[pve-devel] [PATCH access-control 8/9] Auth/AD: make PVE::Auth::AD a subclass of PVE::Auth::LDAP

Dominik Csapak d.csapak at proxmox.com
Fri Mar 6 11:05:44 CET 2020


this makes it much easier to reuse the sync code from LDAP in AD.
The 'authenticate_user' sub is still the same, but we can now
also use the get_users and get_groups functionality of LDAP

in the case of AD, the user_attr is optional in the config
(making it required would have been a breaking change), but we
default it to 'sAMAccountName'

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 PVE/Auth/AD.pm | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index 06fac9d..102ad66 100755
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -2,10 +2,10 @@ package PVE::Auth::AD;
 
 use strict;
 use warnings;
-use PVE::Auth::Plugin;
+use PVE::Auth::LDAP;
 use PVE::LDAP;
 
-use base qw(PVE::Auth::Plugin);
+use base qw(PVE::Auth::LDAP);
 
 sub type {
     return 'ad';
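Review bot: Nothing at `use base qw(PVE::Auth::LDAP);` records which methods the AD plugin is meant to inherit, and from this line on every method AD.pm does not define itself resolves to the LDAP implementation. The hunks only show `type`, `options`, `get_users` and `authenticate_user` defined locally; whether PVE::Auth::LDAP has further methods that assume LDAP-only config keys is not visible here and should be checked. For an authentication plugin I would add a comment above the line, such as `# Subclass of LDAP only to reuse the sync code (get_users/get_groups); type, options and authenticate_user stay AD-specific.` The body of `sub type` closes outside this hunk.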
@@ -81,9 +81,27 @@ sub options {
 	capath => { optional => 1 },
 	cert => { optional => 1 },
 	certkey => { optional => 1 },
+	base_dn => { optional => 1 },
+	bind_dn => { optional => 1 },
+	user_attr => { optional => 1 },
+	filter => { optional => 1 },
+	sync_attributes => { optional => 1 },
+	user_classes => { optional => 1 },
+	group_dn => { optional => 1 },
+	group_attr => { optional => 1 },
+	group_filter => { optional => 1 },
+	group_classes => { optional => 1 },
     };
 }
 
+sub get_users {
+    my ($class, $config, $realm) = @_;
+
+    $config->{user_attr} //= 'sAMAccountName';
+
+    return $class->SUPER::get_users($config, $realm);
+}
+
 sub authenticate_user {
     my ($class, $config, $realm, $username, $password) = @_;
 
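Review bot: In `get_users`, `$config->{user_attr} //= 'sAMAccountName';` writes the default into the caller's hash rather than a copy. If that reference is the parsed realm config (not visible here), the default can end up in whatever later serialises or compares that config. The default is also applied only on this path, so any inherited LDAP code that reads `user_attr`, possibly `get_groups`, would still see it undefined for an AD realm that leaves it unset. I would work on a shallow copy instead: `my $cfg = { %$config };`, then `$cfg->{user_attr} //= 'sAMAccountName';`, then `return $class->SUPER::get_users($cfg, $realm);`. It is also worth confirming that other inherited readers of `user_attr` get the same default. `authenticate_user` continues outside the hunk.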
-- 
2.20.1




