From: Christoph Heiss
To: pbs-devel@lists.proxmox.com
Date: Tue, 8 Aug 2023 14:22:02 +0200
Message-ID: <20230808122239.1025524-1-c.heiss@proxmox.com>
Subject: [pbs-devel] [PATCH proxmox/proxmox-backup/pwt 0/12] add Active Directory realm support
This series adds Active Directory realm support to PBS, much like it already exists in PVE. The logic matches it as closely as possible.

Patches #1 through #6 are purely preparatory.

A lot of functionality from the existing LDAP realm implementation can be re-used, esp. the realm sync. The API, authenticator and realm sync job implementations are partly simply copied from LDAP, replacing structs and changing some things as needed. The realm sync job simply reuses the existing LDAP implementation for the most part, other than setting up some things differently.

As for the UI, the existing panel for LDAP realms was also generic enough such that it only needed a few conditionals as to what input boxes to show.

One thing to note is that - unlike PVE - you don't have to specify a domain name when creating an AD realm. This is due to `proxmox-ldap` already figuring out the correct, full DN of bind and login users itself. That is the only use of the domain name in PVE anyway, thus it is not present here.

The base DN is automatically determined from the `defaultNamingContext` attribute of the root DSE object. It can be set manually in the config if the need should arise. So that should be treated more like an implementation detail.

Testing
-------

I have tested this series using:

* slapd 2.5.13+dfsg-5 as LDAP server to ensure no regressions
* Samba 4.18.5 as a Linux-based AD server and
* AD on Windows Server 2022 to make sure that works as well

For slapd and MS AD, I tested both anonymous binds and authenticated binds, with Samba only authenticated binds (since there seems to be no way to turn on anonymous binds in Samba, at least that I could find ..) as well as dry-running and actual syncing of users. Further, then also logging into PBS with a sync'd user.
proxmox:

Christoph Heiss (2):
  ldap: add method for retrieving root DSE attributes
  auth-api: implement `Display` for `Realm{,Ref}`

 proxmox-auth-api/src/types.rs        | 12 ++++++++++++
 proxmox-ldap/src/lib.rs              | 22 ++++++++++++++++++++++
 proxmox-ldap/tests/assets/glauth.cfg |  1 +
 proxmox-ldap/tests/glauth.rs         | 16 ++++++++++++++++
 4 files changed, 51 insertions(+)

proxmox-backup:

Christoph Heiss (9):
  api-types: implement `LdapMode` -> `ConnectionMode` conversion
  auth: factor out CA store and cert lookup into own function
  api-types: implement `Display`, `FromStr` for `RealmType`
  realm sync: generic-ify `LdapSyncSettings` and `GeneralSyncSettings`
  api: access: add routes for managing AD realms
  config: domains: add new "ad" section type for AD realms
  realm sync: add sync job for AD realms
  manager: add subcommand for managing AD realms
  docs: user-management: add section about AD realm support

 docs/user-management.rst               |  40 +++-
 pbs-api-types/Cargo.toml               |   1 +
 pbs-api-types/src/ad.rs                | 101 ++++++++
 pbs-api-types/src/ldap.rs              |  11 +
 pbs-api-types/src/lib.rs               |  38 +++
 pbs-config/src/domains.rs              |  11 +-
 src/api2/access/domain.rs              |  16 +-
 src/api2/config/access/ad.rs           | 314 +++++++++++++++++++++++++
 src/api2/config/access/mod.rs          |   2 +
 src/auth.rs                            | 114 +++++++--
 src/bin/proxmox-backup-manager.rs      |   1 +
 src/bin/proxmox_backup_manager/ad.rs   | 105 +++++++++
 src/bin/proxmox_backup_manager/ldap.rs |   2 +-
 src/bin/proxmox_backup_manager/mod.rs  |   2 +
 src/server/realm_sync_job.rs           | 111 +++++++--
 15 files changed, 818 insertions(+), 51 deletions(-)
 create mode 100644 pbs-api-types/src/ad.rs
 create mode 100644 src/api2/config/access/ad.rs
 create mode 100644 src/bin/proxmox_backup_manager/ad.rs

proxmox-widget-toolkit:

Christoph Heiss (1):
  window: add Active Directory auth panel

 src/Makefile               |  1 +
 src/Schema.js              | 10 ++++++++++
 src/window/AuthEditAD.js   | 14 ++++++++++++++
 src/window/AuthEditLDAP.js | 28 ++++++++++++++++++++++++++--
 4 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 src/window/AuthEditAD.js

-- 
2.41.0