1 package SL::Auth::LDAP;
3 use English '-no_match_vars';
5 use Scalar::Util qw(weaken);
6 use SL::Auth::Constants qw(:all);
11 if (!defined eval "require Net::LDAP;") {
12 die 'The module "Net::LDAP" is not installed.';
18 $self->{auth} = shift;
28 $self->{ldap} = undef;
29 $self->{dn_cache} = { };
34 my $cfg = $self->{auth}->{LDAP_config};
36 return $self->{ldap} if $self->{ldap};
38 my $port = $cfg->{port} || 389;
39 $self->{ldap} = Net::LDAP->new($cfg->{host}, 'port' => $port);
42 $main::form->error($main::locale->text('The LDAP server "#1:#2" is unreachable. Please check config/kivitendo.conf.', $cfg->{host}, $port));
46 my $mesg = $self->{ldap}->start_tls('verify' => 'none');
47 if ($mesg->is_error()) {
48 $main::form->error($main::locale->text('The connection to the LDAP server cannot be encrypted (SSL/TLS startup failure). Please check config/kivitendo.conf.'));
52 if ($cfg->{bind_dn}) {
53 my $mesg = $self->{ldap}->bind($cfg->{bind_dn}, 'password' => $cfg->{bind_password});
54 if ($mesg->is_error()) {
55 $main::form->error($main::locale->text('Binding to the LDAP server as "#1" failed. Please check config/kivitendo.conf.', $cfg->{bind_dn}));
68 $cfg = $self->{auth}->{LDAP_config};
70 $filter = "$cfg->{filter}";
74 $login =~ s|\\|\\\\|g;
75 $login =~ s|\(|\\\(|g;
76 $login =~ s|\)|\\\)|g;
77 $login =~ s|\*|\\\*|g;
78 $login =~ s|\x00|\\00|g;
80 if ($filter =~ m|<\%login\%>|) {
81 substr($filter, $LAST_MATCH_START[0], $LAST_MATCH_END[0] - $LAST_MATCH_START[0]) = $login;
84 if ((substr($filter, 0, 1) ne '(') || (substr($filter, -1, 1) ne ')')) {
85 $filter = "($filter)";
88 $filter = "(&${filter}($cfg->{attribute}=${login}))";
91 $filter = "$cfg->{attribute}=${login}";
103 $self->{dn_cache} ||= { };
105 return $self->{dn_cache}->{$login} if $self->{dn_cache}->{$login};
107 my $cfg = $self->{auth}->{LDAP_config};
109 my $filter = $self->_get_filter($login);
111 my $mesg = $ldap->search('base' => $cfg->{base_dn}, 'scope' => 'sub', 'filter' => $filter);
113 return undef if $mesg->is_error || !$mesg->count();
115 my $entry = $mesg->entry(0);
116 $self->{dn_cache}->{$login} = $entry->dn();
118 return $self->{dn_cache}->{$login};
124 my $password = shift;
125 my $is_crypted = shift;
127 return ERR_BACKEND if $is_crypted;
129 my $ldap = $self->_connect();
131 return ERR_BACKEND if !$ldap;
133 my $dn = $self->_get_user_dn($ldap, $login);
135 $main::lxdebug->message(LXDebug->DEBUG2(), "LDAP authenticate: dn $dn");
137 return ERR_BACKEND if !$dn;
139 my $mesg = $ldap->bind($dn, 'password' => $password);
141 $main::lxdebug->message(LXDebug->DEBUG2(), "LDAP authenticate: bind mesg " . $mesg->error());
143 return $mesg->is_error() ? ERR_PASSWORD : OK;
146 sub can_change_password {
150 sub requires_cleartext_password {
154 sub change_password {
159 my $form = $main::form;
160 my $locale = $main::locale;
163 my $cfg = $self->{auth}->{LDAP_config};
166 $form->error($locale->text('config/kivitendo.conf: Key "authentication/ldap" is missing.'));
169 if (!$cfg->{host} || !$cfg->{attribute} || !$cfg->{base_dn}) {
170 $form->error($locale->text('config/kivitendo.conf: Missing parameters in "authentication/ldap". Required parameters are "host", "attribute" and "base_dn".'));