From: Christoph Heiss <c.heiss@proxmox.com>
To: Friedrich Weber <f.weber@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH common/access-control 0/5] improve LDAP DN and bind creds checking on creation/change
Date: Thu, 20 Jul 2023 15:30:20 +0200
Message-ID: <o4oc27xoom4vhpitmsqio2xaju3yuygxny6sojw5367yqg7clf@m3zwc7khwx5w>
In-Reply-To: <7e04b1df-0c19-f44c-bfaa-66d35890602d@proxmox.com>


Thanks for taking a look and testing this!

On Thu, Jul 20, 2023 at 02:42:10PM +0200, Friedrich Weber wrote:
>
> Tested against slapd 2.4.47+dfsg-3+deb10u6. I quite like the connection
> check when creating/updating the realm, and also, it seems sensible to
> delegate DN validation to Net::LDAP.
>
> I noticed one bug: Weirdly, updating the realm via CLI or manually via
> API now errors out for me (the connection details are correct):
I only tested it via the UI, definitely a good catch.

>
> $ cat /etc/pve/domains.cfg
> pam: pam
> 	comment Linux PAM standard authentication
>
> pve: pve
> 	comment Proxmox VE authentication server
> 	default 0
>
> ldap: ldap
> 	comment foo
> 	base_dn dc=example,dc=com
> 	server1 [...]
> 	user_attr uid
> 	bind_dn cn=admin,dc=example,dc=com
> 	default 0
> 	secure 0
>
> $ pveum realm modify ldap -comment foo
> update auth server failed: Expected 'PeerHost' at
> /usr/share/perl5/Net/LDAP.pm line 173.
Weird. That error doesn't really match up with anything on my machine in
that file - what version of the `libnet-ldap-perl` package do
you have installed exactly?

I cannot seem to reproduce that error on my machine; both
`pveum` and `pvesh` work just fine for me.

>
> $ http --verify no PUT
> 'https://[...]:8006/api2/json/access/domains/ldap' comment=foo [...]
> HTTP/1.1 500 update auth server failed: Expected 'PeerHost' at
> /usr/share/perl5/Net/LDAP.pm line 173.
>
> On 19/07/2023 17:51, Christoph Heiss wrote:
> [..]


Thread overview: 8+ messages
2023-07-19 15:51 Christoph Heiss
2023-07-19 15:51 ` [pve-devel] [PATCH common 1/5] schema: add `ldap-dn` format for validating LDAP distinguished names Christoph Heiss
2023-07-19 15:51 ` [pve-devel] [PATCH common 2/5] test: add test cases for new 'ldap-dn' schema format Christoph Heiss
2023-07-19 15:51 ` [pve-devel] [PATCH common 3/5] ldap: handle errors explicitly everywhere instead of simply `die`ing Christoph Heiss
2023-07-19 15:51 ` [pve-devel] [PATCH access-control 4/5] ldap: validate LDAP DNs using the `ldap-dn` schema format Christoph Heiss
2023-07-19 15:51 ` [pve-devel] [PATCH access-control 5/5] ldap: check bind credentials with LDAP directory directly on change Christoph Heiss
2023-07-20 12:42 ` [pve-devel] [PATCH common/access-control 0/5] improve LDAP DN and bind creds checking on creation/change Friedrich Weber
2023-07-20 13:30   ` Christoph Heiss [this message]