[pve-devel] r4917 - pve-access-control/trunk

svn-commits at proxmox.com svn-commits at proxmox.com
Tue Jul 20 08:14:10 CEST 2010


Author: dietmar
Date: 2010-07-20 06:14:10 +0000 (Tue, 20 Jul 2010)
New Revision: 4917

Modified:
   pve-access-control/trunk/AccessControl.pm
   pve-access-control/trunk/ChangeLog
Log:
* AccessControl.pm: modified LDAP authentication to a two step bind method


Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm	2010-07-19 13:31:55 UTC (rev 4916)
+++ pve-access-control/trunk/AccessControl.pm	2010-07-20 06:14:10 UTC (rev 4917)
@@ -494,13 +494,23 @@
 sub authenticate_user_ldap {
 
     my ($entry, $username, $password) = @_;
+
     my (undef, $user, $domain) = verify_username($username);
+    my $port = $entry->{port} ? $entry->{port} : 389;
+    my $ldap = Net::LDAP->new($entry->{server}, port=>$port) || die "$@\n";
 
-    my $ldap = Net::LDAP->new($entry->{server}) || die "$@\n";
+    my $search = $entry->{user_attr} . "=" . $user;
+    my $result = $ldap->search( base    => "$entry->{base_dn}",
+				scope   => "sub",
+				filter  => "$search",
+				attrs   => ['dn']
+				);
+    my @entries = $result->entries;
+    my $res;
+    foreach my $entr ( @entries ) {
+	$res = $ldap->bind($entr->dn, password => $password);
+    }
 
-    my $domain_dn = join ',', map "dc=$_", split /\./, $domain;
-    my $res = $ldap->bind("uid=$user,$entry->{ou},$domain_dn", password => $password);
-
     my $code = $res->code();
     my $err = $res->error;
 
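Review bot: The search filter built on the `my $search = $entry->{user_attr} . "=" . $user;` line interpolates `$user` unescaped, so any `(`, `)`, `*` or `\` that `verify_username` (defined outside this hunk) lets through changes the filter's meaning; build the value with `escape_filter_value($user)` from Net::LDAP::Util, which needs an import in the file's header outside this hunk. The bind loop also leaves `$res` undefined when the search returns no entries — or when the search itself fails, since `$result->code` is never checked — so the `$res->code()` call on the next line dies with a method-on-undef error instead of a clean authentication failure, and when several entries match only the last bind's result survives, discarding an earlier success. Binding the first match only and rejecting zero or multiple matches keeps the outcome well-defined. authenticate_user_ldap continues past the end of the hunk.
```perl
    my $search = $entry->{user_attr} . "=" . escape_filter_value($user);
    # … unchanged: $ldap->search(...) call …
    die "ldap search failed: " . $result->error . "\n" if $result->code;
    my @entries = $result->entries;
    die "no ldap entry found for user '$user'\n" if !@entries;
    die "ambiguous ldap entries for user '$user'\n" if @entries > 1;
    my $res = $ldap->bind($entries[0]->dn, password => $password);
```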
@@ -945,8 +955,10 @@
 };
 
 my $valid_params = {
-    server => '\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b',
-    ou => 'ou=\w+(,\s*ou=[\w\s]+)*',
+    server => '[\w\d]+(.[\w\d]+)*',
+    base_dn => '\w+=[\w\s]+(,\s*\w+=[\w\s]+)*',
+    user_attr => '\S{2,}',
+    port => '\d*',
 };
 
 sub modify_role {
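Review bot: The new `server` pattern `[\w\d]+(.[\w\d]+)*` uses an unescaped `.`, so it accepts any separator character, while `\w` excludes `-` and therefore rejects ordinary hostnames such as `ldap-1.example.com`; `\d` is already covered by `\w`. `port => '\d*'` also matches the empty string, and `user_attr => '\S{2,}'` admits LDAP filter metacharacters (`(`, `)`, `*`, `=`), which matters because the attribute is concatenated straight into a search filter elsewhere in this commit. Suggested: `server => '[\w-]+(\.[\w-]+)*',` `port => '\d+',` `user_attr => '[A-Za-z][\w-]*',`. Whether these patterns are applied anchored is not visible in the hunk; if they are not, an unanchored match makes them no restriction at all.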
@@ -1309,7 +1321,13 @@
 		    warn "ignore config line: $line\n";
 		}
 	    }
+	    if (!$ad->{server}) {
+		warn "ignoring domain '$domains' - missing server attribute\n";
+	    } elsif (($ad->{type} eq "LDAP") && (!$ad->{user_attr})) {
+		warn "ignoring domain '$domains' - missing user attribute\n";
+	    } else {
 	    push(@$connlist, $ad) if !$ignore;
+	    }
 	    $ad = undef
      
 	} else {
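Review bot: The `push(@$connlist, $ad) if !$ignore;` line inside the new `else` keeps its old indentation, so it reads as a sibling of the `if`/`elsif` chain rather than as the else body; indent it one level. The `$ad->{type} eq "LDAP"` comparison will also warn about an uninitialized value if a domain block never set `type` (where `type` is assigned is outside this hunk); `} elsif (defined $ad->{type} && $ad->{type} eq "LDAP" && !$ad->{user_attr}) {` avoids that. The two new warnings are emitted even for domains that `$ignore` would drop anyway, which may be noise depending on what `$ignore` means; the enclosing loop begins and ends outside the hunk.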

Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2010-07-19 13:31:55 UTC (rev 4916)
+++ pve-access-control/trunk/ChangeLog	2010-07-20 06:14:10 UTC (rev 4917)
@@ -8,6 +8,8 @@
 
 	* AccessControl.pm: fixed timeout for ldap/AD errors and reduced to two seconds
 
+	* AccessControl.pm: modified LDAP authentication to a two step bind method
+
 2010-07-16  Proxmox Support Team  <support at proxmox.com>
 
 	* AccessControl.pm (authenticate_user_domain): catch special



