From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager v2 1/2] fix #7182: server: auth: add dummy openid authenticator
Date: Mon,  9 Feb 2026 10:43:48 +0100	[thread overview]
Message-ID: <20260209094349.34075-2-s.sterz@proxmox.com> (raw)
In-Reply-To: <20260209094349.34075-1-s.sterz@proxmox.com>

When manually adding users from an OpenID realm, the API checks
whether the realm exists, so at least a dummy implementation is needed
here.

Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=7182
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 server/src/auth/mod.rs | 61 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 11 deletions(-)

diff --git a/server/src/auth/mod.rs b/server/src/auth/mod.rs
index 82425e8..312ed72 100644
--- a/server/src/auth/mod.rs
+++ b/server/src/auth/mod.rs
@@ -16,10 +16,10 @@ use proxmox_auth_api::types::Authid;
 use proxmox_auth_api::{HMACKey, Keyring};
 use proxmox_ldap::types::{AdRealmConfig, LdapRealmConfig};
 use proxmox_rest_server::AuthError;
-use proxmox_router::UserInformation;
+use proxmox_router::{http_bail, UserInformation};
 use proxmox_tfa::api::{OpenUserChallengeData, TfaConfig};
 
-use pdm_api_types::{RealmRef, Userid};
+use pdm_api_types::{OpenIdRealmConfig, RealmRef, Userid, UsernameRef};
 
 pub mod certs;
 pub mod csrf;
@@ -189,17 +189,17 @@ pub(crate) fn lookup_authenticator(
             lock_filename: pdm_buildcfg::configdir!("/access/shadow.json.lock"),
         })),
         realm => {
-            if let Ok((domains, _digest)) = pdm_config::domains::config() {
-                if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
-                    return Ok(Box::new(LdapAuthenticator::new(config)));
-                }
+            let (domains, _digest) = pdm_config::domains::config()?;
 
-                if let Ok(config) = domains.lookup::<AdRealmConfig>("ad", realm) {
-                    return Ok(Box::new(AdAuthenticator::new(config)));
-                }
+            if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
+                Ok(Box::new(LdapAuthenticator::new(config)))
+            } else if let Ok(config) = domains.lookup::<AdRealmConfig>("ad", realm) {
+                Ok(Box::new(AdAuthenticator::new(config)))
+            } else if domains.lookup::<OpenIdRealmConfig>("openid", realm).is_ok() {
+                Ok(Box::new(OpenIdAuthenticator()))
+            } else {
+                bail!("unknwon realm {realm}");
             }
-
-            bail!("unknwon realm {realm}");
         }
     }
 }
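Review bot: The error message on the new `else` branch carries over the typo from the removed line; `bail!("unknwon realm {realm}");` should read `bail!("unknown realm {realm}");`. Replacing the `if let Ok(...)` around `pdm_config::domains::config()` with `?` also changes behaviour: a failure to read or parse the domains config now propagates as that error instead of falling through to the "unknown realm" bail, which looks intended but deserves a sentence in the commit message, since the error text presumably ends up with whoever called lookup_authenticator. The signature of lookup_authenticator and its earlier match arms are outside the hunk.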
@@ -234,3 +234,42 @@ impl LockedTfaConfig for PdmLockedTfaConfig {
         tfa::write(&self.config)
     }
 }
+
+struct OpenIdAuthenticator();
+/// When a user is manually added, the lookup_authenticator is called to verify that
+/// the realm exists. Thus, it is necessary to have an (empty) implementation for
+/// OpendID as well.
+impl Authenticator for OpenIdAuthenticator {
+    fn authenticate_user<'a>(
+        &'a self,
+        _username: &'a UsernameRef,
+        _password: &'a str,
+        _client_ip: Option<&'a IpAddr>,
+    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+        Box::pin(async move {
+            http_bail!(
+                NOT_IMPLEMENTED,
+                "password authentication is not implemented for OpenID realms"
+            );
+        })
+    }
+
+    fn store_password(
+        &self,
+        _username: &UsernameRef,
+        _password: &str,
+        _client_ip: Option<&IpAddr>,
+    ) -> Result<(), Error> {
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "storing passwords is not implemented for OpenID realms"
+        );
+    }
+
+    fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "storing passwords is not implemented for OpenID realms"
+        );
+    }
+}
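Review bot: remove_password reuses store_password's message verbatim, `http_bail!(NOT_IMPLEMENTED, "storing passwords is not implemented for OpenID realms")`, which will mislead anyone reading the error; it should say `"removing passwords is not implemented for OpenID realms"`. The doc comment explaining why this dummy exists sits between `struct OpenIdAuthenticator();` and the `impl` block, so rustdoc attaches it to the trait impl rather than the type; moving it above the struct and using a unit struct (`struct OpenIdAuthenticator;`, constructed as plain `OpenIdAuthenticator` in lookup_authenticator) would be the conventional form. Rejecting password logins with NOT_IMPLEMENTED is the safe default for a realm that only supports the OpenID flow, and a short comment on authenticate_user such as `// OpenID users must log in via the OpenID flow; password auth is deliberately rejected.` would make that intent explicit rather than leaving it to the error string.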
-- 
2.47.3




