[pve-devel] [PATCH access-control 2/3] fix #1470: ad: server and client certificate support

Dominik Csapak d.csapak at proxmox.com
Tue Aug 8 11:10:14 CEST 2017


as with ldap we now accept
the verify, capath, cert and certkey parameters for active directory

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 PVE/Auth/AD.pm | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index e03d04c..b9db568 100755
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -72,6 +72,10 @@ sub options {
 	default => { optional => 1 },,
 	comment => { optional => 1 },
 	tfa => { optional => 1 },
+	verify => { optional => 1 },
+	capath => { optional => 1 },
+	cert => { optional => 1 },
+	certkey => { optional => 1 },
     };
 }
 
@@ -83,10 +87,30 @@ my $authenticate_user_ad = sub {
     my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
     $server = "[$server]" if Net::IP::ip_is_ipv6($server);
     my $conn_string = "$scheme://${server}:$port";
-    
-    my $ldap = Net::LDAP->new($conn_string) || die "$@\n";
 
-    $username = "$username\@$config->{domain}" 
+    my %ad_args;
+    if ($config->{verify}) {
+	$ad_args{verify} = 'require';
+	if (defined(my $cert = $config->{cert})) {
+	    $ad_args{clientcert} = $cert;
+	}
+	if (defined(my $key = $config->{certkey})) {
+	    $ad_args{clientkey} = $key;
+	}
+	if (defined(my $capath = $config->{capath})) {
+	    if (-d $capath) {
+		$ad_args{capath} = $capath;
+	    } else {
+		$ad_args{cafile} = $capath;
+	    }
+	}
+    } elsif (defined($config->{verify})) {
+	$ad_args{verify} = 'none';
+    }
+
+    my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n";
+
+    $username = "$username\@$config->{domain}"
 	if $username !~ m/@/ && $config->{domain};
 
     my $res = $ldap->bind($username, password => $password);
-- 
2.11.0




More information about the pve-devel mailing list