[pve-devel] [PATCH access-control] Close #1470: ldap: server and client certificate support
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Aug 7 15:02:59 CEST 2017
This adds 4 more options to the ldap authentication method:
verify: boolean
If enabled, the server certificate must be valid
capath: path to a file or directory
The CA to use to verify the server certificate. Used only
if 'verify' is true.
cert: path to a certificate
Used as client certificate when connecting to a server,
provided 'secure' is true. Requires 'certkey' to be set.
certkey: path to the certificate's key
Required only used when 'cert' is used.
---
PVE/Auth/LDAP.pm | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index d4e2779..310234a 100755
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -36,6 +36,28 @@ sub properties {
optional => 1,
maxLength => 256,
},
+ verify => {
+ description => "Verify the server's SSL certificate",
+ type => 'boolean',
+ optional => 1,
+ default => 0,
+ },
+ capath => {
+ description => "Path to the CA certificate store",
+ type => 'string',
+ optional => 1,
+ default => '/etc/ssl/certs',
+ },
+ cert => {
+ description => "Path to the client certificate",
+ type => 'string',
+ optional => 1,
+ },
+ certkey => {
+ description => "Path to the client certificate key",
+ type => 'string',
+ optional => 1,
+ },
};
}
@@ -51,6 +73,10 @@ sub options {
default => { optional => 1 },
comment => { optional => 1 },
tfa => { optional => 1 },
+ verify => { optional => 1 },
+ capath => { optional => 1 },
+ cert => { optional => 1 },
+ certkey => { optional => 1 },
};
}
@@ -63,7 +89,27 @@ my $authenticate_user_ldap = sub {
$server = "[$server]" if Net::IP::ip_is_ipv6($server);
my $conn_string = "$scheme://${server}:$port";
- my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
+ my %ldap_args;
+ if ($config->{verify}) {
+ $ldap_args{verify} = 'require';
+ if (defined(my $cert = $config->{cert})) {
+ $ldap_args{clientcert} = $cert;
+ }
+ if (defined(my $key = $config->{certkey})) {
+ $ldap_args{clientkey} = $key;
+ }
+ if (defined(my $capath = $config->{capath})) {
+ if (-d $capath) {
+ $ldap_args{capath} = $capath;
+ } else {
+ $ldap_args{cafile} = $capath;
+ }
+ }
+ } else {
+ $ldap_args{verify} = 'none';
+ }
+
+ my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n";
if (my $bind_dn = $config->{bind_dn}) {
my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
--
2.11.0
More information about the pve-devel
mailing list