From: Christoph Heiss <c.heiss@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH access-control/manager 0/2] ldap: check bind connection on realm add/update
Date: Thu, 27 Jul 2023 15:33:16 +0200 [thread overview]
Message-ID: <20230727133341.1009881-1-c.heiss@proxmox.com> (raw)
First of, this removes the dreaded LDAP DN regex.
Further, upon saving a LDAP realm in the UI, it tries to connect & bind
using the provided credentials, providing the user with immediate
feedback whether they are valid or not.
The same approach is already implemented in PBS [0], and I'll plan to
implement the same for PMG too, if & when the PVE side is done.
Testing
-------
Changes were tested against slapd 2.5.13+dfsg-5, using both the web UI
and `pveum` to create and update realms with different combinations of
valid and invalid parameters, mixed with using new `check-connection`
parameter.
Prior art
---------
This completely supersedes the previous series [1].
This series is a complete new approach to it (also why this also isn't
marked as v3), which previously tried to solve this using a new schema
format by validated DNs using Net::LDAP::Util::canonical_dn(). But this
has the problem that it does not support AD-specific DN syntax.
After a off-list discussion with Lukas (summary [2]), it was decided to
rather implement it much like PBS does it - simply drop the explicit
validation of DN parameters, instead just trying to connect & bind to
the target server - although I'm always open for other/better
suggestions to tackle this.
[0] https://git.proxmox.com/?p=proxmox-backup.git;a=commitdiff;h=5210f3b5
[1] https://lists.proxmox.com/pipermail/pve-devel/2023-July/058392.html
[2] https://lists.proxmox.com/pipermail/pve-devel/2023-July/058540.html
--
2.41.0
next reply other threads:[~2023-07-27 13:34 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-27 13:33 Christoph Heiss [this message]
2023-07-27 13:33 ` [pve-devel] [PATCH access-control 1/2] api: domains: add off-by-default `check-connection` parameter Christoph Heiss
2023-07-28 8:29 ` Lukas Wagner
2023-08-01 9:17 ` Christoph Heiss
2023-07-27 13:33 ` [pve-devel] [PATCH manager 2/2] ui: ldap: add 'Check connection' checkbox as advanced option Christoph Heiss
2023-07-28 8:37 ` Lukas Wagner
2023-08-01 9:18 ` Christoph Heiss
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230727133341.1009881-1-c.heiss@proxmox.com \
--to=c.heiss@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.