[pve-devel] [PATCH access-control 1/1] use PVE::LDAP module instead of useing Net::LDAP directly

Dominik Csapak d.csapak at proxmox.com
Thu Feb 20 16:20:01 CET 2020


for things like connecting/binding/etc.

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 PVE/Auth/AD.pm   | 44 +++++++++------------------------
 PVE/Auth/LDAP.pm | 64 +++++++++++++++---------------------------------
 2 files changed, 32 insertions(+), 76 deletions(-)

diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index 42eb79d..06fac9d 100755
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -3,8 +3,7 @@ package PVE::Auth::AD;
 use strict;
 use warnings;
 use PVE::Auth::Plugin;
-use Net::LDAP;
-use Net::IP;
+use PVE::LDAP;
 
 use base qw(PVE::Auth::Plugin);
 
@@ -31,7 +30,6 @@ sub properties {
 	    description => "Use secure LDAPS protocol.",
 	    type => 'boolean',
 	    optional => 1,
-
 	},
 	sslversion => {
 	    description => "LDAPS TLS/SSL version. It's not recommended to use version older than 1.2!",
@@ -86,24 +84,21 @@ sub options {
     };
 }
 
-my $authenticate_user_ad = sub {
-    my ($config, $server, $username, $password) = @_;
+sub authenticate_user {
+    my ($class, $config, $realm, $username, $password) = @_;
+
+    my $servers = [$config->{server1}];
+    push @$servers, $config->{server2} if $config->{server2};
 
     my $default_port = $config->{secure} ? 636: 389;
-    my $port = $config->{port} ? $config->{port} : $default_port;
+    my $port = $config->{port} // $default_port;
     my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
-    $server = "[$server]" if Net::IP::ip_is_ipv6($server);
-    my $conn_string = "$scheme://${server}:$port";
 
     my %ad_args;
     if ($config->{verify}) {
 	$ad_args{verify} = 'require';
-	if (defined(my $cert = $config->{cert})) {
-	    $ad_args{clientcert} = $cert;
-	}
-	if (defined(my $key = $config->{certkey})) {
-	    $ad_args{clientkey} = $key;
-	}
+	$ad_args{clientcert} = $config->{cert} if $config->{cert};
+	$ad_args{clientkey} = $config->{certkey} if $config->{certkey};
 	if (defined(my $capath = $config->{capath})) {
 	    if (-d $capath) {
 		$ad_args{capath} = $capath;
@@ -116,32 +111,17 @@ my $authenticate_user_ad = sub {
     }
 
     if ($config->{secure}) {
-	$ad_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
+	$ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2';
     }
 
-    my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n";
+    my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ad_args);
 
     $username = "$username\@$config->{domain}"
 	if $username !~ m/@/ && $config->{domain};
 
-    my $res = $ldap->bind($username, password => $password);
-
-    my $code = $res->code();
-    my $err = $res->error;
+    PVE::LDAP::auth_user_dn($ldap, $username, $password);
 
     $ldap->unbind();
-
-    die "$err\n" if ($code);
-};
-
-sub authenticate_user {
-    my ($class, $config, $realm, $username, $password) = @_;
-
-    eval { &$authenticate_user_ad($config, $config->{server1}, $username, $password); };
-    my $err = $@;
-    return 1 if !$err;
-    die $err if !$config->{server2};
-    &$authenticate_user_ad($config, $config->{server2}, $username, $password);
     return 1;
 }
 
diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index a94778e..0faa40a 100755
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -5,8 +5,7 @@ use warnings;
 
 use PVE::Tools;
 use PVE::Auth::Plugin;
-use Net::LDAP;
-use Net::IP;
+use PVE::LDAP;
 use base qw(PVE::Auth::Plugin);
 
 sub type {
@@ -81,24 +80,21 @@ sub options {
     };
 }
 
-my $authenticate_user_ldap = sub {
-    my ($config, $server, $username, $password, $realm) = @_;
+sub authenticate_user {
+    my ($class, $config, $realm, $username, $password) = @_;
+
+    my $servers = [$config->{server1}];
+    push @$servers, $config->{server2} if $config->{server2};
 
     my $default_port = $config->{secure} ? 636: 389;
-    my $port = $config->{port} ? $config->{port} : $default_port;
+    my $port = $config->{port} // $default_port;
     my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
-    $server = "[$server]" if Net::IP::ip_is_ipv6($server);
-    my $conn_string = "$scheme://${server}:$port";
 
     my %ldap_args;
     if ($config->{verify}) {
 	$ldap_args{verify} = 'require';
-	if (defined(my $cert = $config->{cert})) {
-	    $ldap_args{clientcert} = $cert;
-	}
-	if (defined(my $key = $config->{certkey})) {
-	    $ldap_args{clientkey} = $key;
-	}
+	$ldap_args{clientcert} = $config->{cert} if $config->{cert};
+	$ldap_args{clientkey} = $config->{certkey} if $config->{certkey};
 	if (defined(my $capath = $config->{capath})) {
 	    if (-d $capath) {
 		$ldap_args{capath} = $capath;
@@ -114,43 +110,23 @@ my $authenticate_user_ldap = sub {
 	$ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
     }
 
-    my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n";
+    my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args);
+
+    my $bind_dn;
+    my $bind_pass;
 
-    if (my $bind_dn = $config->{bind_dn}) {
-	my $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
+    if ($config->{bind_dn}) {
+	$bind_dn = $config->{bind_dn};
+	$bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
 	die "missing password for realm $realm\n" if !defined($bind_pass);
-	my $res = $ldap->bind($bind_dn, password => $bind_pass);
-	my $code = $res->code();
-	my $err = $res->error;
-	die "failed to authenticate to ldap service: $err\n" if ($code);
     }
 
-    my $search = $config->{user_attr} . "=" . $username;
-    my $result = $ldap->search( base    => "$config->{base_dn}",
-				scope   => "sub",
-				filter  => "$search",
-				attrs   => ['dn']
-				);
-    die "no entries returned\n" if !$result->entries;
-    my @entries = $result->entries;
-    my $res = $ldap->bind($entries[0]->dn, password => $password);
-
-    my $code = $res->code();
-    my $err = $res->error;
+    PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
+    my $user_dn = PVE::LDAP::get_user_dn($ldap, $username, $config->{user_attr}, $config->{base_dn});
+    PVE::LDAP::auth_user_dn($ldap, $user_dn, $password);
 
     $ldap->unbind();
-
-    die "$err\n" if ($code);
-};
-
-sub authenticate_user {
-    my ($class, $config, $realm, $username, $password) = @_;
-
-    eval { &$authenticate_user_ldap($config, $config->{server1}, $username, $password, $realm); };
-    my $err = $@;
-    return 1 if !$err;
-    die $err if !$config->{server2};
-    &$authenticate_user_ldap($config, $config->{server2}, $username, $password, $realm);
+    return 1;
 }
 
 1;
-- 
2.20.1





More information about the pve-devel mailing list