From: Christoph Heiss
To: pve-devel@lists.proxmox.com
Date: Tue, 31 Jan 2023 13:50:41 +0100
Message-Id: <20230131125043.380402-1-c.heiss@proxmox.com>
Subject: [pve-devel] [PATCH access-control/docs 0/2] fix #3748: Allow reserved characters in attribute values of LDAP DNs

This fixes #3748 [0] by allowing reserved characters in `bind_dn` (and other properties of the same format) if they are properly quoted and adds some corresponding documentation regarding that.

This was tested by setting up a slapd server and creating a user with the CN `Test, User` much like in the bug report, then using this user as `bind_dn` in the sync options. (I also tested some variants of that CN, including just `TestUser`.)

One thing that still won't work is syncing of LDAP users with colons or slashes in their CNs. In such cases, the message `value 'Test, User@ldap' does not look like a valid user name` will pop up. This is due to spaces and colons being explicitly disallowed in usernames [1]. This probably means that such names can never be allowed, which is being documented too as part of patch 2. But with this series, such users can at least be used to bind for syncing.

[0] https://bugzilla.proxmox.com/show_bug.cgi?id=3748
[1] https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=src/PVE/Auth/Plugin.pm;hb=HEAD#l115

Christoph Heiss (1):
  ldap: Allow quoted values for DN attribute values

 src/PVE/Auth/LDAP.pm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

Christoph Heiss (1):
  pveum: Document reserved characters and quoting of LDAP DNs

 pveum.adoc | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

-- 
2.34.1
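The cover letter describes the two behaviours at play: a DN attribute value may contain reserved characters such as `,` only if it is quoted (or backslash-escaped), while the derived PVE user name still must not contain spaces or colons. The following Python snippet is an added illustration of both checks and is not the series' own Perl code from `src/PVE/Auth/LDAP.pm` (which is not reproduced on this page). The DN grammar follows RFC 4514 escaping plus the older RFC 2253 quoted form; the `sync_user_name` rule is an assumption that only approximates the real username check in `Plugin.pm` [1]. Sample DNs are constructed.

```python
import re

# Attribute type: a short name such as CN or DC, or a dotted OID (RFC 4514).
ATTR_TYPE = r'(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)'
# Quoted form (RFC 2253 legacy syntax): any characters between double quotes,
# with backslash escapes permitted inside the quotes.
QUOTED_VALUE = r'"(?:[^"\\]|\\.)*"'
# Unquoted form (RFC 4514): the reserved characters , + " \ < > ; must be
# escaped, either as \<char> or as a \XX hex pair.
UNQUOTED_VALUE = r'(?:[^,+"\\<>;]|\\[,+"\\<>;#= ]|\\[0-9A-Fa-f]{2})+'
RDN_RE = re.compile(rf'^\s*{ATTR_TYPE}=(?:{QUOTED_VALUE}|{UNQUOTED_VALUE})\s*$')


def split_dn(dn):
    """Split a DN into its RDN strings at commas that are neither escaped
    nor inside double quotes. Raises ValueError on malformed quoting."""
    rdns, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == '\\':
            # Keep the escape pair together so a '\,' never splits the DN.
            if i + 1 >= len(dn):
                raise ValueError('dangling backslash at end of DN')
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == ',' and not in_quotes:
            rdns.append(''.join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    if in_quotes:
        raise ValueError('unterminated double quote in DN')
    rdns.append(''.join(buf))
    return rdns


def is_valid_dn(dn):
    """True if every RDN is 'type=value' with a value that is either quoted
    or has all reserved characters escaped (single-valued RDNs only)."""
    try:
        rdns = split_dn(dn)
    except ValueError:
        return False
    return all(RDN_RE.match(rdn) for rdn in rdns)


def sync_user_name(cn, realm):
    """Assumption, not the project's rule: build the 'cn@realm' user name
    and reject it if it contains whitespace or a colon, mirroring the
    'does not look like a valid user name' failure described above."""
    name = f'{cn}@{realm}'
    if re.search(r'[\s:]', name):
        return None
    return name


if __name__ == '__main__':
    # Constructed sample bind DNs, modelled on the 'Test, User' case.
    for dn in (
        'CN=TestUser,OU=Users,DC=example,DC=com',
        'CN="Test, User",OU=Users,DC=example,DC=com',
        r'CN=Test\, User,OU=Users,DC=example,DC=com',
        'CN=Test, User,OU=Users,DC=example,DC=com',
    ):
        print(f'{dn!r}: valid={is_valid_dn(dn)}')
    for cn in ('TestUser', 'Test, User'):
        print(f'{cn!r}@ldap -> {sync_user_name(cn, "ldap")}')
```

Running the script shows the quoted and backslash-escaped variants of `Test, User` passing the DN check while the bare form is rejected (its second "RDN" is just ` User`, with no `=`), and shows why the same CN still cannot become a `user@realm` name: the space survives into the user name and trips the username rule.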