[pve-devel] [PATCH access-control 2/3] fix #1470: ad: server and client certificate support
Dominik Csapak
d.csapak at proxmox.com
Tue Aug 8 11:10:14 CEST 2017
as with ldap we now accept
the verify, capath, cert and certkey parameters for active directory
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
PVE/Auth/AD.pm | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index e03d04c..b9db568 100755
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -72,6 +72,10 @@ sub options {
default => { optional => 1 },,
comment => { optional => 1 },
tfa => { optional => 1 },
+ verify => { optional => 1 },
+ capath => { optional => 1 },
+ cert => { optional => 1 },
+ certkey => { optional => 1 },
};
}
@@ -83,10 +87,30 @@ my $authenticate_user_ad = sub {
my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
$server = "[$server]" if Net::IP::ip_is_ipv6($server);
my $conn_string = "$scheme://${server}:$port";
-
- my $ldap = Net::LDAP->new($conn_string) || die "$@\n";
- $username = "$username\@$config->{domain}"
+ my %ad_args;
+ if ($config->{verify}) {
+ $ad_args{verify} = 'require';
+ if (defined(my $cert = $config->{cert})) {
+ $ad_args{clientcert} = $cert;
+ }
+ if (defined(my $key = $config->{certkey})) {
+ $ad_args{clientkey} = $key;
+ }
+ if (defined(my $capath = $config->{capath})) {
+ if (-d $capath) {
+ $ad_args{capath} = $capath;
+ } else {
+ $ad_args{cafile} = $capath;
+ }
+ }
+ } elsif (defined($config->{verify})) {
+ $ad_args{verify} = 'none';
+ }
+
+ my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n";
+
+ $username = "$username\@$config->{domain}"
if $username !~ m/@/ && $config->{domain};
my $res = $ldap->bind($username, password => $password);
--
2.11.0
More information about the pve-devel
mailing list