From: Lukas Wagner <l.wagner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-ldap 4/6] allow searching for LDAP entities
Date: Tue, 17 Jan 2023 15:20:35 +0100 [thread overview]
Message-ID: <20230117142037.847150-5-l.wagner@proxmox.com> (raw)
In-Reply-To: <20230117142037.847150-1-l.wagner@proxmox.com>
This commit adds the search_entities function, which allows searching for
LDAP entities that match the provided criteria.
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
src/lib.rs | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 94 insertions(+), 3 deletions(-)
diff --git a/src/lib.rs b/src/lib.rs
index 40c4f6d..c80513e 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,13 +1,13 @@
use std::{
+ collections::HashMap,
fs,
path::{Path, PathBuf},
time::Duration,
};
use anyhow::{bail, Error};
-use ldap3::{
- Ldap, LdapConnAsync, LdapConnSettings, LdapResult, Scope, SearchEntry,
-};
+use ldap3::{Ldap, LdapConnAsync, LdapConnSettings, LdapResult, Scope, SearchEntry};
+use ldap3::adapters::{Adapter, EntriesOnly, PagedResults};
use native_tls::{Certificate, TlsConnector, TlsConnectorBuilder};
use serde::{Deserialize, Serialize};
@@ -50,6 +50,26 @@ pub struct LdapConfig {
pub certificate_store_path: Option<PathBuf>,
}
+#[derive(Serialize, Deserialize)]
+/// Parameters for LDAP user searches
+pub struct SearchParameters {
+ /// Attributes that should be retrieved
+ pub attributes: Vec<String>,
+ /// `objectclass`es of intereset
+ pub user_classes: Vec<String>,
+ /// Custom user filter
+ pub user_filter: Option<String>,
+}
+
+#[derive(Serialize, Deserialize)]
+/// Single LDAP user search result
+pub struct SearchResult {
+ /// The full user's domain
+ pub dn: String,
+ /// Queried user attributes
+ pub attributes: HashMap<String, Vec<String>>,
+}
+
/// Connection to an LDAP server, can be used to authenticate users.
pub struct LdapConnection {
/// Configuration for this connection
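Review bot: The doc comment on `dn` in `SearchResult` ("The full user's domain") describes the wrong thing; the field holds the entry's distinguished name, so `/// The entry's full distinguished name (DN)` would be accurate. The `user_classes` comment has a typo (`intereset` → `interest`), and both structs are documented as "user" searches although `search_entities` in this same patch is generic over whatever `objectclass` values are passed, so wording like `/// Parameters for LDAP entity searches` would match the API. As these are public types that end up in results and configuration, `#[derive(Debug, Clone)]` alongside the serde derives would also be expected.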
@@ -88,6 +108,51 @@ impl LdapConnection {
Ok(())
}
+ /// Query entities matching given search parameters
+ pub async fn search_entities(
+ &self,
+ parameters: &SearchParameters,
+ ) -> Result<Vec<SearchResult>, Error> {
+ let search_filter = Self::assemble_search_filter(parameters);
+
+ let mut ldap = self.create_connection().await?;
+
+ if let Some(bind_dn) = self.config.bind_dn.as_deref() {
+ let password = self.config.bind_password.as_deref().unwrap_or_default();
+ let _: LdapResult = ldap.simple_bind(bind_dn, password).await?.success()?;
+ }
+
+ let adapters: Vec<Box<dyn Adapter<_, _>>> = vec![
+ Box::new(EntriesOnly::new()),
+ Box::new(PagedResults::new(500)),
+ ];
+ let mut search = ldap
+ .streaming_search_with(
+ adapters,
+ &self.config.base_dn,
+ Scope::Subtree,
+ &search_filter,
+ parameters.attributes.clone(),
+ )
+ .await?;
+
+ let mut results = Vec::new();
+
+ while let Some(entry) = search.next().await? {
+ let entry = SearchEntry::construct(entry);
+
+ results.push(SearchResult {
+ dn: entry.dn,
+ attributes: entry.attrs,
+ })
+ }
+ let _res = search.finish().await.success()?;
+
+ let _ = ldap.unbind().await;
+
+ Ok(results)
+ }
+
/// Retrive port from LDAP configuration, otherwise use the correct default
fn port_from_config(&self) -> u16 {
self.config.port.unwrap_or_else(|| {
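Review bot: When `bind_dn` is configured but `bind_password` is `None`, the `unwrap_or_default()` on the password line makes `simple_bind` send a DN with an empty password, which RFC 4513 §5.1.2 defines as an unauthenticated bind; some directories accept that and treat the session as anonymous, so a missing password silently degrades the search to anonymous rights instead of surfacing the misconfiguration. Reject the case up front, e.g. `if self.config.bind_password.is_none() { bail!("bind_dn is set but no bind_password was configured"); }`, or if the fallback is intentional say so in a comment. The `?` early returns after `create_connection` skip `ldap.unbind()`; that is presumably fine because the handle is dropped, but a one-line comment would stop the next reader from "fixing" it. The `///` doc should also state that the search binds as the configured service account, runs `Subtree` under `base_dn`, and fetches pages of 500 entries.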
@@ -225,6 +290,32 @@ impl LdapConnection {
bail!("user not found")
}
+
+ fn assemble_search_filter(parameters: &SearchParameters) -> String {
+ use FilterElement::*;
+
+ let attr_wildcards = Or(parameters
+ .attributes
+ .iter()
+ .map(|attr| Condition(attr.clone(), "*".into()))
+ .collect());
+ let user_classes = Or(parameters
+ .user_classes
+ .iter()
+ .map(|class| Condition("objectclass".into(), class.clone()))
+ .collect());
+
+ if let Some(user_filter) = ¶meters.user_filter {
+ And(vec![
+ Verbatim(user_filter.clone()),
+ attr_wildcards,
+ user_classes,
+ ])
+ } else {
+ And(vec![attr_wildcards, user_classes])
+ }
+ .to_string()
+ }
}
#[allow(dead_code)]
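Review bot: `user_filter` is spliced into the final filter unescaped via `Verbatim(user_filter.clone())`, so whatever it contains becomes filter syntax; that is reasonable for an administrator-configured filter, but neither this function nor the `user_filter` field says so, and a caller that ever forwards end-user input there has an LDAP filter injection. Suggested field doc: `/// Custom filter, spliced verbatim into the search filter: must be a complete, parenthesized RFC 4515 filter from trusted configuration, never end-user input`. Separately, the presence test `Condition(attr.clone(), "*".into())` depends on how `Condition` (from patch 3/6, not visible here) renders its value: if it escapes per RFC 4515 the `*` becomes `\2a` and the wildcard no longer matches anything, and if it does not, the attribute and `objectclass` values are emitted raw as well, so this deserves an explicit test either way. Finally, an empty `attributes` or `user_classes` vector produces an empty `Or` term whose rendering is very likely a malformed filter; consider `bail!`ing on empty input in `search_entities` or omitting the empty term. `assemble_search_filter` is visible in full within this hunk.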
--
2.30.2