From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id ED08099AF for ; Mon, 26 Jun 2023 11:39:58 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id CB48025E13 for ; Mon, 26 Jun 2023 11:39:28 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 26 Jun 2023 11:39:28 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id E8B0443D16 for ; Mon, 26 Jun 2023 11:39:27 +0200 (CEST) From: Stefan Sterz To: pbs-devel@lists.proxmox.com Date: Mon, 26 Jun 2023 11:39:14 +0200 Message-Id: <20230626093916.701659-3-s.sterz@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230626093916.701659-1-s.sterz@proxmox.com> References: <20230626093916.701659-1-s.sterz@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.095 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pbs-devel] [PATCH proxmox 2/4] ldap: add check_connection function X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Jun 2023 09:39:59 -0000 this function checks if a given connection could work. it uses the current config to connect to an ldap directory and perform a search with the provided base_dn. this enables us to verify a connection before storing it in a more meaningful way than with a regex. Signed-off-by: Stefan Sterz --- proxmox-ldap/src/lib.rs | 50 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/proxmox-ldap/src/lib.rs b/proxmox-ldap/src/lib.rs index cdc4c9d..c47870d 100644 --- a/proxmox-ldap/src/lib.rs +++ b/proxmox-ldap/src/lib.rs @@ -6,7 +6,7 @@ use std::{ time::Duration, }; -use anyhow::{bail, format_err, Error}; +use anyhow::{bail, format_err, Context, Error}; use ldap3::adapters::{Adapter, EntriesOnly, PagedResults}; use ldap3::{Ldap, LdapConnAsync, LdapConnSettings, LdapResult, Scope, SearchEntry}; use native_tls::{Certificate, TlsConnector, TlsConnectorBuilder}; @@ -158,6 +158,54 @@ impl Connection { Ok(results) } + /// Helper to check if a connection with the current configuration is possible. + /// + /// This performs a search with the current configuration. If the search succeeds `Ok(()) is + /// returned, otherwise an `Error` is returned. + pub async fn check_connection(&self) -> Result<(), Error> { + let mut ldap = self.create_connection().await?; + + if let Some(bind_dn) = self.config.bind_dn.as_deref() { + let password = self + .config + .bind_password + .as_deref() + .ok_or_else(|| format_err!("Missing bind password for {bind_dn}"))?; + + let _: LdapResult = ldap + .simple_bind(bind_dn, password) + .await? + .success() + .context("LDAP bind failed, bind_dn or password could be incorrect")?; + + let (_, _) = ldap + .search( + &self.config.base_dn, + Scope::Subtree, + "(objectClass=*)", + vec!["*"], + ) + .await? + .success() + .context("Could not search LDAP realm, base_dn could be incorrect")?; + + let _: Result<(), _> = ldap.unbind().await; // ignore errors, search succeeded already + } else { + let (_, _) = ldap + .search( + &self.config.base_dn, + Scope::Subtree, + "(objectClass=*)", + vec!["*"], + ) + .await? + .success() + .context("Could not search LDAP realm, base_dn could be incorrect")?; + } + + Ok(()) + } + /// Retrive port from LDAP configuration, otherwise use the correct default fn port_from_config(&self) -> u16 { self.config.port.unwrap_or_else(|| { -- 2.39.2