From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <l.wagner@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 23B5093114
 for <pbs-devel@lists.proxmox.com>; Tue,  3 Jan 2023 15:23:26 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 0C542BDF9
 for <pbs-devel@lists.proxmox.com>; Tue,  3 Jan 2023 15:23:26 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pbs-devel@lists.proxmox.com>; Tue,  3 Jan 2023 15:23:24 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id B45AF443F9
 for <pbs-devel@lists.proxmox.com>; Tue,  3 Jan 2023 15:23:24 +0100 (CET)
From: Lukas Wagner <l.wagner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Tue,  3 Jan 2023 15:23:04 +0100
Message-Id: <20230103142308.656240-14-l.wagner@proxmox.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230103142308.656240-1-l.wagner@proxmox.com>
References: <20230103142308.656240-1-l.wagner@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.174 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [auth.rs, ldap.rs]
Subject: [pbs-devel] [PATCH proxmox-backup 13/17] auth ldap: add
 `certificate-path` option
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2023 14:23:26 -0000

This allows adding a custom root CA for TLS-encrypted
LDAP connections.

Note: this commit adds a direct depedencency to
the `native-tls` crate, on which we already dependeded
transitively.

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
 Cargo.toml                |  2 ++
 pbs-api-types/src/ldap.rs |  5 +++++
 src/auth.rs               |  7 +++++++
 src/server/ldap.rs        | 15 +++++++++++++--
 4 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index c9f1f185..7837bf39 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -122,6 +122,7 @@ ldap3 = { version = "0.11.0-beta.1", default_features=false, features=["tls"]}
 libc = "0.2"
 log = "0.4.17"
 nix = "0.24"
+native-tls = "0.2.8"
 nom = "7"
 num-traits = "0.2"
 once_cell = "1.3.1"
@@ -174,6 +175,7 @@ ldap3.workspace = true
 libc.workspace = true
 log.workspace = true
 nix.workspace = true
+native-tls.workspace = true
 nom.workspace = true
 num-traits.workspace = true
 once_cell.workspace = true
diff --git a/pbs-api-types/src/ldap.rs b/pbs-api-types/src/ldap.rs
index 672c81cd..99196c04 100644
--- a/pbs-api-types/src/ldap.rs
+++ b/pbs-api-types/src/ldap.rs
@@ -74,6 +74,11 @@ pub struct LdapRealmConfig {
     /// Verify server certificate
     #[serde(skip_serializing_if = "Option::is_none")]
     pub verify: Option<bool>,
+    /// CA certificate to use for the server. If set,
+    /// the certificate stored at the given path will
+    /// be added to the set of trusted root CAs.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub certificate_path: Option<String>,
     /// Bind domain to use for looking up users
     #[serde(skip_serializing_if = "Option::is_none")]
     pub bind_dn: Option<String>,
diff --git a/src/auth.rs b/src/auth.rs
index 101bec0e..46d6c56c 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -185,6 +185,12 @@ pub fn ldap_api_type_to_ldap_config(config: &LdapRealmConfig) -> Result<LdapConf
         LdapMode::Ldaps => LdapConnectionMode::Ldaps,
     };
 
+    let root_certificate = if let Some(path) = config.certificate_path.as_ref() {
+        Some(proxmox_sys::fs::file_read_string(path)?)
+    } else {
+        None
+    };
+
     Ok(LdapConfig {
         servers,
         port: config.port,
@@ -194,5 +200,6 @@ pub fn ldap_api_type_to_ldap_config(config: &LdapRealmConfig) -> Result<LdapConf
         bind_password: auth_helpers::get_ldap_bind_password(&config.realm)?,
         tls_mode,
         verify_certificate: config.verify.unwrap_or_default(),
+        root_certificate_pem: root_certificate,
     })
 }
diff --git a/src/server/ldap.rs b/src/server/ldap.rs
index 2e218cf6..8cc35181 100644
--- a/src/server/ldap.rs
+++ b/src/server/ldap.rs
@@ -5,6 +5,7 @@ use ldap3::{
     adapters::{Adapter, EntriesOnly, PagedResults},
     Ldap, LdapConnAsync, LdapConnSettings, LdapResult, Scope, SearchEntry,
 };
+use native_tls::{Certificate, TlsConnector};
 
 #[derive(PartialEq, Eq, Clone, Copy)]
 /// LDAP connection security
@@ -36,6 +37,8 @@ pub struct LdapConfig {
     pub tls_mode: LdapConnectionMode,
     /// Verify the server's TLS certificate
     pub verify_certificate: bool,
+    /// Custom TLS root certificiate
+    pub root_certificate_pem: Option<String>,
 }
 
 pub struct LdapConnection {
@@ -163,11 +166,19 @@ impl LdapConnection {
     async fn try_connect(&self, url: &str) -> Result<(LdapConnAsync, Ldap), Error> {
         let starttls = self.config.tls_mode == LdapConnectionMode::StartTls;
 
+        let mut connector_builder = TlsConnector::builder();
+        connector_builder.danger_accept_invalid_certs(!self.config.verify_certificate);
+
+        if let Some(certificate) = self.config.root_certificate_pem.as_deref() {
+            let cert = Certificate::from_pem(certificate.as_bytes())?;
+            connector_builder.add_root_certificate(cert);
+        }
+
         LdapConnAsync::with_settings(
             LdapConnSettings::new()
-                .set_no_tls_verify(!self.config.verify_certificate)
                 .set_starttls(starttls)
-                .set_conn_timeout(Self::LDAP_CONNECTION_TIMEOUT),
+                .set_conn_timeout(Self::LDAP_CONNECTION_TIMEOUT)
+                .set_connector(connector_builder.build()?),
             url,
         )
         .await
-- 
2.30.2