* [PATCH datacenter-manager v2 0/2] fix adding users manually for openid/ldap/ad realms
From: Shannon Sterz @ 2026-02-09  9:43 UTC (permalink / raw)
  To: pdm-devel

currently, when adding a new user manually through the ui, a password
needs to be entered for all realms but the pam realm. however, only for
the pdm/product realm itself do we store a password. so don't require
these fields for any other realm.

also adds a dummy authenticator implementation for openid realms. this
is necessary, because looking up whether an authenticator is present is
used for validating that a realm exists when adding a user. so add a
dummy authenticator for openid realms.

changes since v1

* dropped a `cargo fmt` commit that is no longer necessary
* patch 1/1 of the original series was applied to yew-comp already, so i
  dropped it here
* fixed a typo in the commit message of 2/2

proxmox-datacenter-manager:

Shannon Sterz (2):
  fix #7182: server: auth: add dummy openid authenticator
  ui: set product realm so that the add user dialogs are rendered
    properly

 server/src/auth/mod.rs      | 61 ++++++++++++++++++++++++++++++-------
 ui/src/configuration/mod.rs |  2 +-
 2 files changed, 51 insertions(+), 12 deletions(-)


Summary over all repositories:
  2 files changed, 51 insertions(+), 12 deletions(-)

--
Generated by git-murpp 0.8.1

* [PATCH datacenter-manager v2 1/2] fix #7182: server: auth: add dummy openid authenticator
From: Shannon Sterz @ 2026-02-09  9:43 UTC (permalink / raw)
  To: pdm-devel

when manually adding users from an openid realm, the api checks
whether the realm exists. so at least a dummy implementation is needed
here.

Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=7182
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 server/src/auth/mod.rs | 61 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 11 deletions(-)

diff --git a/server/src/auth/mod.rs b/server/src/auth/mod.rs
index 82425e8..312ed72 100644
--- a/server/src/auth/mod.rs
+++ b/server/src/auth/mod.rs
@@ -16,10 +16,10 @@ use proxmox_auth_api::types::Authid;
 use proxmox_auth_api::{HMACKey, Keyring};
 use proxmox_ldap::types::{AdRealmConfig, LdapRealmConfig};
 use proxmox_rest_server::AuthError;
-use proxmox_router::UserInformation;
+use proxmox_router::{http_bail, UserInformation};
 use proxmox_tfa::api::{OpenUserChallengeData, TfaConfig};
 
-use pdm_api_types::{RealmRef, Userid};
+use pdm_api_types::{OpenIdRealmConfig, RealmRef, Userid, UsernameRef};
 
 pub mod certs;
 pub mod csrf;
@@ -189,17 +189,17 @@ pub(crate) fn lookup_authenticator(
             lock_filename: pdm_buildcfg::configdir!("/access/shadow.json.lock"),
         })),
         realm => {
-            if let Ok((domains, _digest)) = pdm_config::domains::config() {
-                if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
-                    return Ok(Box::new(LdapAuthenticator::new(config)));
-                }
+            let (domains, _digest) = pdm_config::domains::config()?;
 
-                if let Ok(config) = domains.lookup::<AdRealmConfig>("ad", realm) {
-                    return Ok(Box::new(AdAuthenticator::new(config)));
-                }
+            if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
+                Ok(Box::new(LdapAuthenticator::new(config)))
+            } else if let Ok(config) = domains.lookup::<AdRealmConfig>("ad", realm) {
+                Ok(Box::new(AdAuthenticator::new(config)))
+            } else if domains.lookup::<OpenIdRealmConfig>("openid", realm).is_ok() {
+                Ok(Box::new(OpenIdAuthenticator()))
+            } else {
+                bail!("unknwon realm {realm}");
             }
-
-            bail!("unknwon realm {realm}");
         }
     }
 }
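Review bot: the `bail!("unknwon realm {realm}");` on the new `else` branch carries the "unknwon" typo over from the removed line; since the line is being rewritten anyway, correct it to `"unknown realm {realm}"` so the error reads cleanly in logs and API responses. Also note the behaviour change in `let (domains, _digest) = pdm_config::domains::config()?;`: before, a failure to read the domains config fell through to the "unknown realm" error, now the config error itself is propagated to the caller. That is the better outcome (a broken realm config no longer masquerades as a non-existent realm, and the caller still fails closed), but the commit message does not mention it, so a sentence there would help anyone bisecting a changed error message later.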
@@ -234,3 +234,42 @@ impl LockedTfaConfig for PdmLockedTfaConfig {
         tfa::write(&self.config)
     }
 }
+
+struct OpenIdAuthenticator();
+/// When a user is manually added, the lookup_authenticator is called to verify that
+/// the realm exists. Thus, it is necessary to have an (empty) implementation for
+/// OpendID as well.
+impl Authenticator for OpenIdAuthenticator {
+    fn authenticate_user<'a>(
+        &'a self,
+        _username: &'a UsernameRef,
+        _password: &'a str,
+        _client_ip: Option<&'a IpAddr>,
+    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+        Box::pin(async move {
+            http_bail!(
+                NOT_IMPLEMENTED,
+                "password authentication is not implemented for OpenID realms"
+            );
+        })
+    }
+
+    fn store_password(
+        &self,
+        _username: &UsernameRef,
+        _password: &str,
+        _client_ip: Option<&IpAddr>,
+    ) -> Result<(), Error> {
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "storing passwords is not implemented for OpenID realms"
+        );
+    }
+
+    fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "storing passwords is not implemented for OpenID realms"
+        );
+    }
+}
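Review bot: the `///` doc comment beginning "When a user is manually added, the lookup_authenticator is called ..." sits between `struct OpenIdAuthenticator();` and the `impl Authenticator for OpenIdAuthenticator` block, so rustdoc attaches it to the impl rather than to the type; move it above the struct and fix "OpendID" to "OpenID". Two smaller points: `remove_password` reuses the message "storing passwords is not implemented for OpenID realms", which should read "removing passwords ..." so a failed removal is not misreported as a failed store; and `struct OpenIdAuthenticator();` can simply be the unit struct `struct OpenIdAuthenticator;`. The fail-closed shape is right: `authenticate_user` unconditionally returns a NOT_IMPLEMENTED error, so registering this authenticator cannot open a password login path for OpenID realms; it only lets the realm-existence check in `lookup_authenticator` succeed.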
-- 
2.47.3

* [PATCH datacenter-manager v2 2/2] ui: set product realm so that the add user dialogs are rendered properly
From: Shannon Sterz @ 2026-02-09  9:43 UTC (permalink / raw)
  To: pdm-devel

without setting this the add user dialog won't display the fields for
the password and confirming the password anymore, even for the pdm realm.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 ui/src/configuration/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/src/configuration/mod.rs b/ui/src/configuration/mod.rs
index 18fc396..6ffb64b 100644
--- a/ui/src/configuration/mod.rs
+++ b/ui/src/configuration/mod.rs
@@ -68,7 +68,7 @@ pub fn access_control() -> Html {
                 Container::new()
                     .class("pwt-content-spacer")
                     .class(pwt::css::FlexFit)
-                    .with_child(UserPanel::new())
+                    .with_child(UserPanel::new().product_realm(AttrValue::from("pdm")))
                     // forces a reload when the tab becomes visible again
                     .key(format!(
                         "user-management-{}",
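Review bot: `.product_realm(AttrValue::from("pdm"))` hardcodes the product realm name as a string literal in the UI; if the server already has a constant for its own realm name, use it here (or introduce one shared by both), so the dialog's decision about which realms get password fields and the server-side realm handling cannot drift apart. Beyond that the change matches the cover letter's intent: the password fields are shown only for the realm in which PDM actually stores a password.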
-- 
2.47.3

* Re: [PATCH datacenter-manager v2 0/2] fix adding users manually for openid/ldap/ad realms
From: Lukas Wagner @ 2026-02-12 13:18 UTC (permalink / raw)
  To: Shannon Sterz, pdm-devel

On Mon Feb 9, 2026 at 10:43 AM CET, Shannon Sterz wrote:
> currently, when adding a new user manually through the ui, a password
> needs to be entered for all realms but the pam realm. however, only for
> the pdm/product realm itself do we store a password. so don't require
> these fields for any other realm.
>
> also adds a dummy authenticator implementation for openid realms. this
> is necessary, because looking up whether an authenticator is present is
> used for validating that a realm exists when adding a user. so add a
> dummy authenticator for openid realms.
>
> changes since v1
>
> * dropped a `cargo fmt` commit that is no longer necessary
> * patch 1/1 of the original series was applied to yew-comp already, so i
>   dropped it here
> * fixed a typo in the commit message of 2/2
>
> proxmox-datacenter-manager:
>
> Shannon Sterz (2):
>   fix #7182: server: auth: add dummy openid authenticator
>   ui: set product realm so that the add user dialogs are rendered
>     properly
>
>  server/src/auth/mod.rs      | 61 ++++++++++++++++++++++++++++++-------
>  ui/src/configuration/mod.rs |  2 +-
>  2 files changed, 51 insertions(+), 12 deletions(-)
>
>
> Summary over all repositories:
>   2 files changed, 51 insertions(+), 12 deletions(-)
>
> --
> Generated by git-murpp 0.8.1


Looks good to me. Tested it against a locally running keycloak server.

Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Tested-by: Lukas Wagner <l.wagner@proxmox.com>

* applied: [PATCH datacenter-manager v2 0/2] fix adding users manually for openid/ldap/ad realms
From: Dominik Csapak @ 2026-02-13  8:34 UTC (permalink / raw)
  To: pdm-devel, Shannon Sterz

On Mon, 09 Feb 2026 10:43:47 +0100, Shannon Sterz wrote:
> currently, when adding a new user manually through the ui, a password
> needs to be entered for all realms but the pam realm. however, only for
> the pdm/product realm itself do we store a password. so don't require
> these fields for any other realm.
> 
> also adds a dummy authenticator implementation for openid realms. this
> is necessary, because looking up whether an authenticator is present is
> used for validating that a realm exists when adding a user. so add a
> dummy authenticator for openid realms.
> 
> [...]

Applied, thanks!

[1/2] fix #7182: server: auth: add dummy openid authenticator
      commit: dba24ae3540ccfba4fee94db45cacbcbc0f57d43
[2/2] ui: set product realm so that the add user dialogs are rendered properly
      commit: 464a106d3865f940dec6eefda7d17b3758fc3cd4
