From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <d.csapak@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id DD6946975B
 for <pve-devel@lists.proxmox.com>; Mon, 31 Aug 2020 15:05:54 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id D37FB144EC
 for <pve-devel@lists.proxmox.com>; Mon, 31 Aug 2020 15:05:54 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 8D0BB144DC
 for <pve-devel@lists.proxmox.com>; Mon, 31 Aug 2020 15:05:53 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 55D7D44960
 for <pve-devel@lists.proxmox.com>; Mon, 31 Aug 2020 15:05:53 +0200 (CEST)
To: pve-devel@lists.proxmox.com
References: <20200828111943.26450-1-w.link@proxmox.com>
From: Dominik Csapak <d.csapak@proxmox.com>
Message-ID: <05d5b9b8-d79b-84e9-2d6e-23fbfec6b5ae@proxmox.com>
Date: Mon, 31 Aug 2020 15:05:52 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:80.0) Gecko/20100101
 Thunderbird/80.0
MIME-Version: 1.0
In-Reply-To: <20200828111943.26450-1-w.link@proxmox.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.745 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 NICE_REPLY_A           -0.207 Looks like a legit reply (A)
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [accesscontrol.pm, ldap.pm]
Subject: Re: [pve-devel] [access-contorl] fix #2947 login name for the
 LDAP/AD realm can be case-insensitive
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2020 13:05:54 -0000

just found something small that thomas did not mention (inline)

On 8/28/20 1:19 PM, Wolfgang Link wrote:
> This is an optional for LDAP and AD realm.
> The default behavior is case-sensitive.
> 
> Signed-off-by: Wolfgang Link <w.link@proxmox.com>
> ---
>   PVE/API2/AccessControl.pm | 20 ++++++++++++++++++++
>   PVE/Auth/LDAP.pm          |  7 +++++++
>   2 files changed, 27 insertions(+)
> 
> diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
> index fd27786..4b4d0be 100644
> --- a/PVE/API2/AccessControl.pm
> +++ b/PVE/API2/AccessControl.pm
> @@ -226,6 +226,25 @@ __PACKAGE__->register_method ({
>       returns => { type => "null" },
>       code => sub { return undef; }});
>   
> +sub lookup_username {
> +    my ($username) = @_;
> +
> +    $username =~ /@(.+)/;

the user part of the user name can contain an @
(e.g. foo@bar@pve) so we have to correctly match after the last @

/@([^@]+)$/


> +
> +    my $realm = $1;
> +    my $domain_cfg = cfs_read_file("domains.cfg");
> +    my $casesensitive = $domain_cfg->{ids}->{$realm}->{casesensitive} // 1;
> +    my $usercfg = cfs_read_file('user.cfg');
> +
> +    if ($casesensitive == 0) {
> +	foreach my $user_name (keys %{$usercfg->{users}}) {
> +	    return $user_name if lc $username eq lc $user_name;
> +	}
> +    }
> +
> +    return $username;
> +};
> +
>   __PACKAGE__->register_method ({
>       name => 'create_ticket',
>       path => 'ticket',
> @@ -292,6 +311,7 @@ __PACKAGE__->register_method ({
>   	my $username = $param->{username};
>   	$username .= "\@$param->{realm}" if $param->{realm};
>   
> +	$username = lookup_username($username);
>   	my $rpcenv = PVE::RPCEnvironment::get();
>   
>   	my $res;
> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
> index 09b2202..75cce0f 100755
> --- a/PVE/Auth/LDAP.pm
> +++ b/PVE/Auth/LDAP.pm
> @@ -129,6 +129,12 @@ sub properties {
>   	    optional => 1,
>   	    default => 'ldap',
>   	},
> +        casesensitive => {
> +	    description => "username is case-sensitive",
> +	    type => 'boolean',
> +	    optional => 1,
> +	    default => 1,
> +	}
>       };
>   }
>   
> @@ -159,6 +165,7 @@ sub options {
>   	group_classes => { optional => 1 },
>   	'sync-defaults-options' => { optional => 1 },
>   	mode => { optional => 1 },
> +	casesensitive => { optional => 1 },
>       };
>   }
>   
>