From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 5D65DF9AE for ; Mon, 24 Jul 2023 11:04:52 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 1384CBD55 for ; Mon, 24 Jul 2023 11:04:22 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 24 Jul 2023 11:04:21 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 023B1439A3 for ; Mon, 24 Jul 2023 11:04:21 +0200 (CEST) From: Christoph Heiss To: pve-devel@lists.proxmox.com Date: Mon, 24 Jul 2023 11:03:50 +0200 Message-ID: <20230724090408.221672-6-c.heiss@proxmox.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230724090408.221672-1-c.heiss@proxmox.com> References: <20230724090408.221672-1-c.heiss@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.053 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pve-devel] [PATCH access-control v2 5/5] ldap: check bind credentials with LDAP directory directly on change X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2023 09:04:52 -0000 Instead of letting a sync fail on the first try due to e.g. bad bind credentials, give the user some direct feedback when trying to save a LDAP realm in the UI. This is part of the result of a previous discussion [0], and the same approach is already implemented for PBS [1]. [0] https://lists.proxmox.com/pipermail/pve-devel/2023-May/056839.html [1] https://lists.proxmox.com/pipermail/pbs-devel/2023-June/006237.html Signed-off-by: Christoph Heiss --- Changes v1 -> v2: * Fixed updating a LDAP realm via pveum/pvesh/etc (thanks Friedrich!) Summary: $plugin->on_update_hook() was passed only the updated parameters, meaning if only e.g. the `comment` field was updated, other options like `server1` were missing and thus the connect/bind would fail - it worked via the GUI, as that always passes all set options. * Replaced ternary operator with simplier short-circuit || One thing to note might be that this "regresses" the UI in that you cannot create or change realm settings, if the target LDAP server cannot be reached. After a short off-list discussion with Sterzy, a 'force' API parameter (and accompanying checkbox in the UI) could be added to bypass this "restriction", although open to discussion how useful that even would be. src/PVE/API2/Domains.pm | 7 +++++-- src/PVE/Auth/LDAP.pm | 19 +++++++++++++------ 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm index 9332aa7..68e3c7d 100644 --- a/src/PVE/API2/Domains.pm +++ b/src/PVE/API2/Domains.pm @@ -231,10 +231,13 @@ __PACKAGE__->register_method ({ } my $opts = $plugin->options(); + + # Some update hooks, like e.g. LDAP, which tries to connect and bind to the target + # server, need the rest of config too => use the already-merged config if ($delete_pw || defined($password)) { - $plugin->on_update_hook($realm, $config, password => $password); + $plugin->on_update_hook($realm, $ids->{$realm}, password => $password); } else { - $plugin->on_update_hook($realm, $config); + $plugin->on_update_hook($realm, $ids->{$realm}); } cfs_write_file($domainconfigfile, $cfg); diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm index e0ead1b..ec4cd31 100755 --- a/src/PVE/Auth/LDAP.pm +++ b/src/PVE/Auth/LDAP.pm @@ -181,7 +181,7 @@ sub get_scheme_and_port { } sub connect_and_bind { - my ($class, $config, $realm) = @_; + my ($class, $config, $realm, $param) = @_; my $servers = [$config->{server1}]; push @$servers, $config->{server2} if $config->{server2}; @@ -212,7 +212,7 @@ sub connect_and_bind { if ($config->{bind_dn}) { my $bind_dn = $config->{bind_dn}; - my $bind_pass = ldap_get_credentials($realm); + my $bind_pass = $param->{password} || ldap_get_credentials($realm); die "missing password for realm $realm\n" if !defined($bind_pass); PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass); } elsif ($config->{cert} && $config->{certkey}) { @@ -427,20 +427,27 @@ sub on_add_hook { my ($class, $realm, $config, %param) = @_; if (defined($param{password})) { + $class->connect_and_bind($config, $realm, \%param); ldap_set_credentials($param{password}, $realm); } else { - ldap_delete_credentials($realm); + # Still validate the bind credentials, even if no user/password is given + $class->connect_and_bind($config, $realm); } } sub on_update_hook { my ($class, $realm, $config, %param) = @_; - return if !exists($param{password}); - - if (defined($param{password})) { + if (!exists($param{password})) { + # Password wasn't changed, login still needs to be validated in case bind_dn changed + $class->connect_and_bind($config, $realm); + } elsif (defined($param{password})) { + # Password was updated, validate the login and only then store it + $class->connect_and_bind($config, $realm, \%param); ldap_set_credentials($param{password}, $realm); } else { + # Otherwise, the password was removed, so delete it + $class->connect_and_bind($config, $realm, \%param); ldap_delete_credentials($realm); } } -- 2.41.0