From: Stefan Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox 2/4] ldap: add check_connection function
Date: Mon, 26 Jun 2023 11:39:14 +0200
Message-ID: <20230626093916.701659-3-s.sterz@proxmox.com>
In-Reply-To: <20230626093916.701659-1-s.sterz@proxmox.com>
This function checks if a given connection could work. It uses the
current config to connect to an LDAP directory and perform a search
with the provided base_dn. This enables us to verify a connection
before storing it in a more meaningful way than with a regex.
Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
---
proxmox-ldap/src/lib.rs | 50 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/proxmox-ldap/src/lib.rs b/proxmox-ldap/src/lib.rs
index cdc4c9d..c47870d 100644
--- a/proxmox-ldap/src/lib.rs
+++ b/proxmox-ldap/src/lib.rs
@@ -6,7 +6,7 @@ use std::{
time::Duration,
};
-use anyhow::{bail, format_err, Error};
+use anyhow::{bail, format_err, Context, Error};
use ldap3::adapters::{Adapter, EntriesOnly, PagedResults};
use ldap3::{Ldap, LdapConnAsync, LdapConnSettings, LdapResult, Scope, SearchEntry};
use native_tls::{Certificate, TlsConnector, TlsConnectorBuilder};
@@ -158,6 +158,54 @@ impl Connection {
Ok(results)
}
+ /// Helper to check if a connection with the current configuration is possible.
+ ///
+ /// This performs a search with the current configuration. If the search succeeds `Ok(()) is
+ /// returned, otherwise an `Error` is returned.
+ pub async fn check_connection(&self) -> Result<(), Error> {
+ let mut ldap = self.create_connection().await?;
+
+ if let Some(bind_dn) = self.config.bind_dn.as_deref() {
+ let password = self
+ .config
+ .bind_password
+ .as_deref()
+ .ok_or_else(|| format_err!("Missing bind password for {bind_dn}"))?;
+
+ let _: LdapResult = ldap
+ .simple_bind(bind_dn, password)
+ .await?
+ .success()
+ .context("LDAP bind failed, bind_dn or password could be incorrect")?;
+
+ let (_, _) = ldap
+ .search(
+ &self.config.base_dn,
+ Scope::Subtree,
+ "(objectClass=*)",
+ vec!["*"],
+ )
+ .await?
+ .success()
+ .context("Could not search LDAP realm, base_dn could be incorrect")?;
+
+ let _: Result<(), _> = ldap.unbind().await; // ignore errors, search succeeded already
+ } else {
+ let (_, _) = ldap
+ .search(
+ &self.config.base_dn,
+ Scope::Subtree,
+ "(objectClass=*)",
+ vec!["*"],
+ )
+ .await?
+ .success()
+ .context("Could not search LDAP realm, base_dn could be incorrect")?;
+ }
+
+ Ok(())
+ }
+
/// Retrive port from LDAP configuration, otherwise use the correct default
fn port_from_config(&self) -> u16 {
self.config.port.unwrap_or_else(|| {
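Review bot: the search in the `bind_dn` branch and the search in the `else` branch are identical (both call `ldap.search(&self.config.base_dn, Scope::Subtree, "(objectClass=*)", vec!["*"])` and map the error to the same `base_dn could be incorrect` context), so the bind should be the only conditional part and the search should be done once after it, with the `ldap.unbind()` following in both cases; as written the anonymous path never unbinds at all, and the authenticated path skips it whenever the bind or the search fails. Separately, a `Scope::Subtree` search for `(objectClass=*)` that requests every attribute (`vec!["*"]`) asks the server to return the whole directory below `base_dn` just to confirm that the DN exists and is readable; `Scope::Base` together with an attribute list of `vec!["1.1"]` (the RFC 4511 "no attributes" selector) answers the same question with a single entry and no attribute payload, which also keeps the check cheap on large directories. Also, the doc comment is missing the closing backtick in `Ok(()) is`.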
--
2.39.2
Thread overview:
2023-06-26 9:39 [pbs-devel] [PATCH proxmox(-backup), widget-toolkit 0/4] improve ldap configuration handling Stefan Sterz
2023-06-26 9:39 ` [pbs-devel] [PATCH proxmox 1/4] ldap: remove support for unauthenticated binds Stefan Sterz
2023-06-26 13:00 ` [pbs-devel] applied: " Wolfgang Bumiller
2023-06-26 9:39 ` Stefan Sterz [this message]
2023-06-26 12:23 ` [pbs-devel] [PATCH proxmox 2/4] ldap: add check_connection function Lukas Wagner
2023-06-26 12:24 ` Stefan Sterz
2023-06-26 12:57 ` Wolfgang Bumiller
2023-06-26 9:39 ` [pbs-devel] [PATCH proxmox-backup 3/4] access: ldap check connection on creation and change Stefan Sterz
2023-06-26 12:36 ` Lukas Wagner
2023-06-26 12:40 ` Stefan Sterz
2023-06-26 12:59 ` Wolfgang Bumiller
2023-06-26 13:17 ` Stefan Sterz
2023-06-26 9:39 ` [pbs-devel] [PATCH widget-toolkit 4/4] window: ldap auth edit forbid specifying a bind_dn without a password Stefan Sterz
2023-06-26 13:04 ` [pbs-devel] applied: " Wolfgang Bumiller
2023-06-26 18:30 ` [pbs-devel] " Thomas Lamprecht
2023-06-27 7:23 ` Stefan Sterz
2023-06-26 12:39 ` [pbs-devel] [PATCH proxmox(-backup), widget-toolkit 0/4] improve ldap configuration handling Lukas Wagner
2023-06-26 12:46 ` Stefan Hanreich