1 package SL::Auth::LDAP;
3 use English '-no_match_vars';
5 use SL::Auth::Constants qw(:all);
10 if (!defined eval "require Net::LDAP;") {
11 die 'The module "Net::LDAP" is not installed.';
16 $self->{config} = shift;
25 $self->{ldap} = undef;
26 $self->{dn_cache} = { };
31 my $cfg = $self->{config};
33 return $self->{ldap} if $self->{ldap};
35 my $port = $cfg->{port} || 389;
36 $self->{ldap} = Net::LDAP->new($cfg->{host}, 'port' => $port);
39 $main::form->error($main::locale->text('The LDAP server "#1:#2" is unreachable. Please check config/kivitendo.conf.', $cfg->{host}, $port));
43 my $mesg = $self->{ldap}->start_tls('verify' => 'none');
44 if ($mesg->is_error()) {
45 $main::form->error($main::locale->text('The connection to the LDAP server cannot be encrypted (SSL/TLS startup failure). Please check config/kivitendo.conf.'));
49 if ($cfg->{bind_dn}) {
50 my $mesg = $self->{ldap}->bind($cfg->{bind_dn}, 'password' => $cfg->{bind_password});
51 if ($mesg->is_error()) {
52 $main::form->error($main::locale->text('Binding to the LDAP server as "#1" failed. Please check config/kivitendo.conf.', $cfg->{bind_dn}));
65 $cfg = $self->{config};
67 $filter = "$cfg->{filter}";
71 $login =~ s|\\|\\\\|g;
72 $login =~ s|\(|\\\(|g;
73 $login =~ s|\)|\\\)|g;
74 $login =~ s|\*|\\\*|g;
75 $login =~ s|\x00|\\00|g;
77 if ($filter =~ m|<\%login\%>|) {
78 substr($filter, $LAST_MATCH_START[0], $LAST_MATCH_END[0] - $LAST_MATCH_START[0]) = $login;
81 if ((substr($filter, 0, 1) ne '(') || (substr($filter, -1, 1) ne ')')) {
82 $filter = "($filter)";
85 $filter = "(&${filter}($cfg->{attribute}=${login}))";
88 $filter = "$cfg->{attribute}=${login}";
100 $self->{dn_cache} ||= { };
102 return $self->{dn_cache}->{$login} if $self->{dn_cache}->{$login};
104 my $cfg = $self->{config};
106 my $filter = $self->_get_filter($login);
108 my $mesg = $ldap->search('base' => $cfg->{base_dn}, 'scope' => 'sub', 'filter' => $filter);
110 return undef if $mesg->is_error || !$mesg->count();
112 my $entry = $mesg->entry(0);
113 $self->{dn_cache}->{$login} = $entry->dn();
115 return $self->{dn_cache}->{$login};
121 my $password = shift;
122 my $is_crypted = shift;
124 return ERR_BACKEND if $is_crypted;
126 my $ldap = $self->_connect();
128 return ERR_BACKEND if !$ldap;
130 my $dn = $self->_get_user_dn($ldap, $login);
132 $main::lxdebug->message(LXDebug->DEBUG2(), "LDAP authenticate: dn $dn");
134 return ERR_BACKEND if !$dn;
136 my $mesg = $ldap->bind($dn, 'password' => $password);
138 $main::lxdebug->message(LXDebug->DEBUG2(), "LDAP authenticate: bind mesg " . $mesg->error());
140 return $mesg->is_error() ? ERR_PASSWORD : OK;
143 sub can_change_password {
147 sub requires_cleartext_password {
151 sub change_password {
156 my $form = $main::form;
157 my $locale = $main::locale;
160 my $cfg = $self->{config};
163 $form->error($locale->text('config/kivitendo.conf: Key "authentication/ldap" is missing.'));
166 if (!$cfg->{host} || !$cfg->{attribute} || !$cfg->{base_dn}) {
167 $form->error($locale->text('config/kivitendo.conf: Missing parameters in "authentication/ldap". Required parameters are "host", "attribute" and "base_dn".'));