Date: Thu, 21 Mar 2024 16:58:07 +0100
From: Christoph Heiss
To: Proxmox Backup Server development discussion <pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox/proxmox-backup/pwt v3 00/13] add Active Directory realm support
In-Reply-To: <20240112161614.1012311-1-c.heiss@proxmox.com>
References: <20240112161614.1012311-1-c.heiss@proxmox.com>

Ping, still applies (on all three repos).

On Fri, Jan 12, 2024 at 05:15:55PM +0100, Christoph Heiss wrote:
> This series adds Active Directory realm support to PBS, much like it
> already exists in PVE. The logic matches it as closely as possible.
>
> Patches #1 through #6 are purely preparatory.
>
> The API, authenticator and realm sync job implementations are partly
> simply copied from LDAP, replacing structs and changing some things as
> needed. The realm sync job simply reuses the existing LDAP
> implementation for the most part, other than setting up some things
> differently.
>
> As for the UI, the existing panel for LDAP realms was generic enough
> such that it only needed a few conditionals as to what input boxes to show.
>
> One thing to note is that - unlike PVE - you don't have to specify a
> domain name when creating an AD realm. This is due to `proxmox-ldap`
> already figuring out the correct, full DN of bind and login users
> itself. That is the only use of the domain name in PVE anyway, thus it
> is not present here.
>
> The base DN is automatically determined from the `defaultNamingContext`
> attribute of the root DSE object. It can be set manually in the config
> if the need should arise. So that should be treated more like an
> implementation detail.
>
> Testing
> -------
> I have tested this series using:
>
> * slapd 2.5.13+dfsg-5 as LDAP server to ensure no regressions
> * Samba 4.18.5 as a Linux-based LDAP and AD server, with and without
>   (START)TLS.
> * AD on Windows Server 2022 to make sure that works as well
>
> For slapd and MS AD, I tested both anonymous binds and authenticated
> binds, with Samba only authenticated binds (since there seems to be no
> way to turn on anonymous binds in Samba, at least that I could find ..)
> as well as dry-running and actual syncing of users. Further, then also
> logging into PBS with a sync'd user.
>
> History
> -------
> v1: https://lists.proxmox.com/pipermail/pbs-devel/2023-August/006410.html
> v2: https://lists.proxmox.com/pipermail/pbs-devel/2023-August/006461.html
>
> Notable changes v1 -> v2:
> * Applied various review comments pointed out by Lukas & Wolfgang
> * Fully implemented case-insensitive support (as separate patches)
>
> Notable changes v2 -> v3:
> * Rebased against latest master.
> * Improved documentation per suggestions
> * Dropped RFC'd case-insensitive patches.
>   This needs a lot more work to properly (retro-)fit into the existing
>   PBS authentication infrastructure, thus postpone it for now. A note in
>   the docs indicates the current status.
>
> [0] https://bugzilla.proxmox.com/show_bug.cgi?id=2947
> [1] https://forum.proxmox.com/threads/ad-sync-authentication.74547/
>
> proxmox:
>
> Christoph Heiss (3):
>   ldap: avoid superfluous allocation when calling .search()
>   ldap: add method for retrieving root DSE attributes
>   auth-api: implement `Display` for `Realm{, Ref}`
>
>  proxmox-auth-api/src/types.rs        | 12 +++++++++++
>  proxmox-ldap/src/lib.rs              | 31 +++++++++++++++++++++-------
>  proxmox-ldap/tests/assets/glauth.cfg |  1 +
>  proxmox-ldap/tests/glauth.rs         | 16 ++++++++++++++
>  4 files changed, 53 insertions(+), 7 deletions(-)
>
> proxmox-backup:
>
> Christoph Heiss (8):
>   api-types: factor out `LdapMode` -> `ConnectionMode` conversion into
>     own fn
>   auth: factor out CA store and cert lookup into own fn
>   realm sync: generic-ify `LdapSyncSettings` and `GeneralSyncSettings`
>   api: access: add routes for managing AD realms
>   config: domains: add new "ad" section type for AD realms
>   realm sync: add sync job for AD realms
>   manager: add subcommand for managing AD realms
>   docs: user-management: add section about AD realm support
>
>  docs/config/domains/format.rst         |   4 +-
>  docs/user-management.rst               |  59 ++++-
>  pbs-api-types/src/ad.rs                |  98 +++++++
>  pbs-api-types/src/lib.rs               |   8 +
>  pbs-config/src/domains.rs              |  11 +-
>  src/api2/access/domain.rs              |  18 +-
>  src/api2/config/access/ad.rs           | 348 +++++++++++++++++++++++++
>  src/api2/config/access/mod.rs          |   2 +
>  src/auth.rs                            | 120 +++++++--
>  src/bin/proxmox-backup-manager.rs      |   1 +
>  src/bin/proxmox_backup_manager/ad.rs   | 105 ++++++++
>  src/bin/proxmox_backup_manager/ldap.rs |   2 +-
>  src/bin/proxmox_backup_manager/mod.rs  |   2 +
>  src/server/realm_sync_job.rs           | 111 ++++++--
>  14 files changed, 831 insertions(+), 58 deletions(-)
>  create mode 100644 pbs-api-types/src/ad.rs
>  create mode 100644 src/api2/config/access/ad.rs
>  create mode 100644 src/bin/proxmox_backup_manager/ad.rs
>
> proxmox-widget-toolkit:
>
> Christoph Heiss (2):
>   window: add Active Directory auth panel
>   window: ldap: add tooltips for firstname, lastname and email
>     attributes
>
>  src/Makefile             |  1 +
>  src/Schema.js            | 10 ++++++++++
>  src/window/AuthEditAD.js | 14 ++++++++++++++
>  src/window/AuthEditLDAP.js | 39 +++++++++++++++++++++++++++++++++++---
>  4 files changed, 61 insertions(+), 3 deletions(-)
>  create mode 100644 src/window/AuthEditAD.js
>
> --
> 2.41.0
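The cover letter states that the base DN of an AD realm is taken from the `defaultNamingContext` attribute of the root DSE unless it is set manually in the realm config. The following is an added example, not code from proxmox-ldap, proxmox-backup or this patch series, that shows that resolution order in isolation: a configured override wins, otherwise the root DSE is consulted, and a missing attribute, an unreachable server or a malformed DN each produce a distinct error rather than an empty base DN. The `RootDse` trait, `AdRealmConfig`, `FakeServer`, the host name `dc01.example.test` and the DN `DC=example,DC=test` are all constructed for this illustration.

```rust
// Added example (not proxmox-ldap or proxmox-backup code): resolve an AD
// realm's base DN from the root DSE's `defaultNamingContext`, unless the
// realm config pins it explicitly.
use std::collections::HashMap;

/// One LDAP entry: attribute name -> values.
pub type Entry = HashMap<String, Vec<String>>;

/// Hypothetical abstraction over the root DSE lookup (on a real server a
/// base-scope search with an empty base DN) so the logic runs offline.
pub trait RootDse {
    /// The root DSE entry, or None if the server refused or did not answer.
    fn root_dse(&self) -> Option<Entry>;
}

/// Hypothetical subset of an AD realm config; `base_dn` is the manual
/// override the cover letter mentions.
pub struct AdRealmConfig {
    pub server: String,
    pub base_dn: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum BaseDnError {
    ServerUnavailable,
    MissingNamingContext,
    InvalidDn(String),
}

/// Minimal structural check: a comma-separated list of `attr=value` RDNs
/// with nothing empty. Deliberately not a full RFC 4514 parser.
pub fn is_plausible_dn(dn: &str) -> bool {
    !dn.trim().is_empty()
        && dn.split(',').all(|rdn| {
            let mut parts = rdn.trim().splitn(2, '=');
            matches!(
                (parts.next(), parts.next()),
                (Some(attr), Some(value)) if !attr.trim().is_empty() && !value.trim().is_empty()
            )
        })
}

/// LDAP attribute names are case-insensitive, so match them that way.
fn first_value<'a>(entry: &'a Entry, name: &str) -> Option<&'a str> {
    entry
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case(name))
        .and_then(|(_, v)| v.first())
        .map(String::as_str)
}

/// Configured base DN wins; otherwise ask the server's root DSE. Whatever
/// the source, the result must at least look like a DN before it is used.
pub fn resolve_base_dn(config: &AdRealmConfig, ldap: &impl RootDse) -> Result<String, BaseDnError> {
    let candidate = match &config.base_dn {
        Some(dn) => dn.clone(),
        None => {
            let dse = ldap.root_dse().ok_or(BaseDnError::ServerUnavailable)?;
            first_value(&dse, "defaultNamingContext")
                .ok_or(BaseDnError::MissingNamingContext)?
                .to_string()
        }
    };
    if is_plausible_dn(&candidate) {
        Ok(candidate)
    } else {
        Err(BaseDnError::InvalidDn(candidate))
    }
}

/// Constructed stand-in for a directory server.
pub struct FakeServer {
    pub dse: Option<Entry>,
}

impl RootDse for FakeServer {
    fn root_dse(&self) -> Option<Entry> {
        self.dse.clone()
    }
}

/// Constructed root DSE resembling what an AD domain controller returns.
pub fn sample_ad_root_dse() -> Entry {
    let mut e = Entry::new();
    e.insert("defaultNamingContext".into(), vec!["DC=example,DC=test".into()]);
    e.insert("supportedLDAPVersion".into(), vec!["3".into(), "2".into()]);
    e
}

fn main() {
    let server = FakeServer { dse: Some(sample_ad_root_dse()) };
    let config = AdRealmConfig { server: "dc01.example.test".into(), base_dn: None };
    println!("{:?}", resolve_base_dn(&config, &server));
}
```

The override path matters operationally: the auto-detected base DN is whatever the server answers on an unauthenticated root DSE read, so on a realm that is not using (START)TLS an operator who wants the search base fixed independently of the server's answer can pin it in the config, which is exactly the knob the series keeps available.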