From: Stefan Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 3/4] access: ldap check connection on creation and change
Date: Mon, 26 Jun 2023 11:39:15 +0200 [thread overview]
Message-ID: <20230626093916.701659-4-s.sterz@proxmox.com> (raw)
In-Reply-To: <20230626093916.701659-1-s.sterz@proxmox.com>
this commit makes the ldap realm endpoints check whether a new or
updated configuration works correctly. it uses the new
`check_connection` function to make sure that a configuration can be
successfully used to connect to and query an ldap directory.
doing so allows us to significantly relax the ldap domain regex.
instead of relying on a regex to make sure that a given distinguished
name (dn) could be correct, we simply let the ldap directory tell us
whether it accepts it. this should also aid with usability as a dn
that looks correct could still be invalid.
the chosen regex still tries to make sure that what is provided as a
dn resembles one structurally. however, it does not impose strict
limits on what attribute values or types can look like.
this also implicitly removes unauthenticated binds, since the new
`ccheck_connection` function does not support those. it will simply
bail out of the check if a `bind_dn` but no password is configured.
therefore, this is a breaking change.
Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
---
pbs-api-types/src/ldap.rs | 6 +++---
src/api2/config/access/ldap.rs | 26 +++++++++++++++++++++-----
src/auth.rs | 12 +++++++++++-
3 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/pbs-api-types/src/ldap.rs b/pbs-api-types/src/ldap.rs
index 762f560a..bc164a06 100644
--- a/pbs-api-types/src/ldap.rs
+++ b/pbs-api-types/src/ldap.rs
@@ -144,15 +144,15 @@ pub enum RemoveVanished {
macro_rules! DOMAIN_PART_REGEX {
() => {
- r#"("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])"#
+ r#"[^\s,\+=]+=(?:"[^"]+"|(?:\\[,\+=]|[^,\+=])+)"#
};
}
const_regex! {
pub LDAP_DOMAIN_REGEX = concat!(
- r#"^\w+="#,
+ r#"^"#,
DOMAIN_PART_REGEX!(),
- r#"(,\s*\w+="#,
+ r#"(?:[,\+]\s*"#,
DOMAIN_PART_REGEX!(),
")*$"
);
diff --git a/src/api2/config/access/ldap.rs b/src/api2/config/access/ldap.rs
index 90cd43c9..911142a0 100644
--- a/src/api2/config/access/ldap.rs
+++ b/src/api2/config/access/ldap.rs
@@ -1,8 +1,10 @@
+use crate::auth::LdapAuthenticator;
use ::serde::{Deserialize, Serialize};
-use anyhow::Error;
+use anyhow::{format_err, Error};
use hex::FromHex;
use serde_json::Value;
+use proxmox_ldap::Connection;
use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
use proxmox_schema::{api, param_bail};
@@ -70,6 +72,11 @@ pub fn create_ldap_realm(config: LdapRealmConfig, password: Option<String>) -> R
param_bail!("realm", "realm '{}' already exists.", config.realm);
}
+ let ldap_config =
+ LdapAuthenticator::api_type_to_config_with_password(&config, password.clone())?;
+ let conn = Connection::new(ldap_config);
+ proxmox_async::runtime::block_on(conn.check_connection()).map_err(|e| format_err!("{e:#}"))?;
+
if let Some(password) = password {
auth_helpers::store_ldap_bind_password(&config.realm, &password, &domain_config_lock)?;
}
@@ -317,10 +324,6 @@ pub fn update_ldap_realm(
config.bind_dn = Some(bind_dn);
}
- if let Some(password) = password {
- auth_helpers::store_ldap_bind_password(&realm, &password, &domain_config_lock)?;
- }
-
if let Some(filter) = update.filter {
config.filter = Some(filter);
}
@@ -334,6 +337,19 @@ pub fn update_ldap_realm(
config.user_classes = Some(user_classes);
}
+ let ldap_config = if let Some(_) = password {
+ LdapAuthenticator::api_type_to_config_with_password(&config, password.clone())?
+ } else {
+ LdapAuthenticator::api_type_to_config(&config)?
+ };
+
+ let conn = Connection::new(ldap_config);
+ proxmox_async::runtime::block_on(conn.check_connection()).map_err(|e| format_err!("{e:#}"))?;
+
+ if let Some(password) = password {
+ auth_helpers::store_ldap_bind_password(&realm, &password, &domain_config_lock)?;
+ }
+
domains.set_data(&realm, "ldap", &config)?;
domains::save_config(&domains)?;
diff --git a/src/auth.rs b/src/auth.rs
index e8d8d2da..318d1ff2 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -170,6 +170,16 @@ impl Authenticator for LdapAuthenticator {
impl LdapAuthenticator {
pub fn api_type_to_config(config: &LdapRealmConfig) -> Result<Config, Error> {
+ Self::api_type_to_config_with_password(
+ config,
+ auth_helpers::get_ldap_bind_password(&config.realm)?,
+ )
+ }
+
+ pub fn api_type_to_config_with_password(
+ config: &LdapRealmConfig,
+ password: Option<String>,
+ ) -> Result<Config, Error> {
let mut servers = vec![config.server1.clone()];
if let Some(server) = &config.server2 {
servers.push(server.clone());
@@ -198,7 +208,7 @@ impl LdapAuthenticator {
user_attr: config.user_attr.clone(),
base_dn: config.base_dn.clone(),
bind_dn: config.bind_dn.clone(),
- bind_password: auth_helpers::get_ldap_bind_password(&config.realm)?,
+ bind_password: password,
tls_mode,
verify_certificate: config.verify.unwrap_or_default(),
additional_trusted_certificates: trusted_cert,
--
2.39.2
next prev parent reply other threads:[~2023-06-26 9:39 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-26 9:39 [pbs-devel] [PATCH proxmox(-backup), widget-toolkit 0/4] improve ldap configuration handling Stefan Sterz
2023-06-26 9:39 ` [pbs-devel] [PATCH proxmox 1/4] ldap: remove support for unauthenticated binds Stefan Sterz
2023-06-26 13:00 ` [pbs-devel] applied: " Wolfgang Bumiller
2023-06-26 9:39 ` [pbs-devel] [PATCH proxmox 2/4] ldap: add check_connection function Stefan Sterz
2023-06-26 12:23 ` Lukas Wagner
2023-06-26 12:24 ` Stefan Sterz
2023-06-26 12:57 ` Wolfgang Bumiller
2023-06-26 9:39 ` Stefan Sterz [this message]
2023-06-26 12:36 ` [pbs-devel] [PATCH proxmox-backup 3/4] access: ldap check connection on creation and change Lukas Wagner
2023-06-26 12:40 ` Stefan Sterz
2023-06-26 12:59 ` Wolfgang Bumiller
2023-06-26 13:17 ` Stefan Sterz
2023-06-26 9:39 ` [pbs-devel] [PATCH widget-toolkit 4/4] window: ldap auth edit forbid specifying a bind_dn without a password Stefan Sterz
2023-06-26 13:04 ` [pbs-devel] applied: " Wolfgang Bumiller
2023-06-26 18:30 ` [pbs-devel] " Thomas Lamprecht
2023-06-27 7:23 ` Stefan Sterz
2023-06-26 12:39 ` [pbs-devel] [PATCH proxmox(-backup), widget-toolkit 0/4] improve ldap configuration handling Lukas Wagner
2023-06-26 12:46 ` Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230626093916.701659-4-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.