public inbox for pbs-devel@lists.proxmox.com
From: Lukas Wagner <l.wagner@proxmox.com>
To: Proxmox Backup Server development discussion
	<pbs-devel@lists.proxmox.com>,
	Christoph Heiss <c.heiss@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox/proxmox-backup/pwt v3 00/13] add Active Directory realm support
Date: Wed, 17 Jan 2024 12:05:34 +0100	[thread overview]
Message-ID: <2b6917cd-232f-4528-9e6b-6fb319822c90@proxmox.com> (raw)
In-Reply-To: <20240112161614.1012311-1-c.heiss@proxmox.com>



On 1/12/24 17:15, Christoph Heiss wrote:
> This series adds Active Directory realm support to PBS, much like it
> already exists in PVE. The logic matches it as closely as possible.
> 
> Patches #1 through #6 are purely preparatory.
> 
> The API, authenticator and realm sync job implementations are partly
> simply copied from LDAP, replacing structs and changing some things as
> needed. The realm sync job simply reuses the existing LDAP
> implementation for the most part, other than setting up some things
> differently.
> 
> As for the UI, the existing panel for LDAP realms was generic enough
> that it only needed a few conditionals as to which input boxes to show.
> 
> One thing to note is that - unlike PVE - you don't have to specify a
> domain name when creating an AD realm. This is due to `proxmox-ldap`
> already figuring out the correct, full DN of bind and login users
> itself. That is the only use of the domain name in PVE anyway, thus it
> is not present here.
> 
> The base DN is automatically determined from the `defaultNamingContext`
> attribute of the root DSE object. It can be set manually in the config
> if the need should arise. So that should be treated more like an
> implementation detail.
> 
> Testing
> -------
> I have tested this series using:
> 
>   * slapd 2.5.13+dfsg-5 as LDAP server to ensure no regressions
>   * Samba 4.18.5 as a Linux-based LDAP and AD server, with and without
>     (START)TLS.
>   * AD on Windows Server 2022 to make sure that works as well
> 
> For slapd and MS AD, I tested both anonymous binds and authenticated
> binds, with Samba only authenticated binds (since there seems to be no
> way to turn on anonymous binds in Samba, at least that I could find ..)
> as well as dry-running and actual syncing of users. Further, then also
> logging into PBS with a sync'd user.
> 

Gave these changes another (quick) test, testing against AD on Windows 
Server 2022. Also tested regular LDAP realms to make sure that these 
continue to work as expected.

Everything looks good, as far as I can tell:

Tested-by: Lukas Wagner <l.wagner@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>

-- 
- Lukas
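The cover letter above describes two design points of the AD realm: the base DN comes from the `defaultNamingContext` attribute of the root DSE unless it is set explicitly in the realm config, and the full DN of bind and login users is worked out from the configured user attribute rather than from a domain name. The following Rust snippet is an added illustration of that resolution order and of the filter escaping a login lookup needs; it is not code from proxmox-ldap or proxmox-backup. The `RootDse`, `AdRealmConfig`, `resolve_base_dn`, `escape_filter_value` and `user_lookup_filter` names, the `(objectClass=user)` clause and the sample `DC=example,DC=com` naming context are all assumptions made for the example, and the root DSE attributes are constructed in-process rather than fetched from a server.

```rust
// Added example (not proxmox-ldap code): base DN resolution and
// filter escaping for an AD realm, modelled on the cover letter.
use std::collections::HashMap;

/// Attributes of the root DSE as an LDAP client would return them.
/// In this example they are constructed locally (assumption: a real
/// client would fetch `defaultNamingContext` from the server's root DSE).
pub struct RootDse {
    pub attrs: HashMap<String, Vec<String>>,
}

/// Minimal realm config for the example: `base_dn` is optional, as the
/// cover letter describes; `user_attr` is the login attribute (assumed
/// to be `sAMAccountName` for AD).
pub struct AdRealmConfig {
    pub base_dn: Option<String>,
    pub user_attr: String,
}

/// Resolution order: an explicitly configured base DN wins; otherwise the
/// `defaultNamingContext` of the root DSE is used; with neither present the
/// realm cannot be used and the caller gets an error instead of a guess.
pub fn resolve_base_dn(cfg: &AdRealmConfig, root_dse: &RootDse) -> Result<String, String> {
    if let Some(dn) = &cfg.base_dn {
        return Ok(dn.clone());
    }
    root_dse
        .attrs
        .get("defaultNamingContext")
        .and_then(|values| values.first())
        .cloned()
        .ok_or_else(|| {
            "root DSE has no defaultNamingContext attribute; set base-dn explicitly".to_string()
        })
}

/// RFC 4515 escaping for an assertion value inside a search filter.
/// `*`, `(`, `)`, `\` and NUL are always escaped as `\xx`; non-ASCII bytes
/// are escaped too (RFC 4515 allows either raw UTF-8 or escaped bytes).
pub fn escape_filter_value(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for b in value.bytes() {
        match b {
            b'*' | b'(' | b')' | b'\\' | 0 => out.push_str(&format!("\\{:02x}", b)),
            _ if b >= 0x80 => out.push_str(&format!("\\{:02x}", b)),
            _ => out.push(b as char),
        }
    }
    out
}

/// Filter used to look up a login user below the base DN. The user-supplied
/// name is escaped so it can only ever match as a literal attribute value.
pub fn user_lookup_filter(cfg: &AdRealmConfig, username: &str) -> String {
    format!(
        "(&(objectClass=user)({}={}))",
        cfg.user_attr,
        escape_filter_value(username)
    )
}

fn main() {
    // Constructed root DSE, standing in for the server's response.
    let mut attrs = HashMap::new();
    attrs.insert(
        "defaultNamingContext".to_string(),
        vec!["DC=example,DC=com".to_string()],
    );
    let dse = RootDse { attrs };

    let auto = AdRealmConfig { base_dn: None, user_attr: "sAMAccountName".into() };
    println!("auto base DN:   {}", resolve_base_dn(&auto, &dse).unwrap());

    let manual = AdRealmConfig {
        base_dn: Some("OU=Staff,DC=example,DC=com".into()),
        user_attr: "sAMAccountName".into(),
    };
    println!("manual base DN: {}", resolve_base_dn(&manual, &dse).unwrap());
    println!("lookup filter:  {}", user_lookup_filter(&auto, "alice"));
}
```

The error path matters for operators: a directory whose root DSE does not expose `defaultNamingContext` (or a bind account that is not allowed to read it) should surface as a configuration error pointing at the manual `base-dn` option, not as a silent empty search.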




Thread overview: 18+ messages
2024-01-12 16:15 Christoph Heiss
2024-01-12 16:15 ` [pbs-devel] [PATCH proxmox v3 01/13] ldap: avoid superfluous allocation when calling .search() Christoph Heiss
2024-01-12 16:15 ` [pbs-devel] [PATCH proxmox v3 02/13] ldap: add method for retrieving root DSE attributes Christoph Heiss
2024-01-12 16:15 ` [pbs-devel] [PATCH proxmox v3 03/13] auth-api: implement `Display` for `Realm{, Ref}` Christoph Heiss
2024-01-12 16:15 ` [pbs-devel] [PATCH proxmox-backup v3 04/13] api-types: factor out `LdapMode` -> `ConnectionMode` conversion into own fn Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 05/13] auth: factor out CA store and cert lookup " Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 06/13] realm sync: generic-ify `LdapSyncSettings` and `GeneralSyncSettings` Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 07/13] api: access: add routes for managing AD realms Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 08/13] config: domains: add new "ad" section type for " Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 09/13] realm sync: add sync job " Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 10/13] manager: add subcommand for managing " Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 11/13] docs: user-management: add section about AD realm support Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH widget-toolkit v3 12/13] window: add Active Directory auth panel Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH widget-toolkit v3 13/13] window: ldap: add tooltips for firstname, lastname and email attributes Christoph Heiss
2024-01-17 11:05 ` Lukas Wagner [this message]
2024-03-21 15:58 ` [pbs-devel] [PATCH proxmox/proxmox-backup/pwt v3 00/13] add Active Directory realm support Christoph Heiss
2024-03-25 16:19 ` [pbs-devel] partially-applied: " Thomas Lamprecht
2024-04-24 19:26 ` [pbs-devel] applied: " Thomas Lamprecht
