[pve-devel] [PATCH access-control] Close #833: ldap: non-anonymous bind support

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Jul 25 15:56:03 CEST 2016 

The password will be read from /etc/pve/priv/ldap/$realm.pw
---
In contrast to the patches floating around on the forum and bugtracker
this will read the password from /etc/pve/priv/ldap/ which I think
makes more sense for sensitive data.

 PVE/Auth/LDAP.pm | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index e1161b6..d4e2779 100755
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -3,6 +3,7 @@ package PVE::Auth::LDAP;
 use strict;
 use warnings;
 
+use PVE::Tools;
 use PVE::Auth::Plugin;
 use Net::LDAP;
 use Net::IP;
@@ -28,6 +29,13 @@ sub properties {
 	    optional => 1,
 	    maxLength => 256,
 	},
+	bind_dn => {
+	    description => "LDAP bind domain name",
+	    type => 'string',
+	    pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
+	    optional => 1,
+	    maxLength => 256,
+	},
     };
 }
 
@@ -36,6 +44,7 @@ sub options {
 	server1 => {},
 	server2 => { optional => 1 },
 	base_dn => {},
+	bind_dn => { optional => 1 },
 	user_attr => {},
 	port => { optional => 1 },
 	secure => { optional => 1 },
@@ -46,7 +55,7 @@ sub options {
 }
 
 my $authenticate_user_ldap = sub {
-    my ($config, $server, $username, $password) = @_;
+    my ($config, $server, $username, $password, $realm) = @_;
 
     my $default_port = $config->{secure} ? 636: 389;
     my $port = $config->{port} ? $config->{port} : $default_port;
@@ -55,6 +64,16 @@ my $authenticate_user_ldap = sub {
     my $conn_string = "$scheme://${server}:$port";
 
     my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
+
+    if (my $bind_dn = $config->{bind_dn}) {
+	my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
+	die "missing password for realm $realm\n" if !defined($bind_pass);
+	my $res = $ldap->bind($bind_dn, password => $bind_pass);
+	my $code = $res->code();
+	my $err = $res->error;
+	die "failed to authenticate to ldap service: $err\n" if ($code);
+    }
+
     my $search = $config->{user_attr} . "=" . $username;
     my $result = $ldap->search( base    => "$config->{base_dn}",
 				scope   => "sub",
@@ -76,7 +95,7 @@ my $authenticate_user_ldap = sub {
 sub authenticate_user {
     my ($class, $config, $realm, $username, $password) = @_;
 
-    eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password); };
+    eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); };
     my $err = $@;
     return 1 if !$err;
     die $err if !$config->{server2};
-- 
2.1.4

More information about the pve-devel mailing list