From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <c.heiss@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by lists.proxmox.com (Postfix) with ESMTPS id DBBFFBAD9C
for <pbs-devel@lists.proxmox.com>; Thu, 21 Mar 2024 16:58:39 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id B4577318D0
for <pbs-devel@lists.proxmox.com>; Thu, 21 Mar 2024 16:58:09 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
[94.136.29.106])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by firstgate.proxmox.com (Proxmox) with ESMTPS
for <pbs-devel@lists.proxmox.com>; Thu, 21 Mar 2024 16:58:08 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
by proxmox-new.maurer-it.com (Proxmox) with ESMTP id BAF39415DF
for <pbs-devel@lists.proxmox.com>; Thu, 21 Mar 2024 16:58:08 +0100 (CET)
Date: Thu, 21 Mar 2024 16:58:07 +0100
From: Christoph Heiss <c.heiss@proxmox.com>
To: Proxmox Backup Server development discussion <pbs-devel@lists.proxmox.com>
Message-ID: <ue37ptl4jlrbwhe7zty6ccaxvnutdqip3nf4jwkl5cjd77mrln@7fd57wh7u3b6>
References: <20240112161614.1012311-1-c.heiss@proxmox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20240112161614.1012311-1-c.heiss@proxmox.com>
X-SPAM-LEVEL: Spam detection results: 0
AWL 0.005 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DMARC_MISSING 0.1 Missing DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
T_SCC_BODY_TEXT_LINE -0.01 -
Subject: Re: [pbs-devel] [PATCH proxmox/proxmox-backup/pwt v3 00/13] add
Active Directory realm support
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
<pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>,
<mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>,
<mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2024 15:58:39 -0000
Ping, still applies (on all three repos).
On Fri, Jan 12, 2024 at 05:15:55PM +0100, Christoph Heiss wrote:
> This series adds Active Directory realm support to PBS, much like it
> already exists in PVE. The logic matches it as closely as possible.
>
> Patches #1 through #6 are purely preparatory.
>
> The API, authenticator and realm sync job implementations are partly
> simply copied from LDAP, replacing structs and changing some things as
> needed. The realm sync job simply reuses the existing LDAP
> implementation for the most part, other than setting up some things
> differently.
>
> As for the UI, the existing panel for LDAP realms was generic enough
> such that it only needed a few conditionals as what input boxes to show.
>
> One thing to note is that - unlike PVE - you don't have to specify a
> domain name when creating an AD realm. This is due to `proxmox-ldap`
> already figuring out the correct, full DN of bind and login users
> itself. That is the only use of the domain name in PVE anyway, thus it
> is not present here.
>
> The base DN is automatically determined from the `defaultNamingContext`
> attribute of the root DSE object. It can be set manually in the config
> if the need should arise. So that should be treated more like an
> implementation detail.
>
> Testing
> -------
> I have tested this series using:
>
> * slapd 2.5.13+dfsg-5 as LDAP server to ensure no regressions
> * Samba 4.18.5 as an Linux-based LDAP and AD server, with and without
> (START)TLS.
> * AD on Windows Server 2022 to make sure that works as well
>
> For slapd and MS AD, I tested both anonymous binds and authenticated
> binds, with Samba only authenticated binds (since there seems to way to
> turn on anonymous binds in Samba, at least that I could find ..) as well
> as dry-running and actual syncing of users. Further, then also logging
> into PBS with a sync'd user.
>
> History
> -------
> v1: https://lists.proxmox.com/pipermail/pbs-devel/2023-August/006410.html
> v2: https://lists.proxmox.com/pipermail/pbs-devel/2023-August/006461.html
>
> Notable changes v1 -> v2:
> * Applied various review comments pointed out by Lukas & Wolfgang
> * Fully implemented case-insensitive support (as separate patches)
>
> Notable changes v2 -> v3:
> * Rebased against latest master.
> * Improved documentation per suggestions
> * Dropped RFC'd case-insensitive patches.
> This needs a lot more work to properly (retro-)fit into the existing
> PBS authenication infrastructe, thus postpone it for now. A note in
> the docs indicate the current status.
>
> [0] https://bugzilla.proxmox.com/show_bug.cgi?id=2947
> [1] https://forum.proxmox.com/threads/ad-sync-authentication.74547/
>
> proxmox:
>
> Christoph Heiss (3):
> ldap: avoid superfluous allocation when calling .search()
> ldap: add method for retrieving root DSE attributes
> auth-api: implement `Display` for `Realm{, Ref}`
>
> proxmox-auth-api/src/types.rs | 12 +++++++++++
> proxmox-ldap/src/lib.rs | 31 +++++++++++++++++++++-------
> proxmox-ldap/tests/assets/glauth.cfg | 1 +
> proxmox-ldap/tests/glauth.rs | 16 ++++++++++++++
> 4 files changed, 53 insertions(+), 7 deletions(-)
>
> proxmox-backup:
>
> Christoph Heiss (8):
> api-types: factor out `LdapMode` -> `ConnectionMode` conversion into
> own fn
> auth: factor out CA store and cert lookup into own fn
> realm sync: generic-ify `LdapSyncSettings` and `GeneralSyncSettings`
> api: access: add routes for managing AD realms
> config: domains: add new "ad" section type for AD realms
> realm sync: add sync job for AD realms
> manager: add subcommand for managing AD realms
> docs: user-management: add section about AD realm support
>
> docs/config/domains/format.rst | 4 +-
> docs/user-management.rst | 59 ++++-
> pbs-api-types/src/ad.rs | 98 +++++++
> pbs-api-types/src/lib.rs | 8 +
> pbs-config/src/domains.rs | 11 +-
> src/api2/access/domain.rs | 18 +-
> src/api2/config/access/ad.rs | 348 +++++++++++++++++++++++++
> src/api2/config/access/mod.rs | 2 +
> src/auth.rs | 120 +++++++--
> src/bin/proxmox-backup-manager.rs | 1 +
> src/bin/proxmox_backup_manager/ad.rs | 105 ++++++++
> src/bin/proxmox_backup_manager/ldap.rs | 2 +-
> src/bin/proxmox_backup_manager/mod.rs | 2 +
> src/server/realm_sync_job.rs | 111 ++++++--
> 14 files changed, 831 insertions(+), 58 deletions(-)
> create mode 100644 pbs-api-types/src/ad.rs
> create mode 100644 src/api2/config/access/ad.rs
> create mode 100644 src/bin/proxmox_backup_manager/ad.rs
>
> proxmox-widget-toolkit:
>
> Christoph Heiss (2):
> window: add Active Directory auth panel
> window: ldap: add tooltips for firstname, lastname and email
> attributes
>
> src/Makefile | 1 +
> src/Schema.js | 10 ++++++++++
> src/window/AuthEditAD.js | 14 ++++++++++++++
> src/window/AuthEditLDAP.js | 39 +++++++++++++++++++++++++++++++++++---
> 4 files changed, 61 insertions(+), 3 deletions(-)
> create mode 100644 src/window/AuthEditAD.js
>
> --
> 2.41.0
>
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>
>