From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id B978C9535F for ; Wed, 18 Jan 2023 08:37:08 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 95E611C82F for ; Wed, 18 Jan 2023 08:37:08 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 18 Jan 2023 08:37:07 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 802884422A for ; Wed, 18 Jan 2023 08:37:07 +0100 (CET) From: Lukas Wagner To: pbs-devel@lists.proxmox.com Date: Wed, 18 Jan 2023 08:36:51 +0100 Message-Id: <20230118073702.588417-6-l.wagner@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230118073702.588417-1-l.wagner@proxmox.com> References: <20230118073702.588417-1-l.wagner@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.137 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH v2 proxmox-backup 05/16] api-types: add LDAP configuration type X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2023 07:37:08 -0000 The properties are mainly based on the ones from PVE, except: * consistent use of kebab-cases * `mode` replaces deprecated `secure` Signed-off-by: Lukas Wagner --- pbs-api-types/src/ldap.rs | 78 +++++++++++++++++++++++++++++++++++++++ pbs-api-types/src/lib.rs | 5 +++ 2 files changed, 83 insertions(+) create mode 100644 pbs-api-types/src/ldap.rs diff --git a/pbs-api-types/src/ldap.rs b/pbs-api-types/src/ldap.rs new file mode 100644 index 00000000..45c7320d --- /dev/null +++ b/pbs-api-types/src/ldap.rs @@ -0,0 +1,78 @@ +use serde::{Deserialize, Serialize}; + +use proxmox_schema::{api, Updater}; + +use super::{REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA}; + +#[api()] +#[derive(Copy, Clone, PartialEq, Eq, Serialize, Deserialize, Default)] +/// LDAP connection type +pub enum LdapMode { + /// Plaintext LDAP connection + #[serde(rename = "ldap")] + #[default] + Ldap, + /// Secure STARTTLS connection + #[serde(rename = "ldap+starttls")] + StartTls, + /// Secure LDAPS connection + #[serde(rename = "ldaps")] + Ldaps, +} + +#[api( + properties: { + "realm": { + schema: REALM_ID_SCHEMA, + }, + "comment": { + optional: true, + schema: SINGLE_LINE_COMMENT_SCHEMA, + }, + "verify": { + optional: true, + default: false, + } + }, +)] +#[derive(Serialize, Deserialize, Updater, Clone)] +#[serde(rename_all = "kebab-case")] +/// LDAP configuration properties. +pub struct LdapRealmConfig { + #[updater(skip)] + pub realm: String, + /// LDAP server address + pub server1: String, + /// Fallback LDAP server address + #[serde(skip_serializing_if = "Option::is_none")] + pub server2: Option, + /// Port + #[serde(skip_serializing_if = "Option::is_none")] + pub port: Option, + /// Base domain name. Users are searched under this domain using a `subtree search`. + pub base_dn: String, + /// Username attribute. Used to map a ``userid`` to LDAP to an LDAP ``dn``. + pub user_attr: String, + /// Comment + #[serde(skip_serializing_if = "Option::is_none")] + pub comment: Option, + /// Connection security + #[serde(skip_serializing_if = "Option::is_none")] + pub mode: Option, + /// Verify server certificate + #[serde(skip_serializing_if = "Option::is_none")] + pub verify: Option, + /// CA certificate to use for the server. The path can point to + /// either a file, or a directory. If it points to a file, + /// the PEM-formatted X.509 certificate stored at the path + /// will be added as a trusted certificate. + /// If the path points to a directory, + /// the directory replaces the system's default certificate + /// store at `/etc/ssl/certs` - Every file in the directory + /// will be loaded as a trusted certificate. + #[serde(skip_serializing_if = "Option::is_none")] + pub capath: Option, + /// Bind domain to use for looking up users + #[serde(skip_serializing_if = "Option::is_none")] + pub bind_dn: Option, +} diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs index 5e043954..0479b637 100644 --- a/pbs-api-types/src/lib.rs +++ b/pbs-api-types/src/lib.rs @@ -108,6 +108,9 @@ pub mod file_restore; mod openid; pub use openid::*; +mod ldap; +pub use ldap::*; + mod remote; pub use remote::*; @@ -502,6 +505,8 @@ pub enum RealmType { Pbs, /// An OpenID Connect realm OpenId, + /// An LDAP realm + Ldap, } #[api( -- 2.30.2