public inbox for pbs-devel@lists.proxmox.com
From: Lukas Wagner <l.wagner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH-SERIES proxmox-{backup, widget-toolkit} 00/17] add LDAP realm support
Date: Tue,  3 Jan 2023 15:22:51 +0100
Message-ID: <20230103142308.656240-1-l.wagner@proxmox.com>

This patch series adds support for adding LDAP realms, including user sync.

The configuration scheme in `pbs-api-types` is based on the one from PVE,
with some slight differences:
  * consistent use of kebab-case for properties
  * only support `mode` instead of the deprecated `secure` property
  * `certificate-path` is used to directly point to a root CA that should be
    trusted, in addition to the default ones in `/etc/ssl/certs`.
    In PVE, the `capath` parameter is a directory that replaces the default
    of `/etc/ssl/certs`.

The GUI is mostly based on the implementation from PVE, with some slight
adaptations - for details, please refer to the commit messages.
The GUI components were added to the widget-toolkit repo; at some point PVE
could be adapted to use the same implementation as PBS.

The patches require `ldap3` and `lber` (a dependency of ldap3, contained in
the same repo) to be packaged.
Packaging should hopefully be unproblematic - some dependencies of ldap3/lber
need to be patched to a lower version though, or, alternatively, newer versions
of the dependencies need to be packaged.

In this version of this patch series, we depend on `ldap3` v0.11-beta1.
v0.11 is a direct response to my inquiry to upstream to update the `nom`
dependency to a more recent version, so we don't have to pull in a second
version of `nom` into our graph of dependencies. I hope upstream will
release v0.11 soon.

The implementation was tested against the following LDAP servers:
  * slapd 2.5.13 on Ubuntu Server 22.04 (LDAP, LDAPS, STARTTLS)
  * Windows Server 2022 Active Directory (LDAP)
  * glauth 2.1.0 (LDAP, LDAPS)

Some notes for patch reviewers/testers:
  * For testing this patch series before both aforementioned crates are
    packaged, I've created a fork of ldap3 at https://github.com/lwagner94/ldap3.
    The fork can be cloned and added as a local override in Cargo.toml to make
    the project compile, e.g.

    ldap3 = { path = "../ldap3" }

    The fork is based on `0.11-beta1`, and has
    its dependencies patched so that it is compatible with our package versions.

  * I can recommend `glauth` for testing: it is an LDAP server implementation
    in a statically-compiled Go binary that can be configured using a single,
    simple-to-understand configuration file. I can share my config if needed.


Note: This patch series includes a cherry-picked commit from Hannes' series from
https://lists.proxmox.com/pipermail/pbs-devel/2022-December/005774.html.
The functionality was needed for user sync.


proxmox-backup:

Hannes Laimer (1):
  pbs-config: add delete_authid to ACL-tree

Lukas Wagner (12):
  ui: add 'realm' field in user edit
  api-types: add LDAP configuration type
  api: add routes for managing LDAP realms
  auth: add LDAP module
  auth: add LDAP realm authenticator
  api-types: add config options for LDAP user sync
  server: add LDAP realm sync job
  manager: add LDAP commands
  manager: add sync command for LDAP realms
  docs: add configuration file reference for domains.cfg
  docs: add documentation for LDAP realms
  auth ldap: add `certificate-path` option

 Cargo.toml                             |   4 +
 docs/Makefile                          |   6 +-
 docs/command-syntax.rst                |   1 +
 docs/conf.py                           |   1 +
 docs/config/domains/format.rst         |  27 ++
 docs/config/domains/man5.rst           |  21 ++
 docs/configuration-files.rst           |  16 +
 docs/user-management.rst               |  58 +++
 pbs-api-types/src/ldap.rs              | 196 +++++++++++
 pbs-api-types/src/lib.rs               |   5 +
 pbs-api-types/src/user.rs              |   2 +-
 pbs-config/src/acl.rs                  |  71 ++++
 pbs-config/src/domains.rs              |  28 +-
 src/api2/access/domain.rs              |  85 ++++-
 src/api2/config/access/ldap.rs         | 353 +++++++++++++++++++
 src/api2/config/access/mod.rs          |   7 +-
 src/auth.rs                            |  72 +++-
 src/auth_helpers.rs                    |  51 +++
 src/bin/docgen.rs                      |   1 +
 src/bin/proxmox-backup-manager.rs      |   1 +
 src/bin/proxmox_backup_manager/ldap.rs | 178 ++++++++++
 src/bin/proxmox_backup_manager/mod.rs  |   2 +
 src/server/ldap.rs                     | 348 ++++++++++++++++++
 src/server/mod.rs                      |   5 +
 src/server/realm_sync_job.rs           | 469 +++++++++++++++++++++++++
 www/OnlineHelpInfo.js                  |   8 +
 www/Utils.js                           |   4 +-
 www/window/UserEdit.js                 |  95 ++++-
 28 files changed, 2085 insertions(+), 30 deletions(-)
 create mode 100644 docs/config/domains/format.rst
 create mode 100644 docs/config/domains/man5.rst
 create mode 100644 pbs-api-types/src/ldap.rs
 create mode 100644 src/api2/config/access/ldap.rs
 create mode 100644 src/bin/proxmox_backup_manager/ldap.rs
 create mode 100644 src/server/ldap.rs
 create mode 100644 src/server/realm_sync_job.rs

proxmox-widget-toolkit:

Lukas Wagner (4):
  auth ui: add LDAP realm edit panel
  auth ui: add LDAP sync UI
  auth ui: add `onlineHelp` for AuthEditLDAP
  auth ui: add `firstname` and `lastname` sync-attribute fields

 src/Makefile               |   2 +
 src/Schema.js              |  12 ++
 src/panel/AuthView.js      |  24 +++
 src/window/AuthEditLDAP.js | 367 +++++++++++++++++++++++++++++++++++++
 src/window/SyncWindow.js   | 192 +++++++++++++++++++
 5 files changed, 597 insertions(+)
 create mode 100644 src/window/AuthEditLDAP.js
 create mode 100644 src/window/SyncWindow.js

-- 
2.30.2