@
* PVE/AccessControl.pm: realm is now part of the username.
Example: 'userid at realm'
+ (valid_attributes): add 'domain, port, secure' attributes for AD.
+ (parse_domains): add attribute 'secure' (replace LDAPS type),
* PVE/AccessControl.pm (parse_user_config): add firstname/lastname
and email fields.
Modified: pve-access-control/trunk/PVE/API2/Domains.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/Domains.pm 2011-02-22 07:43:01 UTC (rev 5580)
+++ pve-access-control/trunk/PVE/API2/Domains.pm 2011-02-22 10:01:32 UTC (rev 5581)
@@ -16,7 +16,6 @@
use base qw(PVE::RESTHandler);
-# fixme: index should return more/all attributes?
__PACKAGE__->register_method ({
name => 'index',
path => '',
@@ -32,6 +31,7 @@
type => "object",
properties => {
id => { type => 'string' },
+ comment => { type => 'string', optional => 1 },
},
},
links => [ { rel => 'child', href => "{id}" } ],
@@ -77,22 +77,32 @@
type => 'string',
optional => 1,
},
+ secure => {
+ description => "Use secure LDAPS protocol.",
+ type => 'boolean',
+ optional => 1,
+ },
comment => {
type => 'string',
optional => 1,
},
port => {
- description => "LDAP Server port",
+ description => "Server port",
type => 'integer',
minimum => 1,
maximum => 65535,
optional => 1,
},
- basedn => {
+ base_dn => {
description => "LDAP base domain name",
type => 'string',
optional => 1,
},
+ user_attr => {
+ description => "LDAP user attribute name",
+ type => 'string',
+ optional => 1,
+ },
},
},
returns => { type => 'null' },
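Review bot: The `secure`, `port`, `base_dn` and `user_attr` property definitions added here are repeated verbatim in the PUT handler's parameter hash (the hunk at `@@ -147,22 +157,32 @@`), so the two schemas can drift apart on the next change; a shared hash such as `my $realm_properties = { ... }` spread into both `properties` maps would avoid that. The retained `description => "LDAP base domain name"` for `base_dn` is misleading, since a base DN is a distinguished name, not a domain name; `description => "LDAP base distinguished name"` would be accurate. The enclosing `register_method` call starts and ends outside this hunk.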
@@ -112,13 +122,13 @@
die "unable to use reserved name '$realm'\n"
if ($realm eq 'pam' || $realm eq 'pve');
- $cfg->{$realm} = {
- type => $param->{type},
- server1 => $param->{server1},
- };
+ if (defined($param->{secure})) {
+ $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
+ }
- foreach my $p (qw(server2 port basedn)) {
- $cfg->{$realm}->{$p} = $param->{$p} if $param->{$p};
+ foreach my $p (keys %$param) {
+ next if $p eq 'realm';
+ $cfg->{$realm}->{$p} = $param->{$p};
}
cfs_write_file($domainconfigfile, $cfg);
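Review bot: The normalisation of `secure` at the top of this hunk is dead code: the `foreach my $p (keys %$param)` loop that follows copies `$param->{secure}` again, so the raw parameter value overwrites the `? 1 : 0` result before the config is written. Either move the normalisation after the loop or skip the key in it, `next if $p eq 'realm' || $p eq 'secure';`. The PUT handler hunk at `@@ -183,6 +203,10 @@` has the same ordering and needs the same fix. Unlike the replaced `qw(server2 port basedn)` list, the loop also copies every schema-accepted key regardless of realm type, so e.g. `base_dn` supplied for an `ad` realm lands in the config; whether the parser rejects that depends on code outside this hunk.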
@@ -132,7 +142,7 @@
protected => 1,
path => '{realm}',
method => 'PUT',
- description => "Add an authentication server.",
+ description => "Update authentication server settings.",
parameters => {
additionalProperties => 0,
properties => {
@@ -147,22 +157,32 @@
type => 'string',
optional => 1,
},
+ secure => {
+ description => "Use secure LDAPS protocol.",
+ type => 'boolean',
+ optional => 1,
+ },
comment => {
type => 'string',
optional => 1,
},
port => {
- description => "LDAP Server port",
+ description => "Server port",
type => 'integer',
minimum => 1,
maximum => 65535,
optional => 1,
},
- basedn => {
+ base_dn => {
description => "LDAP base domain name",
type => 'string',
optional => 1,
},
+ user_attr => {
+ description => "LDAP user attribute name",
+ type => 'string',
+ optional => 1,
+ },
},
},
returns => { type => 'null' },
@@ -183,6 +203,10 @@
die "domain '$realm' does not exist\n"
if !$cfg->{$realm};
+ if (defined($param->{secure})) {
+ $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
+ }
+
foreach my $p (keys %$param) {
$cfg->{$realm}->{$p} = $param->{$p};
}
Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm 2011-02-22 07:43:01 UTC (rev 5580)
+++ pve-access-control/trunk/PVE/AccessControl.pm 2011-02-22 10:01:32 UTC (rev 5581)
@@ -197,10 +197,18 @@
sub authenticate_user_ad {
- my ($server, $userid, $password) = @_;
+ my ($entry, $server, $userid, $password) = @_;
+
+ my $default_port = $entry->{secure} ? 636: 389;
+ my $port = $entry->{port} ? $entry->{port} : $default_port;
+ my $scheme = $entry->{secure} ? 'ldaps' : 'ldap';
+ my $conn_string = "$scheme://${server}:$port";
my $ldap = Net::LDAP->new($server) || die "$@\n";
+ $userid = "$userid\@$entry->{domain}"
+ if $userid !~ m/@/ && $entry->{domain};
+
my $res = $ldap->bind($userid, password => $password);
my $code = $res->code();
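Review bot: `$conn_string` is built from the new `secure` scheme and port but never used; the unchanged line `my $ldap = Net::LDAP->new($server) || die "$@\n";` still connects with the bare hostname, so an AD realm configured with `secure => 1` (or a custom `port`) binds over plaintext LDAP on 389 and the user's password leaves the host unencrypted. Change it to `my $ldap = Net::LDAP->new($conn_string) || die "$@\n";`. If the `verify => 'none'` option from the LDAP variant is copied here as well, add a comment that the server certificate is not validated. `authenticate_user_ad` continues past the end of this hunk.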
@@ -215,10 +223,11 @@
my ($entry, $server, $userid, $password) = @_;
- my $default_port = ($entry->{type} eq 'ldap') ? 389 : 636;
+ my $default_port = $entry->{secure} ? 636: 389;
my $port = $entry->{port} ? $entry->{port} : $default_port;
- my $conn_string = $entry->{type} . "://" if ($entry->{type} ne 'ldap');
- $conn_string .= $server . ":" . $port;
+ my $scheme = $entry->{secure} ? 'ldaps' : 'ldap';
+ my $conn_string = "$scheme://${server}:$port";
+
my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
my $search = $entry->{user_attr} . "=" . $userid;
my $result = $ldap->search( base => "$entry->{base_dn}",
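Review bot: `Net::LDAP->new($conn_string, verify => 'none')` disables certificate verification, so the `secure` option introduced in this commit protects against passive eavesdropping only; a realm relying on it is still exposed to server impersonation. Consider making verification configurable (`verify => 'require'` together with a `cafile`/`capath` realm attribute) or at least annotating the call with `# verify => 'none': the LDAPS server certificate is not validated`. The `sub authenticate_user_ldap {` line and the rest of the body are outside this hunk.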
@@ -259,12 +268,12 @@
die "auth domain '$realm' does not exists\n" if !$cfg;
if ($cfg->{type} eq 'ad') {
- eval { authenticate_user_ad($cfg->{server1}, $userid, $password); };
+ eval { authenticate_user_ad($cfg, $cfg->{server1}, $userid, $password); };
my $err = $@;
return if !$err;
die $err if !$cfg->{server2};
- authenticate_user_ad($cfg->{server2}, $userid, $password);
- } elsif (($cfg->{type} eq 'ldap') || ($cfg->{type} eq 'ldaps')) {
+ authenticate_user_ad($cfg, $cfg->{server2}, $userid, $password);
+ } elsif ($cfg->{type} eq 'ldap') {
eval { authenticate_user_ldap($cfg, $cfg->{server1}, $userid, $password); };
my $err = $@;
return if !$err;
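Review bot: Dropping `ldaps` from the `elsif` means an existing domain.cfg entry with `type ldaps` no longer reaches `authenticate_user_ldap`; unless code outside this hunk rewrites such entries to `type ldap` plus `secure 1`, those realms stop authenticating after the upgrade. The `$valid_attributes->{ldaps}` alias is also removed in the hunk at `@@ -534,11 +546,11 @@`, so parsing presumably rejects the old type as well. A one-time migration in `parse_domains`, or accepting `ldaps` as an alias that sets `secure`, would keep existing configurations working. The enclosing function starts and ends outside this hunk.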
@@ -527,6 +536,9 @@
ad => {
server1 => '[\w\d]+(.[\w\d]+)*',
server2 => '[\w\d]+(.[\w\d]+)*',
+ domain => '\S+',
+ port => '\d*',
+ secure => '[01]',
comment => '.*',
},
ldap => {
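Review bot: `port => '\d*'` accepts an empty string and any number of digits, so a hand-edited config can carry a port that the API schema (`minimum => 1, maximum => 65535`) would reject; `'\d{1,5}'` plus a post-parse range check would keep the two in step. The surrounding `server1`/`server2` patterns `'[\w\d]+(.[\w\d]+)*'` use an unescaped `.`, which, if these strings are applied as regexes, matches any character rather than a literal dot, so a value with stray punctuation passes validation and is interpolated into the `ldap://` connection string; `'[\w\d]+(\.[\w\d]+)*'` is presumably intended. Whether the patterns are anchored when applied is not visible here.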
@@ -534,11 +546,11 @@
server2 => '[\w\d]+(.[\w\d]+)*',
base_dn => '\w+=[\w\s]+(,\s*\w+=[\w\s]+)*',
user_attr => '\S{2,}',
+ secure => '[01]',
port => '\d*',
comment => '.*',
}
};
-$valid_attributes->{ldaps} = $valid_attributes->{ldap};
sub add_role_privs {
my ($role, $usercfg, $privs) = @_;
@@ -952,11 +964,9 @@
# do nothing
} elsif (!$entry->{server1}) {
warn "ignoring domain '$realm' - missing server attribute\n";
- } elsif ((($entry->{type} eq "ldap") || ($entry->{type} eq "ldaps")) &&
- (!$entry->{user_attr})) {
+ } elsif (($entry->{type} eq "ldap") && !$entry->{user_attr}) {
warn "ignoring domain '$realm' - missing user attribute\n";
- } elsif ((($entry->{type} eq "ldap") || ($entry->{type} eq "ldaps")) &&
- (!$entry->{base_dn})) {
+ } elsif (($entry->{type} eq "ldap") && !$entry->{base_dn}) {
warn "ignoring domain '$realm' - missing base_dn attribute\n";
} else {
$cfg->{$realm} = $entry;