From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [access-contorl] fix #2947 login name for the LDAP/AD realm can be case-insensitive
Date: Mon, 31 Aug 2020 15:05:52 +0200 [thread overview]
Message-ID: <05d5b9b8-d79b-84e9-2d6e-23fbfec6b5ae@proxmox.com> (raw)
In-Reply-To: <20200828111943.26450-1-w.link@proxmox.com>
just found something small that thomas did not mention (inline)
On 8/28/20 1:19 PM, Wolfgang Link wrote:
> This is an optional for LDAP and AD realm.
> The default behavior is case-sensitive.
>
> Signed-off-by: Wolfgang Link <w.link@proxmox.com>
> ---
> PVE/API2/AccessControl.pm | 20 ++++++++++++++++++++
> PVE/Auth/LDAP.pm | 7 +++++++
> 2 files changed, 27 insertions(+)
>
> diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
> index fd27786..4b4d0be 100644
> --- a/PVE/API2/AccessControl.pm
> +++ b/PVE/API2/AccessControl.pm
> @@ -226,6 +226,25 @@ __PACKAGE__->register_method ({
> returns => { type => "null" },
> code => sub { return undef; }});
>
> +sub lookup_username {
> + my ($username) = @_;
> +
> + $username =~ /@(.+)/;
the user part of the user name can contain an @
(e.g. foo@bar@pve) so we have to correctly match after the last @
/@([^@]+)$/
> +
> + my $realm = $1;
> + my $domain_cfg = cfs_read_file("domains.cfg");
> + my $casesensitive = $domain_cfg->{ids}->{$realm}->{casesensitive} // 1;
> + my $usercfg = cfs_read_file('user.cfg');
> +
> + if ($casesensitive == 0) {
> + foreach my $user_name (keys %{$usercfg->{users}}) {
> + return $user_name if lc $username eq lc $user_name;
> + }
> + }
> +
> + return $username;
> +};
> +
> __PACKAGE__->register_method ({
> name => 'create_ticket',
> path => 'ticket',
> @@ -292,6 +311,7 @@ __PACKAGE__->register_method ({
> my $username = $param->{username};
> $username .= "\@$param->{realm}" if $param->{realm};
>
> + $username = lookup_username($username);
> my $rpcenv = PVE::RPCEnvironment::get();
>
> my $res;
> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
> index 09b2202..75cce0f 100755
> --- a/PVE/Auth/LDAP.pm
> +++ b/PVE/Auth/LDAP.pm
> @@ -129,6 +129,12 @@ sub properties {
> optional => 1,
> default => 'ldap',
> },
> + casesensitive => {
> + description => "username is case-sensitive",
> + type => 'boolean',
> + optional => 1,
> + default => 1,
> + }
> };
> }
>
> @@ -159,6 +165,7 @@ sub options {
> group_classes => { optional => 1 },
> 'sync-defaults-options' => { optional => 1 },
> mode => { optional => 1 },
> + casesensitive => { optional => 1 },
> };
> }
>
>
prev parent reply other threads:[~2020-08-31 13:05 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-28 11:19 Wolfgang Link
2020-08-28 12:39 ` Thomas Lamprecht
2020-08-28 12:41 ` Thomas Lamprecht
2020-08-31 13:05 ` Dominik Csapak [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=05d5b9b8-d79b-84e9-2d6e-23fbfec6b5ae@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox