From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 8BFDF1FF139 for ; Mon, 12 Jan 2026 13:24:25 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4E1241D7B5; Mon, 12 Jan 2026 13:24:26 +0100 (CET) From: Shannon Sterz To: pdm-devel@lists.proxmox.com Date: Mon, 12 Jan 2026 13:24:18 +0100 Message-ID: <20260112122420.228501-3-s.sterz@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260112122420.228501-1-s.sterz@proxmox.com> References: <20260112122420.228501-1-s.sterz@proxmox.com> MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1768220618789 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.088 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pdm-devel] [PATCH datacenter-manager 1/3] fix #7182: server: auth: add dummy openid authenticator X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" when manually adding users from an openid realm, the api checks whether the realm exists. so at least a dummy implementation is needed here.
Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=7182
Signed-off-by: Shannon Sterz
---
 server/src/auth/mod.rs | 61 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 11 deletions(-)
diff --git a/server/src/auth/mod.rs b/server/src/auth/mod.rs
index 82425e8..312ed72 100644
--- a/server/src/auth/mod.rs
+++ b/server/src/auth/mod.rs
@@ -16,10 +16,10 @@ use proxmox_auth_api::types::Authid;
 use proxmox_auth_api::{HMACKey, Keyring};
 use proxmox_ldap::types::{AdRealmConfig, LdapRealmConfig};
 use proxmox_rest_server::AuthError;
-use proxmox_router::UserInformation;
+use proxmox_router::{http_bail, UserInformation};
 use proxmox_tfa::api::{OpenUserChallengeData, TfaConfig};
 
-use pdm_api_types::{RealmRef, Userid};
+use pdm_api_types::{OpenIdRealmConfig, RealmRef, Userid, UsernameRef};
 
 pub mod certs;
 pub mod csrf;
@@ -189,17 +189,17 @@ pub(crate) fn lookup_authenticator(
             lock_filename: pdm_buildcfg::configdir!("/access/shadow.json.lock"),
         })),
         realm => {
-            if let Ok((domains, _digest)) = pdm_config::domains::config() {
-                if let Ok(config) = domains.lookup::("ldap", realm) {
-                    return Ok(Box::new(LdapAuthenticator::new(config)));
-                }
+            let (domains, _digest) = pdm_config::domains::config()?;
 
-                if let Ok(config) = domains.lookup::("ad", realm) {
-                    return Ok(Box::new(AdAuthenticator::new(config)));
-                }
+            if let Ok(config) = domains.lookup::("ldap", realm) {
+                Ok(Box::new(LdapAuthenticator::new(config)))
+            } else if let Ok(config) = domains.lookup::("ad", realm) {
+                Ok(Box::new(AdAuthenticator::new(config)))
+            } else if domains.lookup::("openid", realm).is_ok() {
+                Ok(Box::new(OpenIdAuthenticator()))
+            } else {
+                bail!("unknwon realm {realm}");
             }
-
-            bail!("unknwon realm {realm}");
         }
     }
 }
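Review bot: The misspelling in the realm error is carried over into the new `else` branch of `lookup_authenticator`; since this string is what API clients see and what operators grep for in logs, it should read `bail!("unknown realm {realm}");`. With the `?` now applied to `pdm_config::domains::config()`, a failure to read the domains config surfaces as that I/O or parse error instead of the former "unknown realm" fallthrough, which looks intended but deserves a sentence in the commit message so the behaviour change is visible to reviewers. The turbofish type arguments on the `lookup::<…>` calls appear stripped in this rendering and were not assessed. `lookup_authenticator` begins before this hunk.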
@@ -234,3 +234,42 @@ impl LockedTfaConfig for PdmLockedTfaConfig {
         tfa::write(&self.config)
     }
 }
+
+struct OpenIdAuthenticator();
+/// When a user is manually added, the lookup_authenticator is called to verify that
+/// the realm exists. Thus, it is necessary to have an (empty) implementation for
+/// OpendID as well.
+impl Authenticator for OpenIdAuthenticator {
+    fn authenticate_user<'a>(
+        &'a self,
+        _username: &'a UsernameRef,
+        _password: &'a str,
+        _client_ip: Option<&'a IpAddr>,
+    ) -> Pin> + Send + 'a>> {
+        Box::pin(async move {
+            http_bail!(
+                NOT_IMPLEMENTED,
+                "password authentication is not implemented for OpenID realms"
+            );
+        })
+    }
+
+    fn store_password(
+        &self,
+        _username: &UsernameRef,
+        _password: &str,
+        _client_ip: Option<&IpAddr>,
+    ) -> Result<(), Error> {
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "storing passwords is not implemented for OpenID realms"
+        );
+    }
+
+    fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "storing passwords is not implemented for OpenID realms"
+        );
+    }
+}
-- 
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
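Review bot: The `///` block sits between `struct OpenIdAuthenticator();` and `impl Authenticator for OpenIdAuthenticator {`, so it documents the impl block rather than the type it describes; move the three lines above the `struct` line and fix the typo so the last line reads `/// OpenID as well.`. The message in `remove_password` is copied from `store_password` and should name the rejected operation, `"removing passwords is not implemented for OpenID realms"`, so that a client or log reader is not told the wrong thing was attempted. As a point of style, an empty tuple struct forces the call-like `OpenIdAuthenticator()` at the construction site in `lookup_authenticator`; a unit struct `struct OpenIdAuthenticator;` is the idiomatic form. Rejecting every password attempt in `authenticate_user` is the right fail-closed behaviour for a realm whose users must complete the provider flow, and a short comment on that branch such as `// OpenID users authenticate via the provider flow; never accept a password here.` would keep a future maintainer from "filling in" the stub. The return type of `authenticate_user` appears partly stripped in this rendering and was not assessed.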