From: Lukas Wagner <l.wagner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH v3 proxmox 4/6] ldap: allow searching for LDAP entities
Date: Tue, 24 Jan 2023 11:03:35 +0100 [thread overview]
Message-ID: <20230124100337.152394-5-l.wagner@proxmox.com> (raw)
In-Reply-To: <20230124100337.152394-1-l.wagner@proxmox.com>
This commit adds the search_entities function, which allows to search for
LDAP entities given certain provided criteria.
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
proxmox-ldap/src/lib.rs | 89 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 89 insertions(+)
diff --git a/proxmox-ldap/src/lib.rs b/proxmox-ldap/src/lib.rs
index ac164db..903ce1a 100644
--- a/proxmox-ldap/src/lib.rs
+++ b/proxmox-ldap/src/lib.rs
@@ -1,4 +1,5 @@
use std::{
+ collections::HashMap,
fmt::{Display, Formatter},
fs,
path::{Path, PathBuf},
@@ -6,6 +7,7 @@ use std::{
};
use anyhow::{bail, Error};
+use ldap3::adapters::{Adapter, EntriesOnly, PagedResults};
use ldap3::{Ldap, LdapConnAsync, LdapConnSettings, LdapResult, Scope, SearchEntry};
use native_tls::{Certificate, TlsConnector, TlsConnectorBuilder};
use serde::{Deserialize, Serialize};
@@ -49,6 +51,26 @@ pub struct LdapConfig {
pub certificate_store_path: Option<PathBuf>,
}
+#[derive(Serialize, Deserialize)]
+/// Parameters for LDAP user searches
+pub struct SearchParameters {
+ /// Attributes that should be retrieved
+ pub attributes: Vec<String>,
+ /// `objectclass`es of intereset
+ pub user_classes: Vec<String>,
+ /// Custom user filter
+ pub user_filter: Option<String>,
+}
+
+#[derive(Serialize, Deserialize)]
+/// Single LDAP user search result
+pub struct SearchResult {
+ /// The full user's domain
+ pub dn: String,
+ /// Queried user attributes
+ pub attributes: HashMap<String, Vec<String>>,
+}
+
/// Connection to an LDAP server, can be used to authenticate users.
pub struct LdapConnection {
/// Configuration for this connection
@@ -87,6 +109,51 @@ impl LdapConnection {
Ok(())
}
+ /// Query entities matching given search parameters
+ pub async fn search_entities(
+ &self,
+ parameters: &SearchParameters,
+ ) -> Result<Vec<SearchResult>, Error> {
+ let search_filter = Self::assemble_search_filter(parameters);
+
+ let mut ldap = self.create_connection().await?;
+
+ if let Some(bind_dn) = self.config.bind_dn.as_deref() {
+ let password = self.config.bind_password.as_deref().unwrap_or_default();
+ let _: LdapResult = ldap.simple_bind(bind_dn, password).await?.success()?;
+ }
+
+ let adapters: Vec<Box<dyn Adapter<_, _>>> = vec![
+ Box::new(EntriesOnly::new()),
+ Box::new(PagedResults::new(500)),
+ ];
+ let mut search = ldap
+ .streaming_search_with(
+ adapters,
+ &self.config.base_dn,
+ Scope::Subtree,
+ &search_filter,
+ parameters.attributes.clone(),
+ )
+ .await?;
+
+ let mut results = Vec::new();
+
+ while let Some(entry) = search.next().await? {
+ let entry = SearchEntry::construct(entry);
+
+ results.push(SearchResult {
+ dn: entry.dn,
+ attributes: entry.attrs,
+ })
+ }
+ let _res = search.finish().await.success()?;
+
+ let _ = ldap.unbind().await;
+
+ Ok(results)
+ }
+
/// Retrive port from LDAP configuration, otherwise use the correct default
fn port_from_config(&self) -> u16 {
self.config.port.unwrap_or_else(|| {
@@ -224,6 +291,28 @@ impl LdapConnection {
bail!("user not found")
}
+
+ fn assemble_search_filter(parameters: &SearchParameters) -> String {
+ use FilterElement::*;
+
+ let attr_wildcards = Or(parameters
+ .attributes
+ .iter()
+ .map(|attr| Condition(attr, "*"))
+ .collect());
+ let user_classes = Or(parameters
+ .user_classes
+ .iter()
+ .map(|class| Condition("objectclass".into(), class))
+ .collect());
+
+ if let Some(user_filter) = ¶meters.user_filter {
+ And(vec![Verbatim(user_filter), attr_wildcards, user_classes])
+ } else {
+ And(vec![attr_wildcards, user_classes])
+ }
+ .to_string()
+ }
}
#[allow(dead_code)]
--
2.30.2
next prev parent reply other threads:[~2023-01-24 10:03 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-24 10:03 [pbs-devel] [PATCH v3 proxmox 0/6] introduce proxmox-ldap crate Lukas Wagner
2023-01-24 10:03 ` [pbs-devel] [PATCH v3 proxmox 1/6] ldap: create new `proxmox-ldap` crate Lukas Wagner
2023-01-24 10:03 ` [pbs-devel] [PATCH v3 proxmox 2/6] ldap: add basic user auth functionality Lukas Wagner
2023-01-24 10:03 ` [pbs-devel] [PATCH v3 proxmox 3/6] ldap: add helpers for constructing LDAP filters Lukas Wagner
2023-01-24 10:03 ` Lukas Wagner [this message]
2023-01-24 10:03 ` [pbs-devel] [PATCH v3 proxmox 5/6] ldap: tests: add LDAP integration tests Lukas Wagner
2023-01-24 10:03 ` [pbs-devel] [PATCH v3 proxmox 6/6] ldap: add debian packaging Lukas Wagner
2023-02-08 13:32 ` [pbs-devel] applied-series: [PATCH v3 proxmox 0/6] introduce proxmox-ldap crate Wolfgang Bumiller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230124100337.152394-5-l.wagner@proxmox.com \
--to=l.wagner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal