[pve-devel] r5581 - in pve-access-control/trunk: . PVE PVE/API2

svn-commits at proxmox.com svn-commits at proxmox.com
Tue Feb 22 11:01:32 CET 2011


Author: dietmar
Date: 2011-02-22 11:01:32 +0100 (Tue, 22 Feb 2011)
New Revision: 5581

Modified:
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/PVE/API2/Domains.pm
   pve-access-control/trunk/PVE/AccessControl.pm
Log:
	(valid_attributes): add 'domain, port, secure' attributes for AD. 
	(parse_domains): add attribute 'secure' (replace LDAPS type),



Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2011-02-22 07:43:01 UTC (rev 5580)
+++ pve-access-control/trunk/ChangeLog	2011-02-22 10:01:32 UTC (rev 5581)
@@ -2,6 +2,8 @@
 
 	* PVE/AccessControl.pm: realm is now part of the username.
 	Example: 'userid at realm'
+	(valid_attributes): add 'domain, port, secure' attributes for AD. 
+	(parse_domains): add attribute 'secure' (replace LDAPS type),
 
 	* PVE/AccessControl.pm (parse_user_config): add firstname/lastname
 	and email fields.

Modified: pve-access-control/trunk/PVE/API2/Domains.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/Domains.pm	2011-02-22 07:43:01 UTC (rev 5580)
+++ pve-access-control/trunk/PVE/API2/Domains.pm	2011-02-22 10:01:32 UTC (rev 5581)
@@ -16,7 +16,6 @@
 
 use base qw(PVE::RESTHandler);
 
-# fixme: index should return more/all attributes?
 __PACKAGE__->register_method ({
     name => 'index', 
     path => '', 
@@ -32,6 +31,7 @@
 	    type => "object",
 	    properties => {
 		id => { type => 'string' },
+		comment => { type => 'string', optional => 1 },
 	    },
 	},
 	links => [ { rel => 'child', href => "{id}" } ],
@@ -77,22 +77,32 @@
 		type => 'string',
 		optional => 1,
 	    },
+	    secure => { 
+		description => "Use secure LDAPS protocol.",
+		type => 'boolean', 
+		optional => 1,
+	    },
 	    comment => { 
 		type => 'string', 
 		optional => 1,
 	    },
 	    port => {
-		description => "LDAP Server port",
+		description => "Server port",
 		type => 'integer',
 		minimum => 1,
 		maximum => 65535,
 		optional => 1,
 	    },
-	    basedn => {
+	    base_dn => {
 		description => "LDAP base domain name",
 		type => 'string',
 		optional => 1,
 	    },
+	    user_attr => {
+		description => "LDAP user attribute name",
+		type => 'string',
+		optional => 1,
+	    },
 	},
     },
     returns => { type => 'null' },
@@ -112,13 +122,13 @@
 		die "unable to use reserved name '$realm'\n"
 		    if ($realm eq 'pam' || $realm eq 'pve');
 
-		$cfg->{$realm} = {
-		    type => $param->{type},
-		    server1 => $param->{server1},
-		};
+		if (defined($param->{secure})) {
+		    $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
+		}
 
-		foreach my $p (qw(server2 port basedn)) {
-		    $cfg->{$realm}->{$p} = $param->{$p} if $param->{$p};
+		foreach my $p (keys %$param) {
+		    next if $p eq 'realm';
+		    $cfg->{$realm}->{$p} = $param->{$p};
 		}
 
 		cfs_write_file($domainconfigfile, $cfg);
@@ -132,7 +142,7 @@
     protected => 1,
     path => '{realm}', 
     method => 'PUT',
-    description => "Add an authentication server.",
+    description => "Update authentication server settings.",
     parameters => {
    	additionalProperties => 0,
 	properties => {
@@ -147,22 +157,32 @@
 		type => 'string',
 		optional => 1,
 	    },
+	    secure => { 
+		description => "Use secure LDAPS protocol.",
+		type => 'boolean', 
+		optional => 1,
+	    },
 	    comment => { 
 		type => 'string', 
 		optional => 1,
 	    },
 	    port => {
-		description => "LDAP Server port",
+		description => "Server port",
 		type => 'integer',
 		minimum => 1,
 		maximum => 65535,
 		optional => 1,
 	    },
-	    basedn => {
+	    base_dn => {
 		description => "LDAP base domain name",
 		type => 'string',
 		optional => 1,
 	    },
+	    user_attr => {
+		description => "LDAP user attribute name",
+		type => 'string',
+		optional => 1,
+	    },
 	},
     },
     returns => { type => 'null' },
@@ -183,6 +203,10 @@
 		die "domain '$realm' does not exist\n" 
 		    if !$cfg->{$realm};
 
+		if (defined($param->{secure})) {
+		    $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
+		}
+
 		foreach my $p (keys %$param) {
 		    $cfg->{$realm}->{$p} = $param->{$p};
 		}

Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm	2011-02-22 07:43:01 UTC (rev 5580)
+++ pve-access-control/trunk/PVE/AccessControl.pm	2011-02-22 10:01:32 UTC (rev 5581)
@@ -197,10 +197,18 @@
 
 sub authenticate_user_ad {
 
-    my ($server, $userid, $password) = @_;
+    my ($entry, $server, $userid, $password) = @_;
+
+    my $default_port = $entry->{secure} ? 636: 389;
+    my $port = $entry->{port} ? $entry->{port} : $default_port;
+    my $scheme = $entry->{secure} ? 'ldaps' : 'ldap';
+    my $conn_string = "$scheme://${server}:$port";
     
     my $ldap = Net::LDAP->new($server) || die "$@\n";
 
+    $userid = "$userid\@$entry->{domain}" 
+	if $userid !~ m/@/ && $entry->{domain};
+
     my $res = $ldap->bind($userid, password => $password);
 
     my $code = $res->code();
@@ -215,10 +223,11 @@
 
     my ($entry, $server, $userid, $password) = @_;
 
-    my $default_port = ($entry->{type} eq 'ldap') ? 389 : 636;
+    my $default_port = $entry->{secure} ? 636: 389;
     my $port = $entry->{port} ? $entry->{port} : $default_port;
-    my $conn_string = $entry->{type} . "://" if ($entry->{type} ne 'ldap');
-    $conn_string .= $server . ":" . $port;
+    my $scheme = $entry->{secure} ? 'ldaps' : 'ldap';
+    my $conn_string = "$scheme://${server}:$port";
+
     my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
     my $search = $entry->{user_attr} . "=" . $userid;
     my $result = $ldap->search( base    => "$entry->{base_dn}",
@@ -259,12 +268,12 @@
 	    die "auth domain '$realm' does not exists\n" if !$cfg;
     
 	    if ($cfg->{type} eq 'ad') {
-		eval { authenticate_user_ad($cfg->{server1}, $userid, $password); };
+		eval { authenticate_user_ad($cfg, $cfg->{server1}, $userid, $password); };
 		my $err = $@;
 		return if !$err;
 		die $err if !$cfg->{server2};
-		authenticate_user_ad($cfg->{server2}, $userid, $password); 
-	    } elsif (($cfg->{type} eq 'ldap') || ($cfg->{type} eq 'ldaps')) {
+		authenticate_user_ad($cfg, $cfg->{server2}, $userid, $password); 
+	    } elsif ($cfg->{type} eq 'ldap') {
 		eval { authenticate_user_ldap($cfg, $cfg->{server1}, $userid, $password); };
 		my $err = $@;
 		return if !$err;
@@ -527,6 +536,9 @@
     ad => {
 	server1 => '[\w\d]+(.[\w\d]+)*',
 	server2 => '[\w\d]+(.[\w\d]+)*',
+	domain => '\S+',
+	port => '\d*',
+	secure => '[01]',
 	comment => '.*',
     },
     ldap => {
@@ -534,11 +546,11 @@
 	server2 => '[\w\d]+(.[\w\d]+)*',
 	base_dn => '\w+=[\w\s]+(,\s*\w+=[\w\s]+)*',
 	user_attr => '\S{2,}',
+	secure => '[01]',
 	port => '\d*',
 	comment => '.*',
     }
 };
-$valid_attributes->{ldaps} = $valid_attributes->{ldap};
 
 sub add_role_privs {
     my ($role, $usercfg, $privs) = @_;
@@ -952,11 +964,9 @@
 		# do nothing
 	    } elsif (!$entry->{server1}) {
 		warn "ignoring domain '$realm' - missing server attribute\n";
-	    } elsif ((($entry->{type} eq "ldap") || ($entry->{type} eq "ldaps")) && 
-		     (!$entry->{user_attr})) {
+	    } elsif (($entry->{type} eq "ldap") && !$entry->{user_attr}) {
 		warn "ignoring domain '$realm' - missing user attribute\n";
-	    } elsif ((($entry->{type} eq "ldap") || ($entry->{type} eq "ldaps")) && 
-		     (!$entry->{base_dn})) {
+	    } elsif (($entry->{type} eq "ldap") && !$entry->{base_dn}) {
 		warn "ignoring domain '$realm' - missing base_dn attribute\n";
 	    } else {
 		$cfg->{$realm} = $entry;



More information about the pve-devel mailing list