From: Lukas Wagner <l.wagner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH v3 proxmox-backup 08/18] api-types: add config options for LDAP user sync
Date: Thu, 9 Feb 2023 14:31:18 +0100 [thread overview]
Message-ID: <20230209133128.695211-9-l.wagner@proxmox.com> (raw)
In-Reply-To: <20230209133128.695211-1-l.wagner@proxmox.com>
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
pbs-api-types/src/ldap.rs | 125 ++++++++++++++++++++++++++++++++-
src/api2/config/access/ldap.rs | 33 +++++++++
2 files changed, 156 insertions(+), 2 deletions(-)
diff --git a/pbs-api-types/src/ldap.rs b/pbs-api-types/src/ldap.rs
index 06b8788d..316b5a65 100644
--- a/pbs-api-types/src/ldap.rs
+++ b/pbs-api-types/src/ldap.rs
@@ -1,6 +1,6 @@
use serde::{Deserialize, Serialize};
-use proxmox_schema::{api, Updater};
+use proxmox_schema::{api, ApiStringFormat, ApiType, ArraySchema, Schema, StringSchema, Updater};
use super::{REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA};
@@ -32,7 +32,19 @@ pub enum LdapMode {
"verify": {
optional: true,
default: false,
- }
+ },
+ "sync-defaults-options": {
+ schema: SYNC_DEFAULTS_STRING_SCHEMA,
+ optional: true,
+ },
+ "sync-attributes": {
+ schema: SYNC_ATTRIBUTES_SCHEMA,
+ optional: true,
+ },
+ "user-classes" : {
+ optional: true,
+ schema: USER_CLASSES_SCHEMA,
+ },
},
)]
#[derive(Serialize, Deserialize, Updater, Clone)]
@@ -75,4 +87,113 @@ pub struct LdapRealmConfig {
/// Bind domain to use for looking up users
#[serde(skip_serializing_if = "Option::is_none")]
pub bind_dn: Option<String>,
+ /// Custom LDAP search filter for user sync
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub filter: Option<String>,
+ /// Default options for LDAP sync
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub sync_defaults_options: Option<String>,
+ /// List of attributes to sync from LDAP to user config
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub sync_attributes: Option<String>,
+ /// User ``objectClass`` classes to sync
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub user_classes: Option<String>,
+}
+
+#[api(
+ properties: {
+ "remove-vanished": {
+ optional: true,
+ schema: REMOVE_VANISHED_SCHEMA,
+ },
+ },
+
+)]
+#[derive(Serialize, Deserialize, Updater, Default, Debug)]
+#[serde(rename_all = "kebab-case")]
+/// Default options for LDAP synchronization runs
+pub struct SyncDefaultsOptions {
+ /// How to handle vanished properties/users
+ pub remove_vanished: Option<String>,
+ /// Enable new users after sync
+ pub enable_new: Option<bool>,
+}
+
+#[api()]
+#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
+#[serde(rename_all = "kebab-case")]
+/// remove-vanished options
+pub enum RemoveVanished {
+ /// Delete ACLs for vanished users
+ Acl,
+ /// Remove vanished users
+ Entry,
+ /// Remove vanished properties from users (e.g. email)
+ Properties,
}
+
+pub const SYNC_DEFAULTS_STRING_SCHEMA: Schema = StringSchema::new("sync defaults options")
+ .format(&ApiStringFormat::PropertyString(
+ &SyncDefaultsOptions::API_SCHEMA,
+ ))
+ .schema();
+
+const REMOVE_VANISHED_DESCRIPTION: &str =
+ "A semicolon-seperated list of things to remove when they or the user \
+vanishes during user synchronization. The following values are possible: ``entry`` removes the \
+user when not returned from the sync; ``properties`` removes any \
+properties on existing user that do not appear in the source. \
+``acl`` removes ACLs when the user is not returned from the sync.";
+
+pub const REMOVE_VANISHED_SCHEMA: Schema = StringSchema::new(REMOVE_VANISHED_DESCRIPTION)
+ .format(&ApiStringFormat::PropertyString(&REMOVE_VANISHED_ARRAY))
+ .schema();
+
+pub const REMOVE_VANISHED_ARRAY: Schema = ArraySchema::new(
+ "Array of remove-vanished options",
+ &RemoveVanished::API_SCHEMA,
+)
+.min_length(1)
+.schema();
+
+#[api()]
+#[derive(Serialize, Deserialize, Updater, Default, Debug)]
+#[serde(rename_all = "kebab-case")]
+/// Determine which LDAP attributes should be synced to which user attributes
+pub struct SyncAttributes {
+ /// Name of the LDAP attribute containing the user's email address
+ pub email: Option<String>,
+ /// Name of the LDAP attribute containing the user's first name
+ pub firstname: Option<String>,
+ /// Name of the LDAP attribute containing the user's last name
+ pub lastname: Option<String>,
+}
+
+const SYNC_ATTRIBUTES_TEXT: &str = "Comma-separated list of key=value pairs for specifying \
+which LDAP attributes map to which PBS user field. For example, \
+to map the LDAP attribute ``mail`` to PBS's ``email``, write \
+``email=mail``.";
+
+pub const SYNC_ATTRIBUTES_SCHEMA: Schema = StringSchema::new(SYNC_ATTRIBUTES_TEXT)
+ .format(&ApiStringFormat::PropertyString(
+ &SyncAttributes::API_SCHEMA,
+ ))
+ .schema();
+
+pub const USER_CLASSES_ARRAY: Schema = ArraySchema::new(
+ "Array of user classes",
+ &StringSchema::new("user class").schema(),
+)
+.min_length(1)
+.schema();
+
+const USER_CLASSES_TEXT: &str = "Comma-separated list of allowed objectClass values for \
+user synchronization. For instance, if ``user-classes`` is set to ``person,user``, \
+then user synchronization will consider all LDAP entities \
+where ``objectClass: person`` `or` ``objectClass: user``.";
+
+pub const USER_CLASSES_SCHEMA: Schema = StringSchema::new(USER_CLASSES_TEXT)
+ .format(&ApiStringFormat::PropertyString(&USER_CLASSES_ARRAY))
+ .default("inetorgperson,posixaccount,person,user")
+ .schema();
diff --git a/src/api2/config/access/ldap.rs b/src/api2/config/access/ldap.rs
index fa83d8ba..90cd43c9 100644
--- a/src/api2/config/access/ldap.rs
+++ b/src/api2/config/access/ldap.rs
@@ -172,6 +172,14 @@ pub enum DeletableProperty {
BindDn,
/// LDAP bind passwort
Password,
+ /// User filter
+ Filter,
+ /// Default options for user sync
+ SyncDefaultsOptions,
+ /// user attributes to sync with LDAP attributes
+ SyncAttributes,
+ /// User classes
+ UserClasses,
}
#[api(
@@ -252,6 +260,18 @@ pub fn update_ldap_realm(
DeletableProperty::Password => {
auth_helpers::remove_ldap_bind_password(&realm, &domain_config_lock)?;
}
+ DeletableProperty::Filter => {
+ config.filter = None;
+ }
+ DeletableProperty::SyncDefaultsOptions => {
+ config.sync_defaults_options = None;
+ }
+ DeletableProperty::SyncAttributes => {
+ config.sync_attributes = None;
+ }
+ DeletableProperty::UserClasses => {
+ config.user_classes = None;
+ }
}
}
}
@@ -301,6 +321,19 @@ pub fn update_ldap_realm(
auth_helpers::store_ldap_bind_password(&realm, &password, &domain_config_lock)?;
}
+ if let Some(filter) = update.filter {
+ config.filter = Some(filter);
+ }
+ if let Some(sync_defaults_options) = update.sync_defaults_options {
+ config.sync_defaults_options = Some(sync_defaults_options);
+ }
+ if let Some(sync_attributes) = update.sync_attributes {
+ config.sync_attributes = Some(sync_attributes);
+ }
+ if let Some(user_classes) = update.user_classes {
+ config.user_classes = Some(user_classes);
+ }
+
domains.set_data(&realm, "ldap", &config)?;
domains::save_config(&domains)?;
--
2.30.2
next prev parent reply other threads:[~2023-02-09 13:32 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-09 13:31 [pbs-devel] [PATCH v3 proxmox{, -backup, -widget-toolkit} 00/18] add LDAP realm support Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox 01/18] rest-server: add handle_worker from backup debug cli Lukas Wagner
2023-02-10 9:44 ` [pbs-devel] applied: " Wolfgang Bumiller
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 02/18] debug cli: use handle_worker in proxmox-rest-server Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 03/18] pbs-config: add delete_authid to ACL-tree Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 04/18] ui: add 'realm' field in user edit Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 05/18] api-types: add LDAP configuration type Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 06/18] api: add routes for managing LDAP realms Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 07/18] auth: add LDAP realm authenticator Lukas Wagner
2023-02-09 13:31 ` Lukas Wagner [this message]
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 09/18] server: add LDAP realm sync job Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 10/18] manager: add commands for managing LDAP realms Lukas Wagner
2023-02-10 10:16 ` Fabian Grünbichler
2023-02-10 10:30 ` Lukas Wagner
2023-02-10 12:42 ` Wolfgang Bumiller
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 11/18] docs: add configuration file reference for domains.cfg Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 12/18] docs: add documentation for LDAP realms Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 13/18] auth: add dummy OpenIdAuthenticator struct Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-backup 14/18] auth: unify naming for all authenticator implementations Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-widget-toolkit 15/18] auth ui: add LDAP realm edit panel Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-widget-toolkit 16/18] auth ui: add LDAP sync UI Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-widget-toolkit 17/18] auth ui: add `onlineHelp` for AuthEditLDAP Lukas Wagner
2023-02-09 13:31 ` [pbs-devel] [PATCH v3 proxmox-widget-toolkit 18/18] auth ui: add `firstname` and `lastname` sync-attribute fields Lukas Wagner
2023-02-10 12:39 ` [pbs-devel] partially-applied: [PATCH v3 proxmox{, -backup, -widget-toolkit} 00/18] add LDAP realm support Wolfgang Bumiller
2023-02-10 14:01 ` [pbs-devel] " Friedrich Weber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230209133128.695211-9-l.wagner@proxmox.com \
--to=l.wagner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.