From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <s.sterz@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id ED08099AF
 for <pbs-devel@lists.proxmox.com>; Mon, 26 Jun 2023 11:39:58 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id CB48025E13
 for <pbs-devel@lists.proxmox.com>; Mon, 26 Jun 2023 11:39:28 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pbs-devel@lists.proxmox.com>; Mon, 26 Jun 2023 11:39:28 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id E8B0443D16
 for <pbs-devel@lists.proxmox.com>; Mon, 26 Jun 2023 11:39:27 +0200 (CEST)
From: Stefan Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Mon, 26 Jun 2023 11:39:14 +0200
Message-Id: <20230626093916.701659-3-s.sterz@proxmox.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230626093916.701659-1-s.sterz@proxmox.com>
References: <20230626093916.701659-1-s.sterz@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.095 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
Subject: [pbs-devel] [PATCH proxmox 2/4] ldap: add check_connection function
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 26 Jun 2023 09:39:59 -0000

this function checks if a given connection could work. it uses the
current config to connect to an ldap directory and perform a search
with the provided base_dn. this enables us to verify a connection
before storing it in a more meaningful way than with a regex.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
---
 proxmox-ldap/src/lib.rs | 50 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/proxmox-ldap/src/lib.rs b/proxmox-ldap/src/lib.rs
index cdc4c9d..c47870d 100644
--- a/proxmox-ldap/src/lib.rs
+++ b/proxmox-ldap/src/lib.rs
@@ -6,7 +6,7 @@ use std::{
     time::Duration,
 };
 
-use anyhow::{bail, format_err, Error};
+use anyhow::{bail, format_err, Context, Error};
 use ldap3::adapters::{Adapter, EntriesOnly, PagedResults};
 use ldap3::{Ldap, LdapConnAsync, LdapConnSettings, LdapResult, Scope, SearchEntry};
 use native_tls::{Certificate, TlsConnector, TlsConnectorBuilder};
@@ -158,6 +158,54 @@ impl Connection {
         Ok(results)
     }
 
+    /// Helper to check if a connection with the current configuration is possible.
+    ///
+    /// This performs a search with the current configuration. If the search succeeds `Ok(()) is
+    /// returned, otherwise an `Error` is returned.
+    pub async fn check_connection(&self) -> Result<(), Error> {
+        let mut ldap = self.create_connection().await?;
+
+        if let Some(bind_dn) = self.config.bind_dn.as_deref() {
+            let password = self
+                .config
+                .bind_password
+                .as_deref()
+                .ok_or_else(|| format_err!("Missing bind password for {bind_dn}"))?;
+
+            let _: LdapResult = ldap
+                .simple_bind(bind_dn, password)
+                .await?
+                .success()
+                .context("LDAP bind failed, bind_dn or password could be incorrect")?;
+
+            let (_, _) = ldap
+                .search(
+                    &self.config.base_dn,
+                    Scope::Subtree,
+                    "(objectClass=*)",
+                    vec!["*"],
+                )
+                .await?
+                .success()
+                .context("Could not search LDAP realm, base_dn could be incorrect")?;
+
+            let _: Result<(), _> = ldap.unbind().await; // ignore errors, search succeeded already
+        } else {
+            let (_, _) = ldap
+                .search(
+                    &self.config.base_dn,
+                    Scope::Subtree,
+                    "(objectClass=*)",
+                    vec!["*"],
+                )
+                .await?
+                .success()
+                .context("Could not search LDAP realm, base_dn could be incorrect")?;
+        }
+
+        Ok(())
+    }
+
     /// Retrive port from LDAP configuration, otherwise use the correct default
     fn port_from_config(&self) -> u16 {
         self.config.port.unwrap_or_else(|| {
-- 
2.39.2