public inbox for pbs-devel@lists.proxmox.com
* [pbs-devel] [PATCH v4 proxmox-widget-toolkit 0/5] add LDAP realm support UI
From: Lukas Wagner @ 2023-02-14 13:26 UTC (permalink / raw)
  To: pbs-devel

This patch series adds support for adding LDAP realms, including user sync.

The GUI is mostly based on the implementation from PVE, with some slight
adaptations - for details, please refer to the commit messages.
The GUI components were added to the widget-toolkit repo, at some point PVE
could be adapted to use the same implementation as PBS.

Changes v3 --> v4:
  * Only include the widget-toolkit patches, since the rest has already been
    applied.
  * use the `let me = this` pattern in the sync ui - strictly it is not needed,
    but it may prevent errors if the code is ever modified.
  * Fix bug reported by Friedrich [1], where a particular combination of
    attributes could trigger a `value not defined in enumeration` error

Changes v2 --> v3:
  * Dropped the `Ldap` prefix for structs from the `proxmox-ldap` crate
  * minor clippy fixes
  * added an `OpenIdAuthenticator` that dummy-implements
    `ProxmoxAuthenticator` - otherwise, manually adding users to
    OpenId realms does not work
  * Changed the naming of the different authenticators in `auth.rs`
    e.g PAM --> PamAuthenticator, LDAP --> LdapAuthenticator
    This allows us to drop some clippy-allow directives

Changes v1 --> v2:
  * add pbs_config::exists helper function
  * Remove now unused `password` field from `LdapRealmConfig`, add
    additional password parameter to routes which need it
  * Only log a warning instead of failing completely when removing a
    stored password does not work
  * Proper naming for `DeleteableProperty` struct
  * Document that the domain config lock must be held when
    the LDAP password helper functions are called.
    Also added a &BackupLockGuard as a parameter, to make sure that
    at least *something* is locked.
  * moved `handle_worker` function to the `proxmox_rest_server` crate,
    so that it is usable for both, the LDAP management CLI and the debug
    CLI.
  * Made user authentication async,
   `ProxmoxAuthenticator::authenticate_user` now returns a boxed future
  * Promoted `src/server/ldap.rs` to be its own crate - this will be
    useful when PVE uses the same LDAP implementation via perlmod one
    day.


[1] https://lists.proxmox.com/pipermail/pbs-devel/2023-February/005938.html

Lukas Wagner (5):
  auth ui: add LDAP realm edit panel
  auth ui: add LDAP sync UI
  auth ui: add `onlineHelp` for AuthEditLDAP
  auth ui: add `firstname` and `lastname` sync-attribute fields
  auth ui: fix `value not defined in enumeration` error

 src/Makefile               |   2 +
 src/Schema.js              |  12 ++
 src/panel/AuthView.js      |  24 +++
 src/window/AuthEditLDAP.js | 376 +++++++++++++++++++++++++++++++++++++
 src/window/SyncWindow.js   | 192 +++++++++++++++++++
 5 files changed, 606 insertions(+)
 create mode 100644 src/window/AuthEditLDAP.js
 create mode 100644 src/window/SyncWindow.js

-- 
2.30.2






* [pbs-devel] [PATCH v4 proxmox-widget-toolkit 1/5] auth ui: add LDAP realm edit panel
From: Lukas Wagner @ 2023-02-14 13:26 UTC (permalink / raw)
  To: pbs-devel

The panel was mostly taken from PVE, but altered slightly:
  - bind-dn and bind-password are displayed under "General"
    and not under "Sync". For some servers, we need to be bound
    to lookup a user's domain from a given user id attribute.
    In PVE, the bind-dn and bind-password fields are under
    "Sync", which is a bit confusing if a user is not interested
    in automatic user syncing.

  - There is an 'anonymous search' checkbox. The value is not persisted
    in the configuration, it merely enables/disables the
    bind-dn and bind-password fields to make their intent a bit more
    clear.

  - Instead of a 'secure' checkbox, a combobox for TLS mode is shown.
    This way users can select between LDAP, STARTTLS and LDAPS.
    In PVE, the 'secure' config parameter is deprecated anyway, so
    I took the opportunity to replace it with the 'mode' parameter
    as described.

  - Parameters now consistently use kebab-case for naming. If
    PVE is modified to use the same panel, some sort of adapter
    will be needed.

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
 src/Makefile               |   1 +
 src/Schema.js              |   8 ++
 src/window/AuthEditLDAP.js | 194 +++++++++++++++++++++++++++++++++++++
 3 files changed, 203 insertions(+)
 create mode 100644 src/window/AuthEditLDAP.js

diff --git a/src/Makefile b/src/Makefile
index 95da5aa..a24ae43 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -83,6 +83,7 @@ JSSRC=					\
 	window/FileBrowser.js		\
 	window/AuthEditBase.js		\
 	window/AuthEditOpenId.js	\
+	window/AuthEditLDAP.js		\
 	window/TfaWindow.js		\
 	window/AddTfaRecovery.js	\
 	window/AddTotp.js		\
diff --git a/src/Schema.js b/src/Schema.js
index d414845..372af89 100644
--- a/src/Schema.js
+++ b/src/Schema.js
@@ -17,6 +17,14 @@ Ext.define('Proxmox.Schema', { // a singleton
 	    pwchange: false,
 	    iconCls: 'pmx-itype-icon-openid-logo',
 	},
+	ldap: {
+	    name: gettext('LDAP Server'),
+	    ipanel: 'pmxAuthLDAPPanel',
+	    add: true,
+	    edit: true,
+	    tfa: true,
+	    pwchange: false,
+	},
     },
     // to add or change existing for product specific ones
     overrideAuthDomains: function(extra) {
diff --git a/src/window/AuthEditLDAP.js b/src/window/AuthEditLDAP.js
new file mode 100644
index 0000000..a44c536
--- /dev/null
+++ b/src/window/AuthEditLDAP.js
@@ -0,0 +1,194 @@
+
+Ext.define('Proxmox.panel.LDAPInputPanelViewModel', {
+    extend: 'Ext.app.ViewModel',
+
+    alias: 'viewmodel.pmxAuthLDAPPanel',
+
+    data: {
+	mode: 'ldap',
+	anonymous_search: 1,
+    },
+
+    formulas: {
+	tls_enabled: function(get) {
+	    return get('mode') !== 'ldap';
+	},
+    },
+
+});
+
+
+Ext.define('Proxmox.panel.LDAPInputPanel', {
+    extend: 'Proxmox.panel.InputPanel',
+    xtype: 'pmxAuthLDAPPanel',
+    mixins: ['Proxmox.Mixin.CBind'],
+
+    viewModel: {
+	type: 'pmxAuthLDAPPanel',
+    },
+
+    type: 'ldap',
+
+    onGetValues: function(values) {
+	if (this.isCreate) {
+	    values.type = this.type;
+	}
+
+	if (values.anonymous_search) {
+	    if (!values.delete) {
+		values.delete = [];
+	    }
+
+	    if (!Array.isArray(values.delete)) {
+		let tmp = values.delete;
+		values.delete = [];
+		values.delete.push(tmp);
+	    }
+
+	    values.delete.push("bind-dn");
+	    values.delete.push("password");
+	}
+
+	delete values.anonymous_search;
+
+	return values;
+    },
+
+    onSetValues: function(values) {
+	values.anonymous_search = values["bind-dn"] ? 0 : 1;
+
+	return values;
+    },
+
+
+    column1: [
+	{
+	    xtype: 'pmxDisplayEditField',
+	    name: 'realm',
+	    cbind: {
+		value: '{realm}',
+		editable: '{isCreate}',
+	    },
+	    fieldLabel: gettext('Realm'),
+	    allowBlank: false,
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    fieldLabel: gettext('Base Domain Name'),
+	    name: 'base-dn',
+	    allowBlank: false,
+	    emptyText: 'cn=Users,dc=company,dc=net',
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    fieldLabel: gettext('User Attribute Name'),
+	    name: 'user-attr',
+	    allowBlank: false,
+	    emptyText: 'uid / sAMAccountName',
+	},
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Anonymous Search'),
+	    name: 'anonymous_search',
+	    bind: '{anonymous_search}',
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    fieldLabel: gettext('Bind Domain Name'),
+	    name: 'bind-dn',
+	    allowBlank: false,
+	    emptyText: 'cn=user,dc=company,dc=net',
+	    bind: {
+		disabled: "{anonymous_search}",
+	    },
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    inputType: 'password',
+	    fieldLabel: gettext('Bind Password'),
+	    name: 'password',
+	    allowBlank: true,
+	    cbind: {
+		emptyText: get => !get('isCreate') ? gettext('Unchanged') : '',
+	    },
+	    bind: {
+		disabled: "{anonymous_search}",
+	    },
+	},
+    ],
+
+    column2: [
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'server1',
+	    fieldLabel: gettext('Server'),
+	    allowBlank: false,
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'server2',
+	    fieldLabel: gettext('Fallback Server'),
+	    submitEmpty: false,
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	},
+	{
+	    xtype: 'proxmoxintegerfield',
+	    name: 'port',
+	    fieldLabel: gettext('Port'),
+	    minValue: 1,
+	    maxValue: 65535,
+	    emptyText: gettext('Default'),
+	    submitEmptyText: false,
+	    deleteEmpty: true,
+	},
+	{
+	    xtype: 'proxmoxKVComboBox',
+	    name: 'mode',
+	    fieldLabel: gettext('Mode'),
+	    editable: false,
+	    comboItems: [
+		['ldap', 'LDAP'],
+		['ldap+starttls', 'STARTTLS'],
+		['ldaps', 'LDAPS'],
+	    ],
+	    bind: "{mode}",
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+		value: get => get('isCreate') ? 'ldap' : 'LDAP',
+	    },
+	},
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Verify Certificate'),
+	    name: 'verify',
+	    value: 0,
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+
+	    bind: {
+		disabled: '{!tls_enabled}',
+	    },
+	    autoEl: {
+		tag: 'div',
+		'data-qtip': gettext('Verify TLS certificate of the server'),
+	    },
+
+	},
+    ],
+
+    columnB: [
+	{
+	    xtype: 'textfield',
+	    name: 'comment',
+	    fieldLabel: gettext('Comment'),
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	},
+    ],
+
+});
+
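Review bot: The `verify` checkbox in column2 is created with `value: 0` and the view model starts at `mode: 'ldap'`, so a realm created with the defaults sends the bind password in plaintext, and switching to STARTTLS or LDAPS still leaves certificate verification off unless the admin ticks it. Consider defaulting `verify` to checked once `tls_enabled` is true, or showing a hint when a TLS mode is selected without verification. Separately, `onGetValues` pushes `bind-dn` and `password` onto `values.delete` whenever `anonymous_search` is set, including when `this.isCreate` is true; the sync panel in 2/5 drops `values.delete` on create with the comment "on create we cannot delete values", so the same guard seems to be needed here.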
-- 
2.30.2






* [pbs-devel] [PATCH v4 proxmox-widget-toolkit 2/5] auth ui: add LDAP sync UI
From: Lukas Wagner @ 2023-02-14 13:26 UTC (permalink / raw)
  To: pbs-devel

Taken and adapted from PVE.
Changes:
  - Removed fields that are irrelevant for PBS for now (PBS has no
    groups yet). If PVE is adapted to use the implementation from the
    widget toolkit, the fields can simply be readded and somehow
    feature-gated so that the fields are only visible/editable on PVE

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
 src/Makefile               |   1 +
 src/Schema.js              |   4 +
 src/panel/AuthView.js      |  24 +++++
 src/window/AuthEditLDAP.js | 165 +++++++++++++++++++++++++++++++
 src/window/SyncWindow.js   | 192 +++++++++++++++++++++++++++++++++++++
 5 files changed, 386 insertions(+)
 create mode 100644 src/window/SyncWindow.js

diff --git a/src/Makefile b/src/Makefile
index a24ae43..458ae93 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -91,6 +91,7 @@ JSSRC=					\
 	window/AddYubico.js		\
 	window/TfaEdit.js		\
 	window/NotesEdit.js		\
+	window/SyncWindow.js		\
 	node/APT.js			\
 	node/APTRepositories.js		\
 	node/NetworkEdit.js		\
diff --git a/src/Schema.js b/src/Schema.js
index 372af89..b247b1e 100644
--- a/src/Schema.js
+++ b/src/Schema.js
@@ -7,6 +7,7 @@ Ext.define('Proxmox.Schema', { // a singleton
 	    add: false,
 	    edit: false,
 	    pwchange: true,
+	    sync: false,
 	},
 	openid: {
 	    name: gettext('OpenID Connect Server'),
@@ -15,15 +16,18 @@ Ext.define('Proxmox.Schema', { // a singleton
 	    edit: true,
 	    tfa: false,
 	    pwchange: false,
+	    sync: false,
 	    iconCls: 'pmx-itype-icon-openid-logo',
 	},
 	ldap: {
 	    name: gettext('LDAP Server'),
 	    ipanel: 'pmxAuthLDAPPanel',
+	    syncipanel: 'pmxAuthLDAPSyncPanel',
 	    add: true,
 	    edit: true,
 	    tfa: true,
 	    pwchange: false,
+	    sync: true,
 	},
     },
     // to add or change existing for product specific ones
diff --git a/src/panel/AuthView.js b/src/panel/AuthView.js
index 69fe1a5..52b6cac 100644
--- a/src/panel/AuthView.js
+++ b/src/panel/AuthView.js
@@ -75,6 +75,23 @@ Ext.define('Proxmox.panel.AuthView', {
 	me.openEditWindow(rec.data.type, rec.data.realm);
     },
 
+    open_sync_window: function() {
+	let rec = this.getSelection()[0];
+	if (!rec) {
+	    return;
+	}
+	if (!Proxmox.Schema.authDomains[rec.data.type].sync) {
+	    return;
+	}
+	Ext.create('Proxmox.window.SyncWindow', {
+	    type: rec.data.type,
+	    realm: rec.data.realm,
+	    listeners: {
+		destroy: () => this.reload(),
+	    },
+	}).show();
+    },
+
     initComponent: function() {
 	var me = this;
 
@@ -115,6 +132,13 @@ Ext.define('Proxmox.panel.AuthView', {
 		enableFn: (rec) => Proxmox.Schema.authDomains[rec.data.type].add,
 		callback: () => me.reload(),
 	    },
+	    {
+		xtype: 'proxmoxButton',
+		text: gettext('Sync'),
+		disabled: true,
+		enableFn: (rec) => Proxmox.Schema.authDomains[rec.data.type].sync,
+		handler: () => me.open_sync_window(),
+	    },
 	];
 
 	if (me.extraButtons) {
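Review bot: The new button's `enableFn` dereferences `Proxmox.Schema.authDomains[rec.data.type].sync` without checking that the realm type has an entry in `authDomains`, so selecting a realm of a type the schema does not know would throw instead of leaving the button disabled. `authDomains[rec.data.type]?.sync` covers that case, and the same lookup in `open_sync_window` would benefit from it too. As a style point, `open_sync_window` is snake_case while the neighbouring method it sits next to is `openEditWindow`.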
diff --git a/src/window/AuthEditLDAP.js b/src/window/AuthEditLDAP.js
index a44c536..e62b514 100644
--- a/src/window/AuthEditLDAP.js
+++ b/src/window/AuthEditLDAP.js
@@ -192,3 +192,168 @@ Ext.define('Proxmox.panel.LDAPInputPanel', {
 
 });
 
+
+Ext.define('Proxmox.panel.LDAPSyncInputPanel', {
+    extend: 'Proxmox.panel.InputPanel',
+    xtype: 'pmxAuthLDAPSyncPanel',
+    mixins: ['Proxmox.Mixin.CBind'],
+
+    editableAttributes: ['email'],
+    editableDefaults: ['scope', 'enable-new'],
+    default_opts: {},
+    sync_attributes: {},
+
+    type: 'ldap',
+
+    // (de)construct the sync-attributes from the list above,
+    // not touching all others
+    onGetValues: function(values) {
+	let me = this;
+
+	me.editableDefaults.forEach((attr) => {
+	    if (values[attr]) {
+		me.default_opts[attr] = values[attr];
+		delete values[attr];
+	    } else {
+		delete me.default_opts[attr];
+	    }
+	});
+	let vanished_opts = [];
+	['acl', 'entry', 'properties'].forEach((prop) => {
+	    if (values[`remove-vanished-${prop}`]) {
+		vanished_opts.push(prop);
+	    }
+	    delete values[`remove-vanished-${prop}`];
+	});
+	me.default_opts['remove-vanished'] = vanished_opts.join(';');
+
+	values['sync-defaults-options'] = Proxmox.Utils.printPropertyString(me.default_opts);
+	me.editableAttributes.forEach((attr) => {
+	    if (values[attr]) {
+		me.sync_attributes[attr] = values[attr];
+		delete values[attr];
+	    } else {
+		delete me.sync_attributes[attr];
+	    }
+	});
+	values['sync-attributes'] = Proxmox.Utils.printPropertyString(me.sync_attributes);
+
+	Proxmox.Utils.delete_if_default(values, 'sync-defaults-options');
+	Proxmox.Utils.delete_if_default(values, 'sync-attributes');
+
+	if (me.isCreate) {
+	    delete values.delete; // on create we cannot delete values
+	}
+
+	return values;
+    },
+
+    setValues: function(values) {
+	let me = this;
+
+	if (values['sync-attributes']) {
+	    me.sync_attributes = Proxmox.Utils.parsePropertyString(values['sync-attributes']);
+	    delete values['sync-attributes'];
+	    me.editableAttributes.forEach((attr) => {
+		if (me.sync_attributes[attr]) {
+		    values[attr] = me.sync_attributes[attr];
+		}
+	    });
+	}
+	if (values['sync-defaults-options']) {
+	    me.default_opts = Proxmox.Utils.parsePropertyString(values['sync-defaults-options']);
+	    delete values.default_opts;
+	    me.editableDefaults.forEach((attr) => {
+		if (me.default_opts[attr]) {
+		    values[attr] = me.default_opts[attr];
+		}
+	    });
+
+	    if (me.default_opts['remove-vanished']) {
+		let opts = me.default_opts['remove-vanished'].split(';');
+		for (const opt of opts) {
+		    values[`remove-vanished-${opt}`] = 1;
+		}
+	    }
+	}
+	return me.callParent([values]);
+    },
+
+    column1: [
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'email',
+	    fieldLabel: gettext('E-Mail attribute'),
+	},
+	{
+	    xtype: 'displayfield',
+	    value: gettext('Default Sync Options'),
+	},
+	{
+	    xtype: 'proxmoxKVComboBox',
+	    value: '__default__',
+	    deleteEmpty: false,
+	    comboItems: [
+		[
+		    '__default__',
+		    Ext.String.format(
+			gettext("{0} ({1})"),
+			Proxmox.Utils.yesText,
+			Proxmox.Utils.defaultText,
+		    ),
+		],
+		['true', Proxmox.Utils.yesText],
+		['false', Proxmox.Utils.noText],
+	    ],
+	    name: 'enable-new',
+	    fieldLabel: gettext('Enable new users'),
+	},
+    ],
+
+    column2: [
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'user-classes',
+	    fieldLabel: gettext('User classes'),
+	    deleteEmpty: true,
+	    emptyText: 'inetorgperson, posixaccount, person, user',
+	    autoEl: {
+		tag: 'div',
+		'data-qtip': gettext('Default user classes: inetorgperson, posixaccount, person, user'),
+	    },
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'filter',
+	    fieldLabel: gettext('User Filter'),
+	    deleteEmpty: true,
+	},
+    ],
+
+    columnB: [
+	{
+	    xtype: 'fieldset',
+	    title: gettext('Remove Vanished Options'),
+	    items: [
+		{
+		    xtype: 'proxmoxcheckbox',
+		    fieldLabel: gettext('ACL'),
+		    name: 'remove-vanished-acl',
+		    boxLabel: gettext('Remove ACLs of vanished users'),
+		},
+		{
+		    xtype: 'proxmoxcheckbox',
+		    fieldLabel: gettext('Entry'),
+		    name: 'remove-vanished-entry',
+		    boxLabel: gettext('Remove vanished user'),
+		},
+		{
+		    xtype: 'proxmoxcheckbox',
+		    fieldLabel: gettext('Properties'),
+		    name: 'remove-vanished-properties',
+		    boxLabel: gettext('Remove vanished properties from synced users.'),
+		},
+	    ],
+	},
+    ],
+});
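Review bot: `default_opts: {}` and `sync_attributes: {}` are declared on the class body, so every `LDAPSyncInputPanel` instance shares the same two objects until `setValues` happens to reassign them. `onGetValues` writes into them in place (`me.default_opts[attr] = values[attr]`), so options entered for one realm can carry over into a panel opened later for a realm without stored sync options, or for a new realm. Initialise both per instance, for example in `initComponent`. Also, in `setValues`, `delete values.default_opts;` looks like it was meant to be `delete values['sync-defaults-options'];`, mirroring the `sync-attributes` branch above it, and `onGetValues` always writes `remove-vanished` even when `vanished_opts` is empty, whereas `SyncWindow.js` only sets it when `vanished_opts.length > 0`.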
diff --git a/src/window/SyncWindow.js b/src/window/SyncWindow.js
new file mode 100644
index 0000000..449782a
--- /dev/null
+++ b/src/window/SyncWindow.js
@@ -0,0 +1,192 @@
+Ext.define('Proxmox.window.SyncWindow', {
+    extend: 'Ext.window.Window',
+
+    title: gettext('Realm Sync'),
+
+    width: 600,
+    bodyPadding: 10,
+    modal: true,
+    resizable: false,
+
+    controller: {
+	xclass: 'Ext.app.ViewController',
+
+	control: {
+	    'form': {
+		validitychange: function(field, valid) {
+		    this.lookup('preview_btn').setDisabled(!valid);
+		    this.lookup('sync_btn').setDisabled(!valid);
+		},
+	    },
+	    'button': {
+		click: function(btn) {
+		    this.sync_realm(btn.reference === 'preview_btn');
+		},
+	    },
+	},
+
+	sync_realm: function(is_preview) {
+	    let view = this.getView();
+	    let ipanel = this.lookup('ipanel');
+	    let params = ipanel.getValues();
+
+	    let vanished_opts = [];
+	    ['acl', 'entry', 'properties'].forEach((prop) => {
+		if (params[`remove-vanished-${prop}`]) {
+		    vanished_opts.push(prop);
+		}
+		delete params[`remove-vanished-${prop}`];
+	    });
+	    if (vanished_opts.length > 0) {
+		params['remove-vanished'] = vanished_opts.join(';');
+	    }
+
+	    params['dry-run'] = is_preview ? 1 : 0;
+	    Proxmox.Utils.API2Request({
+		url: `/access/domains/${view.realm}/sync`,
+		waitMsgTarget: view,
+		method: 'POST',
+		params,
+		failure: (response) => {
+		    view.show();
+		    Ext.Msg.alert(gettext('Error'), response.htmlStatus);
+		},
+		success: (response) => {
+		    view.hide();
+		    Ext.create('Proxmox.window.TaskViewer', {
+			upid: response.result.data,
+			listeners: {
+			    destroy: () => {
+				if (is_preview) {
+				    view.show();
+				} else {
+				    view.close();
+				}
+			    },
+			},
+		    }).show();
+		},
+	    });
+	},
+    },
+
+    items: [
+	{
+	    xtype: 'form',
+	    reference: 'form',
+	    border: false,
+	    fieldDefaults: {
+		labelWidth: 100,
+		anchor: '100%',
+	    },
+	    items: [{
+		xtype: 'inputpanel',
+		reference: 'ipanel',
+		column1: [
+		    {
+			xtype: 'proxmoxKVComboBox',
+			value: 'true',
+			deleteEmpty: false,
+			allowBlank: false,
+			comboItems: [
+			    ['true', Proxmox.Utils.yesText],
+			    ['false', Proxmox.Utils.noText],
+			],
+			name: 'enable-new',
+			fieldLabel: gettext('Enable new'),
+		    },
+		],
+
+		column2: [
+		],
+
+		columnB: [
+		    {
+			xtype: 'fieldset',
+			title: gettext('Remove Vanished Options'),
+			items: [
+			    {
+				xtype: 'proxmoxcheckbox',
+				fieldLabel: gettext('ACL'),
+				name: 'remove-vanished-acl',
+				boxLabel: gettext('Remove ACLs of vanished users and groups.'),
+			    },
+			    {
+				xtype: 'proxmoxcheckbox',
+				fieldLabel: gettext('Entry'),
+				name: 'remove-vanished-entry',
+				boxLabel: gettext('Remove vanished user and group entries.'),
+			    },
+			    {
+				xtype: 'proxmoxcheckbox',
+				fieldLabel: gettext('Properties'),
+				name: 'remove-vanished-properties',
+				boxLabel: gettext('Remove vanished properties from synced users.'),
+			    },
+			],
+		    },
+		    {
+			xtype: 'displayfield',
+			reference: 'defaulthint',
+			value: gettext('Default sync options can be set by editing the realm.'),
+			userCls: 'pmx-hint',
+			hidden: true,
+		    },
+		],
+	    }],
+	},
+    ],
+
+    buttons: [
+	'->',
+	{
+	    text: gettext('Preview'),
+	    reference: 'preview_btn',
+	},
+	{
+	    text: gettext('Sync'),
+	    reference: 'sync_btn',
+	},
+    ],
+
+    initComponent: function() {
+	if (!this.realm) {
+	    throw "no realm defined";
+	}
+
+	if (!this.type) {
+	    throw "no realm type defined";
+	}
+
+	this.callParent();
+
+	Proxmox.Utils.API2Request({
+	    url: `/config/access/${this.type}/${this.realm}`,
+	    waitMsgTarget: this,
+	    method: 'GET',
+	    failure: (response) => {
+		Ext.Msg.alert(gettext('Error'), response.htmlStatus);
+		this.close();
+	    },
+	    success: (response) => {
+		let default_options = response.result.data['sync-defaults-options'];
+		if (default_options) {
+		    let options = Proxmox.Utils.parsePropertyString(default_options);
+		    if (options['remove-vanished']) {
+			let opts = options['remove-vanished'].split(';');
+			for (const opt of opts) {
+			    options[`remove-vanished-${opt}`] = 1;
+			}
+		    }
+		    let ipanel = this.lookup('ipanel');
+		    ipanel.setValues(options);
+		} else {
+		    this.lookup('defaulthint').setVisible(true);
+		}
+
+		// check validity for button state
+		this.lookup('form').isValid();
+	    },
+	});
+    },
+});
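Review bot: The `'button'` selector in the controller's `control` block matches every button inside the window, and the click handler treats any button whose reference is not `preview_btn` as a real sync (`params['dry-run'] = is_preview ? 1 : 0`). A button added later, or one contributed by a nested component, would start a non-dry-run sync with whatever remove-vanished options are ticked. Bind the two buttons explicitly, by reference or with a `handler` on each button config. `view.realm` is also interpolated into the request URL unescaped; wrapping it in `encodeURIComponent` would be more robust. The `boxLabel` texts here mention groups, while the commit message says PBS has no groups yet and the realm panel's labels only mention users.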
-- 
2.30.2






* [pbs-devel] [PATCH v4 proxmox-widget-toolkit 3/5] auth ui: add `onlineHelp` for AuthEditLDAP
From: Lukas Wagner @ 2023-02-14 13:26 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
 src/window/AuthEditLDAP.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/window/AuthEditLDAP.js b/src/window/AuthEditLDAP.js
index e62b514..506ba02 100644
--- a/src/window/AuthEditLDAP.js
+++ b/src/window/AuthEditLDAP.js
@@ -29,6 +29,8 @@ Ext.define('Proxmox.panel.LDAPInputPanel', {
 
     type: 'ldap',
 
+    onlineHelp: 'user-realms-ldap',
+
     onGetValues: function(values) {
 	if (this.isCreate) {
 	    values.type = this.type;
-- 
2.30.2






* [pbs-devel] [PATCH v4 proxmox-widget-toolkit 4/5] auth ui: add `firstname` and `lastname` sync-attribute fields
From: Lukas Wagner @ 2023-02-14 13:26 UTC (permalink / raw)
  To: pbs-devel

This allows the user to set up a mapping for `firstname` and `lastname`
attributes for LDAP user syncs.

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
 src/window/AuthEditLDAP.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/window/AuthEditLDAP.js b/src/window/AuthEditLDAP.js
index 506ba02..aa85c5d 100644
--- a/src/window/AuthEditLDAP.js
+++ b/src/window/AuthEditLDAP.js
@@ -200,7 +200,7 @@ Ext.define('Proxmox.panel.LDAPSyncInputPanel', {
     xtype: 'pmxAuthLDAPSyncPanel',
     mixins: ['Proxmox.Mixin.CBind'],
 
-    editableAttributes: ['email'],
+    editableAttributes: ['firstname', 'lastname', 'email'],
     editableDefaults: ['scope', 'enable-new'],
     default_opts: {},
     sync_attributes: {},
@@ -282,6 +282,16 @@ Ext.define('Proxmox.panel.LDAPSyncInputPanel', {
     },
 
     column1: [
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'firstname',
+	    fieldLabel: gettext('First Name attribute'),
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'lastname',
+	    fieldLabel: gettext('Last Name attribute'),
+	},
 	{
 	    xtype: 'proxmoxtextfield',
 	    name: 'email',
-- 
2.30.2






* [pbs-devel] [PATCH v4 proxmox-widget-toolkit 5/5] auth ui: fix `value not defined in enumeration` error
From: Lukas Wagner @ 2023-02-14 13:26 UTC (permalink / raw)
  To: pbs-devel

...when editing LDAP realm sync settings and only a single property is
empty and thus to be deleted (e.g. values.delete = "filter").

If `delete` is a simple string and not an array,
`Proxmox.Utils.delete_if_default` simply creates a comma-separated list,
(e.g. value.delete = "filter,sync-attributes").

When the properties from the other panel are evaluated and added to the
`delete` property, comma-separated list format is not considered,
leading to a final value for `delete` that could look like this:
  value.delete = {
    "server2",
    "comment",
    "filter,sync-attributes"
  }

This commit fixes this by splitting `delete` in case it is a string.

Reported-by: Friedrich Weber <f.weber@proxmox.com>
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
 src/window/AuthEditLDAP.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/window/AuthEditLDAP.js b/src/window/AuthEditLDAP.js
index aa85c5d..3e8ce88 100644
--- a/src/window/AuthEditLDAP.js
+++ b/src/window/AuthEditLDAP.js
@@ -243,6 +243,11 @@ Ext.define('Proxmox.panel.LDAPSyncInputPanel', {
 	Proxmox.Utils.delete_if_default(values, 'sync-defaults-options');
 	Proxmox.Utils.delete_if_default(values, 'sync-attributes');
 
+	// Force values.delete to be an array
+	if (typeof values.delete === 'string') {
+	   values.delete = values.delete.split(',');
+	}
+
 	if (me.isCreate) {
 	    delete values.delete; // on create we cannot delete values
 	}
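Review bot: `values.delete` is now normalised in two different ways in this file: the `split(',')` added here after the `delete_if_default` calls, and the `if (!Array.isArray(values.delete))` branch in `LDAPInputPanel.onGetValues` from 1/5, which wraps a string in an array without splitting it. Two conversions for the same field are easy to get out of step; a small shared helper that always returns a flat array, or having `Proxmox.Utils.delete_if_default` keep `delete` as an array, would address the class of bug rather than this one call site.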
-- 
2.30.2
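
The failure mode this commit message describes, worked through as an added example (not code from the patch or from widget-toolkit). `deleteIfEmpty` is a stand-in modelled on the behaviour the message attributes to `Proxmox.Utils.delete_if_default`; `mergePanels`, `normalizeDelete`, the `DELETABLE` set and the sample values are assumptions made for illustration, and `normalizeDelete` goes slightly beyond the patch by also flattening arrays that already contain comma-separated entries.

```javascript
// Added illustration; every helper here is a stand-in, not widget-toolkit code.

// Stand-in for the described behaviour of Proxmox.Utils.delete_if_default:
// an empty field is dropped from `values` and its name is recorded in
// `values.delete`. If `delete` is already a string, the name is appended
// comma-separated, which is what produces "filter,sync-attributes".
function deleteIfEmpty(values, field) {
    if (values[field] !== '' && values[field] !== undefined) {
        return;
    }
    delete values[field];
    if (Array.isArray(values.delete)) {
        values.delete.push(field);
    } else if (typeof values.delete === 'string' && values.delete !== '') {
        values.delete += ',' + field;
    } else {
        values.delete = field;
    }
}

// Normalise any shape of `delete` (undefined, single name, comma-separated
// string, array, array holding comma-separated strings) to a flat array.
function normalizeDelete(del) {
    if (del === undefined || del === null || del === '') {
        return [];
    }
    const parts = Array.isArray(del) ? del : [del];
    return parts
        .flatMap((p) => String(p).split(','))
        .map((p) => p.trim())
        .filter((p) => p !== '');
}

// Hypothetical merge of several panels' values into one request. Each
// panel's `delete` is collected into one list; `normalize` toggles the fix.
function mergePanels(panels, normalize) {
    const merged = { delete: [] };
    for (const values of panels) {
        for (const [key, val] of Object.entries(values)) {
            if (key !== 'delete') {
                merged[key] = val;
            }
        }
        if (values.delete !== undefined) {
            const entries = normalize
                ? normalizeDelete(values.delete)
                : [].concat(values.delete); // string stays one element
            merged.delete.push(...entries);
        }
    }
    return merged;
}

// Constructed enumeration of deletable property names, taken from field
// names that appear in the panels; the real server-side list is not shown
// on this page.
const DELETABLE = new Set([
    'server2', 'port', 'comment', 'bind-dn', 'password', 'mode', 'verify',
    'filter', 'user-classes', 'sync-attributes', 'sync-defaults-options',
]);

// Entries an enumeration check would reject.
function invalidDeleteEntries(list) {
    return list.filter((name) => !DELETABLE.has(name));
}

// Constructed sample: the general panel deletes two fields, the sync panel
// has an empty filter (already recorded as a string) and empty attributes.
function demo(normalize) {
    const general = { server1: 'ldap.example.test', delete: ['server2', 'comment'] };
    const sync = { 'user-classes': 'person', 'sync-attributes': '', delete: 'filter' };
    deleteIfEmpty(sync, 'sync-attributes');
    return mergePanels([general, sync], normalize);
}

console.log('without split:', demo(false).delete, invalidDeleteEntries(demo(false).delete));
console.log('with split:   ', demo(true).delete, invalidDeleteEntries(demo(true).delete));
```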






* Re: [pbs-devel] [PATCH v4 proxmox-widget-toolkit 5/5] auth ui: fix `value not defined in enumeration` error
From: Friedrich Weber @ 2023-02-15  8:10 UTC (permalink / raw)
  To: Lukas Wagner; +Cc: pbs-devel

Can confirm that the error is gone now, and the realm settings are saved 
as expected. Consider this

Tested-by: Friedrich Weber <f.weber@proxmox.com>

On 14/02/2023 14:26, Lukas Wagner wrote:
> ...when editing LDAP realm sync settings and only a single property is
> empty and thus to be deleted (e.g. values.delete = "filter").
> 
> If `delete` is a simple string and not an array,
> `Proxmox.Utils.delete_if_default` simply creates a comma-separated list,
> (e.g. value.delete = "filter,sync-attributes").
> 
> When the properties from the other panel are evaluated and added to the
> `delete` property, comma-separated list format is not considered,
> leading to a final value for `delete` that could look like this:
>    value.delete = {
>      "server2",
>      "comment",
>      "filter,sync-attributes"
>    }
> 
> This commit fixes this by splitting `delete` in case it is a string.
> 
> Reported-by: Friedrich Weber <f.weber@proxmox.com>
> Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
> ---
>   src/window/AuthEditLDAP.js | 5 +++++
>   1 file changed, 5 insertions(+)
> 
> diff --git a/src/window/AuthEditLDAP.js b/src/window/AuthEditLDAP.js
> index aa85c5d..3e8ce88 100644
> --- a/src/window/AuthEditLDAP.js
> +++ b/src/window/AuthEditLDAP.js
> @@ -243,6 +243,11 @@ Ext.define('Proxmox.panel.LDAPSyncInputPanel', {
>   	Proxmox.Utils.delete_if_default(values, 'sync-defaults-options');
>   	Proxmox.Utils.delete_if_default(values, 'sync-attributes');
>   
> +	// Force values.delete to be an array
> +	if (typeof values.delete === 'string') {
> +	   values.delete = values.delete.split(',');
> +	}
> +
>   	if (me.isCreate) {
>   	    delete values.delete; // on create we cannot delete values
>   	}
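
Review bot: The added `values.delete = values.delete.split(',');` line is indented with a tab plus three spaces, while the other block bodies in this function use a tab plus four (compare `delete values.delete;` in the `if (me.isCreate)` block right below); worth fixing before this is applied.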





* Re: [pbs-devel] [PATCH v4 proxmox-widget-toolkit 0/5] add LDAP realm support UI
From: Lukas Wagner @ 2023-03-14  8:22 UTC (permalink / raw)
  To: pbs-devel

On 2/14/23 14:26, Lukas Wagner wrote:
> This patch series adds support for adding LDAP realms, including user sync.
> 
> The GUI is mostly based on the implementation from PVE, with some slight
> adaptations - for details, please refer to the commit messages.
> The GUI components were added to the widget-toolkit repo, at some point PVE
> could be adapted to use the same implementation as PBS.
> 

Ping. The PBS parts for LDAP realm support have already been merged, so it would be nice to get
these UI patches in before the next release :) .


-- 
- Lukas



