public inbox for pbs-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pbs-devel] [PATCH proxmox/proxmox-backup/pwt v3 00/13] add Active Directory realm support
@ 2024-01-12 16:15 Christoph Heiss
  2024-01-12 16:15 ` [pbs-devel] [PATCH proxmox v3 01/13] ldap: avoid superfluous allocation when calling .search() Christoph Heiss
                   ` (16 more replies)
  0 siblings, 17 replies; 18+ messages in thread
From: Christoph Heiss @ 2024-01-12 16:15 UTC (permalink / raw)
  To: pbs-devel

This series adds Active Directory realm support to PBS, much like it
already exists in PVE. The logic matches it as closely as possible.

Patches #1 through #6 are purely preparatory.

The API, authenticator and realm sync job implementations are partly
simply copied from LDAP, replacing structs and changing some things as
needed. The realm sync job simply reuses the existing LDAP
implementation for the most part, other than setting up some things
differently.

As for the UI, the existing panel for LDAP realms was generic enough
such that it only needed a few conditionals as what input boxes to show.

One thing to note is that - unlike PVE - you don't have to specify a
domain name when creating an AD realm. This is due to `proxmox-ldap`
already figuring out the correct, full DN of bind and login users
itself. That is the only use of the domain name in PVE anyway, thus it
is not present here.

The base DN is automatically determined from the `defaultNamingContext`
attribute of the root DSE object. It can be set manually in the config
if the need should arise. So that should be treated more like an
implementation detail.

Testing
-------
I have tested this series using:

 * slapd 2.5.13+dfsg-5 as LDAP server to ensure no regressions
 * Samba 4.18.5 as an Linux-based LDAP and AD server, with and without
   (START)TLS.
 * AD on Windows Server 2022 to make sure that works as well

For slapd and MS AD, I tested both anonymous binds and authenticated
binds, with Samba only authenticated binds (since there seems to way to
turn on anonymous binds in Samba, at least that I could find ..) as well
as dry-running and actual syncing of users. Further, then also logging
into PBS with a sync'd user.

History
-------
v1: https://lists.proxmox.com/pipermail/pbs-devel/2023-August/006410.html
v2: https://lists.proxmox.com/pipermail/pbs-devel/2023-August/006461.html

Notable changes v1 -> v2:
  * Applied various review comments pointed out by Lukas & Wolfgang
  * Fully implemented case-insensitive support (as separate patches)

Notable changes v2 -> v3:
  * Rebased against latest master.
  * Improved documentation per suggestions
  * Dropped RFC'd case-insensitive patches.
    This needs a lot more work to properly (retro-)fit into the existing
    PBS authenication infrastructe, thus postpone it for now. A note in
    the docs indicate the current status.

[0] https://bugzilla.proxmox.com/show_bug.cgi?id=2947
[1] https://forum.proxmox.com/threads/ad-sync-authentication.74547/

proxmox:

Christoph Heiss (3):
  ldap: avoid superfluous allocation when calling .search()
  ldap: add method for retrieving root DSE attributes
  auth-api: implement `Display` for `Realm{, Ref}`

 proxmox-auth-api/src/types.rs        | 12 +++++++++++
 proxmox-ldap/src/lib.rs              | 31 +++++++++++++++++++++-------
 proxmox-ldap/tests/assets/glauth.cfg |  1 +
 proxmox-ldap/tests/glauth.rs         | 16 ++++++++++++++
 4 files changed, 53 insertions(+), 7 deletions(-)

proxmox-backup:

Christoph Heiss (8):
  api-types: factor out `LdapMode` -> `ConnectionMode` conversion into
    own fn
  auth: factor out CA store and cert lookup into own fn
  realm sync: generic-ify `LdapSyncSettings` and `GeneralSyncSettings`
  api: access: add routes for managing AD realms
  config: domains: add new "ad" section type for AD realms
  realm sync: add sync job for AD realms
  manager: add subcommand for managing AD realms
  docs: user-management: add section about AD realm support

 docs/config/domains/format.rst         |   4 +-
 docs/user-management.rst               |  59 ++++-
 pbs-api-types/src/ad.rs                |  98 +++++++
 pbs-api-types/src/lib.rs               |   8 +
 pbs-config/src/domains.rs              |  11 +-
 src/api2/access/domain.rs              |  18 +-
 src/api2/config/access/ad.rs           | 348 +++++++++++++++++++++++++
 src/api2/config/access/mod.rs          |   2 +
 src/auth.rs                            | 120 +++++++--
 src/bin/proxmox-backup-manager.rs      |   1 +
 src/bin/proxmox_backup_manager/ad.rs   | 105 ++++++++
 src/bin/proxmox_backup_manager/ldap.rs |   2 +-
 src/bin/proxmox_backup_manager/mod.rs  |   2 +
 src/server/realm_sync_job.rs           | 111 ++++++--
 14 files changed, 831 insertions(+), 58 deletions(-)
 create mode 100644 pbs-api-types/src/ad.rs
 create mode 100644 src/api2/config/access/ad.rs
 create mode 100644 src/bin/proxmox_backup_manager/ad.rs

proxmox-widget-toolkit:

Christoph Heiss (2):
  window: add Active Directory auth panel
  window: ldap: add tooltips for firstname, lastname and email
    attributes

 src/Makefile               |  1 +
 src/Schema.js              | 10 ++++++++++
 src/window/AuthEditAD.js   | 14 ++++++++++++++
 src/window/AuthEditLDAP.js | 39 +++++++++++++++++++++++++++++++++++---
 4 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 src/window/AuthEditAD.js

--
2.41.0





^ permalink raw reply	[flat|nested] 18+ messages in thread

end of thread, other threads:[~2024-04-24 19:26 UTC | newest]

Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-01-12 16:15 [pbs-devel] [PATCH proxmox/proxmox-backup/pwt v3 00/13] add Active Directory realm support Christoph Heiss
2024-01-12 16:15 ` [pbs-devel] [PATCH proxmox v3 01/13] ldap: avoid superfluous allocation when calling .search() Christoph Heiss
2024-01-12 16:15 ` [pbs-devel] [PATCH proxmox v3 02/13] ldap: add method for retrieving root DSE attributes Christoph Heiss
2024-01-12 16:15 ` [pbs-devel] [PATCH proxmox v3 03/13] auth-api: implement `Display` for `Realm{, Ref}` Christoph Heiss
2024-01-12 16:15 ` [pbs-devel] [PATCH proxmox-backup v3 04/13] api-types: factor out `LdapMode` -> `ConnectionMode` conversion into own fn Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 05/13] auth: factor out CA store and cert lookup " Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 06/13] realm sync: generic-ify `LdapSyncSettings` and `GeneralSyncSettings` Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 07/13] api: access: add routes for managing AD realms Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 08/13] config: domains: add new "ad" section type for " Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 09/13] realm sync: add sync job " Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 10/13] manager: add subcommand for managing " Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH proxmox-backup v3 11/13] docs: user-management: add section about AD realm support Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH widget-toolkit v3 12/13] window: add Active Directory auth panel Christoph Heiss
2024-01-12 16:16 ` [pbs-devel] [PATCH widget-toolkit v3 13/13] window: ldap: add tooltips for firstname, lastname and email attributes Christoph Heiss
2024-01-17 11:05 ` [pbs-devel] [PATCH proxmox/proxmox-backup/pwt v3 00/13] add Active Directory realm support Lukas Wagner
2024-03-21 15:58 ` Christoph Heiss
2024-03-25 16:19 ` [pbs-devel] partially-applied: " Thomas Lamprecht
2024-04-24 19:26 ` [pbs-devel] applied: " Thomas Lamprecht

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal