From: Lukas Wagner
To: pbs-devel@lists.proxmox.com
Date: Tue, 3 Jan 2023 15:22:51 +0100
Message-Id: <20230103142308.656240-1-l.wagner@proxmox.com>
X-Mailer: git-send-email 2.30.2
Subject: [pbs-devel] [PATCH-SERIES proxmox-{backup, widget-toolkit} 00/17] add LDAP realm support

This patch series adds support for adding LDAP realms, including user sync.

The configuration scheme in `pbs-api-types` is based on the one from PVE,
with some slight differences:

  * consistent use of kebab-case for properties
  * only support `mode` instead of the deprecated `secure` property
  * `certificate-path` is used to directly point to a root CA that should be
    trusted, in addition to the default ones in `/etc/ssl/certs`. In PVE, the
    `capath` parameter is a directory that replaces the default of
    `/etc/ssl/certs`.

The GUI is mostly based on the implementation from PVE, with some slight
adaptations - for details, please refer to the commit messages. The GUI
components were added to the widget-toolkit repo; at some point PVE could be
adapted to use the same implementation as PBS.

The patches require the `ldap3` and `lber` crates (the latter a dependency of
ldap3, contained in the same repo) to be packaged. Packaging should hopefully
be unproblematic - some dependencies of ldap3/lber need to be patched to a
lower version though, or, alternatively, newer versions of the dependencies
need to be packaged.

In this version of this patch series, we depend on `ldap3` v0.11-beta1. v0.11
is a direct response to my inquiry to upstream to update the `nom` dependency
to a more recent version, so we don't have to pull in a second version of
`nom` into our graph of dependencies. I hope upstream will release v0.11 soon.
The implementation was tested against the following LDAP servers:

  * slapd 2.5.13 on Ubuntu Server 22.04 (LDAP, LDAPS, STARTTLS)
  * Windows Server 2022 Active Directory (LDAP)
  * glauth 2.1.0 (LDAP, LDAPS)

Some notes for patch reviewers/testers:

  * For testing of this patch series before both aforementioned crates are
    packaged, I've created a fork of ldap3 at
    https://github.com/lwagner94/ldap3
    The fork can be cloned and added as a local override in Cargo.toml to make
    the project compile, e.g.

        ldap3 = { path = "../ldap3" }

    The fork is based on `0.11-beta1`, and has its dependencies patched so
    that it is compatible with our package versions.

  * I can recommend `glauth` for testing: It is an LDAP server implementation
    in a statically-compiled Go binary that can be configured using a single,
    simple to understand configuration file. I can share my config if needed.

Note: This patch series includes a cherry-picked commit from Hannes' series
from https://lists.proxmox.com/pipermail/pbs-devel/2022-December/005774.html .
The functionality was needed for user sync.
proxmox-backup:

Hannes Laimer (1):
  pbs-config: add delete_authid to ACL-tree

Lukas Wagner (12):
  ui: add 'realm' field in user edit
  api-types: add LDAP configuration type
  api: add routes for managing LDAP realms
  auth: add LDAP module
  auth: add LDAP realm authenticator
  api-types: add config options for LDAP user sync
  server: add LDAP realm sync job
  manager: add LDAP commands
  manager: add sync command for LDAP realms
  docs: add configuration file reference for domains.cfg
  docs: add documentation for LDAP realms
  auth ldap: add `certificate-path` option

 Cargo.toml                             |   4 +
 docs/Makefile                          |   6 +-
 docs/command-syntax.rst                |   1 +
 docs/conf.py                           |   1 +
 docs/config/domains/format.rst         |  27 ++
 docs/config/domains/man5.rst           |  21 ++
 docs/configuration-files.rst           |  16 +
 docs/user-management.rst               |  58 +++
 pbs-api-types/src/ldap.rs              | 196 +++++++++++
 pbs-api-types/src/lib.rs               |   5 +
 pbs-api-types/src/user.rs              |   2 +-
 pbs-config/src/acl.rs                  |  71 ++++
 pbs-config/src/domains.rs              |  28 +-
 src/api2/access/domain.rs              |  85 ++++-
 src/api2/config/access/ldap.rs         | 353 +++++++++++++++++++
 src/api2/config/access/mod.rs          |   7 +-
 src/auth.rs                            |  72 +++-
 src/auth_helpers.rs                    |  51 +++
 src/bin/docgen.rs                      |   1 +
 src/bin/proxmox-backup-manager.rs      |   1 +
 src/bin/proxmox_backup_manager/ldap.rs | 178 ++++++++++
 src/bin/proxmox_backup_manager/mod.rs  |   2 +
 src/server/ldap.rs                     | 348 ++++++++++++++++++
 src/server/mod.rs                      |   5 +
 src/server/realm_sync_job.rs           | 469 +++++++++++++++++++++++++
 www/OnlineHelpInfo.js                  |   8 +
 www/Utils.js                           |   4 +-
 www/window/UserEdit.js                 |  95 ++++-
 28 files changed, 2085 insertions(+), 30 deletions(-)
 create mode 100644 docs/config/domains/format.rst
 create mode 100644 docs/config/domains/man5.rst
 create mode 100644 pbs-api-types/src/ldap.rs
 create mode 100644 src/api2/config/access/ldap.rs
 create mode 100644 src/bin/proxmox_backup_manager/ldap.rs
 create mode 100644 src/server/ldap.rs
 create mode 100644 src/server/realm_sync_job.rs

proxmox-widget-toolkit:

Lukas Wagner (4):
  auth ui: add LDAP realm edit panel
  auth ui: add LDAP sync UI
  auth ui: add `onlineHelp` for AuthEditLDAP
  auth ui: add `firstname` and `lastname` sync-attribute fields

 src/Makefile               |   2 +
 src/Schema.js              |  12 ++
 src/panel/AuthView.js      |  24 +++
 src/window/AuthEditLDAP.js | 367 +++++++++++++++++++++++++++++++++++++
 src/window/SyncWindow.js   | 192 +++++++++++++++++++
 5 files changed, 597 insertions(+)
 create mode 100644 src/window/AuthEditLDAP.js
 create mode 100644 src/window/SyncWindow.js

-- 
2.30.2
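The cover letter's one security-relevant design point is the trust model of `certificate-path`: the realm's root CA is trusted in addition to the system store in `/etc/ssl/certs`, not instead of it as PVE's `capath` directory is, and `mode` decides whether the bind happens over LDAPS, STARTTLS or plain LDAP. The following pre-flight check reproduces exactly that trust model with `openssl s_client` so a tester can confirm a realm's certificate chain validates before configuring it. It is an added example, not code from this series or from Proxmox; it assumes the PVE `mode` values `ldap`, `ldaps` and `ldap+starttls` carry over to PBS, an OpenSSL 1.1.1 or newer (`-starttls ldap`), and uses the placeholder host `ldap.example.com` and CA file `/etc/pbs/ldap-root-ca.pem`.

```shell
#!/bin/sh
# Added example, not part of the patch series or of Proxmox Backup Server.
# Pre-flight check of an LDAP realm's TLS trust: like the series'
# `certificate-path`, the realm CA file is trusted *in addition to*
# /etc/ssl/certs, not instead of it. Assumptions: OpenSSL >= 1.1.1 (for
# `-starttls ldap`) and the PVE mode values ldap / ldaps / ldap+starttls.
set -e

# Map the realm `mode` to "<port> <transport>". Plain `ldap` has no TLS to verify.
ldap_transport_for_mode() {
    case "$1" in
        ldaps)         printf '636 tls\n' ;;
        ldap+starttls) printf '389 starttls\n' ;;
        ldap)          printf '389 plaintext\n' ;;
        *)             printf 'unknown mode: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Build the `openssl s_client` arguments that reproduce the trust semantics:
# `-CApath /etc/ssl/certs` keeps the system store, `-CAfile <certificate-path>`
# adds the realm's root CA on top of it (PVE's `capath` would instead be a lone
# `-CApath <dir>`). Returns 2 and warns for plain `ldap`, where the bind
# password would cross the wire in cleartext.
openssl_verify_args() {
    host=$1; mode=$2; cert_path=${3:-}
    transport=$(ldap_transport_for_mode "$mode") || return 1
    set -- $transport
    port=$1; kind=$2
    if [ "$kind" = plaintext ]; then
        printf 'mode ldap uses no TLS: bind credentials travel in cleartext\n' >&2
        return 2
    fi
    args="-connect $host:$port -servername $host -verify_return_error -CApath /etc/ssl/certs"
    [ "$kind" != starttls ] || args="$args -starttls ldap"
    [ -z "$cert_path" ] || args="$args -CAfile $cert_path"
    printf '%s\n' "$args"
}

# Run the handshake; the exit status is openssl's verification result, so a
# server chain not anchored in the system store plus `certificate-path` fails.
check_ldap_tls() {
    args=$(openssl_verify_args "$@") || return $?
    # shellcheck disable=SC2086  # word splitting of $args is intended
    openssl s_client $args </dev/null >/dev/null 2>&1
}

# Usage (placeholder host and CA path):
#   check_ldap_tls ldap.example.com ldaps /etc/pbs/ldap-root-ca.pem && echo "chain OK"
#   check_ldap_tls ldap.example.com ldap+starttls /etc/pbs/ldap-root-ca.pem
```

Running the check without the third argument verifies against the system store only, which is what a realm without `certificate-path` gets; a chain that only passes when the file is supplied is signed by a private CA and the realm must carry that file, otherwise the bind will fail at TLS setup rather than at authentication.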