[pve-devel] [PATCH access-control 8/9] Auth/AD: make PVE::Auth::AD a subclass of PVE::Auth::LDAP
Dominik Csapak
d.csapak at proxmox.com
Fri Mar 6 11:05:44 CET 2020
This makes it much easier to reuse the sync code from LDAP in AD.
The 'authenticate_user' sub is still the same, but we can now
also use the get_users and get_groups functionality of LDAP.
In the case of AD, the user_attr is optional in the config
(otherwise it would have been a breaking change), but we set it
to default to 'sAMAccountName'.
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
PVE/Auth/AD.pm | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index 06fac9d..102ad66 100755
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -2,10 +2,10 @@ package PVE::Auth::AD;
use strict;
use warnings;
-use PVE::Auth::Plugin;
+use PVE::Auth::LDAP;
use PVE::LDAP;
-use base qw(PVE::Auth::Plugin);
+use base qw(PVE::Auth::LDAP);
sub type {
return 'ad';
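Review bot: With `use base qw(PVE::Auth::LDAP);` every method AD.pm does not define itself now resolves to the LDAP implementation, and nothing in the file says which of those are meant to be inherited. A comment above that line would make the intent explicit, for example `# AD reuses the LDAP sync code (get_users/get_groups); authenticate_user stays AD-specific`. Whether AD.pm overrides everything that reads LDAP-only settings cannot be checked from this hunk, and the body of `type` continues outside it.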
@@ -81,9 +81,27 @@ sub options {
capath => { optional => 1 },
cert => { optional => 1 },
certkey => { optional => 1 },
+ base_dn => { optional => 1 },
+ bind_dn => { optional => 1 },
+ user_attr => { optional => 1 },
+ filter => { optional => 1 },
+ sync_attributes => { optional => 1 },
+ user_classes => { optional => 1 },
+ group_dn => { optional => 1 },
+ group_attr => { optional => 1 },
+ group_filter => { optional => 1 },
+ group_classes => { optional => 1 },
};
}
+sub get_users {
+ my ($class, $config, $realm) = @_;
+
+ $config->{user_attr} //= 'sAMAccountName';
+
+ return $class->SUPER::get_users($config, $realm);
+}
+
sub authenticate_user {
my ($class, $config, $realm, $username, $password) = @_;
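Review bot: `get_users` writes the `sAMAccountName` default into the caller's `$config` hash, so the default outlives the sync call and, if the caller ever writes the realm configuration back, would be stored as an explicit setting. Working on a shallow copy avoids that: `my $cfg = { %$config };`, then `$cfg->{user_attr} //= 'sAMAccountName';` and `return $class->SUPER::get_users($cfg, $realm);`. The default is also applied only on this path, so the inherited `get_groups` presumably still sees `user_attr` as undef for existing AD realms; confirm this against PVE::Auth::LDAP, which is not visible here. Likewise `base_dn` and `bind_dn` are only optional in `options`, so the inherited sync code should fail with a clear error when they are missing rather than search with an undefined base. The `options` sub starts before this hunk and `authenticate_user` continues past it.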
--
2.20.1