From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id D4685C0DE9 for ; Fri, 12 Jan 2024 17:16:56 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id C24D9349E3 for ; Fri, 12 Jan 2024 17:16:55 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 12 Jan 2024 17:16:54 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D1F0549130 for ; Fri, 12 Jan 2024 17:16:53 +0100 (CET) From: Christoph Heiss To: pbs-devel@lists.proxmox.com Date: Fri, 12 Jan 2024 17:15:57 +0100 Message-ID: <20240112161614.1012311-3-c.heiss@proxmox.com> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20240112161614.1012311-1-c.heiss@proxmox.com> References: <20240112161614.1012311-1-c.heiss@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.003 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [rfc-editor.org, lib.rs, glauth.rs]
Subject: [pbs-devel] [PATCH proxmox v3 02/13] ldap: add method for retrieving root DSE attributes
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 12 Jan 2024 16:16:56 -0000

The root DSE holds common attributes about the LDAP server itself. Needed to e.g. support Active Directory-based LDAP servers to retrieve the base DN from the server itself, based on an valid bind. See also RFC 4512, Section 5.1 [0] for more information about this special object.

[0] https://www.rfc-editor.org/rfc/rfc4512#section-5.1

Signed-off-by: Christoph Heiss
---
 proxmox-ldap/src/lib.rs | 22 ++++++++++++++++++++++
 proxmox-ldap/tests/assets/glauth.cfg | 1 +
 proxmox-ldap/tests/glauth.rs | 16 ++++++++++++++++
 3 files changed, 39 insertions(+)

diff --git a/proxmox-ldap/src/lib.rs b/proxmox-ldap/src/lib.rs
index f9862e2..2df7409 100644
--- a/proxmox-ldap/src/lib.rs
+++ b/proxmox-ldap/src/lib.rs
@@ -193,6 +193,28 @@ impl Connection {
         Ok(())
     }
 
+    /// Retrieves an attribute from the root DSE according to RFC 4512, Section 5.1
+    /// https://www.rfc-editor.org/rfc/rfc4512#section-5.1
+    pub async fn retrieve_root_dse_attr(&self, attr: &str) -> Result, Error> {
+        let mut ldap = self.create_connection().await?;
+
+        let (entries, _res) = ldap
+            .search("", Scope::Base, "(objectClass=*)", &[attr])
+            .await?
+            .success()?;
+
+        if entries.len() > 1 {
+            bail!("found multiple root DSEs with attribute '{attr}'");
+        }
+
+        entries
+            .into_iter()
+            .next()
+            .map(SearchEntry::construct)
+            .and_then(|e| e.attrs.get(attr).cloned())
+            .ok_or_else(|| format_err!("failed to retrieve root DSE attribute '{attr}'"))
+    }
+
     /// Retrive port from LDAP configuration, otherwise use the correct default
     fn port_from_config(&self) -> u16 {
         self.config.port.unwrap_or_else(|| {
diff --git a/proxmox-ldap/tests/assets/glauth.cfg b/proxmox-ldap/tests/assets/glauth.cfg
index 7255169..8abbdc6 100644
--- a/proxmox-ldap/tests/assets/glauth.cfg
+++ b/proxmox-ldap/tests/assets/glauth.cfg
@@ -16,6 +16,7 @@ debug = true
   baseDN = "dc=example,dc=com"
   nameformat = "cn"
   groupformat = "ou"
+  anonymousdse = true
 # to create a passSHA256: echo -n "mysecret" | openssl dgst -sha256
diff --git a/proxmox-ldap/tests/glauth.rs b/proxmox-ldap/tests/glauth.rs
index 88875d2..74720c1 100644
--- a/proxmox-ldap/tests/glauth.rs
+++ b/proxmox-ldap/tests/glauth.rs
@@ -191,3 +191,19 @@ fn test_check_connection() -> Result<(), Error> {
 
     Ok(())
 }
+
+#[test]
+#[ignore]
+fn test_retrieve_root_dse_attr() -> Result<(), Error> {
+    let _glauth = GlauthServer::new("tests/assets/glauth.cfg")?;
+
+    let connection = Connection::new(default_config());
+
+    let values = proxmox_async::runtime::block_on(
+        connection.retrieve_root_dse_attr("defaultNamingContext"),
+    )?;
+
+    assert_eq!(values, vec!["dc=example,dc=com"]);
+
+    Ok(())
+}
-- 
2.42.0
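Review bot: The lookup `e.attrs.get(attr)` in `retrieve_root_dse_attr` is a case-sensitive map lookup, but LDAP attribute descriptions are case-insensitive (RFC 4512, Section 2.5) and a server may return the attribute under its canonical spelling rather than the spelling that was requested, so the entry can be found and the call still fails with the misleading "failed to retrieve root DSE attribute" error. Matching the key case-insensitively avoids that: `.and_then(|e| e.attrs.into_iter().find(|(k, _)| k.eq_ignore_ascii_case(attr)).map(|(_, v)| v))`. The commit message says the base DN is retrieved "based on a valid bind", yet the hunk only calls `create_connection()` (outside the hunk) and never binds before the search; if that helper does not bind either, the read depends on the server exposing the root DSE anonymously, which is also what the `anonymousdse = true` added to the glauth test config suggests, and the doc comment should say so, e.g. `/// The search is performed on the connection as created by create_connection(), i.e. without a prior bind.` (adjust once confirmed). A Base-scope search returns at most one entry, so the `entries.len() > 1` branch should carry a one-line comment saying it is a defensive check rather than an expected case.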
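Review bot: `test_retrieve_root_dse_attr` only exercises the success path of `retrieve_root_dse_attr`; the error branch for an attribute the root DSE does not carry is never hit, and that is the branch callers see against a misconfigured server. A second assertion on the same running glauth instance pins it at no extra cost: `assert!(proxmox_async::runtime::block_on(connection.retrieve_root_dse_attr("doesNotExist")).is_err());`. The test is `#[ignore]`d, presumably for the same reason as the surrounding glauth tests (an external glauth binary is needed); a short comment above the attribute stating that would save the next reader a lookup.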