From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id A79888685 for ; Thu, 27 Jul 2023 15:34:16 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 8DC1BBFCB for ; Thu, 27 Jul 2023 15:33:46 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 27 Jul 2023 15:33:45 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id C499940858 for ; Thu, 27 Jul 2023 15:33:44 +0200 (CEST) From: Christoph Heiss To: pve-devel@lists.proxmox.com Date: Thu, 27 Jul 2023 15:33:16 +0200 Message-ID: <20230727133341.1009881-1-c.heiss@proxmox.com> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.047 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pve-devel] [PATCH access-control/manager 0/2] ldap: check bind connection on realm add/update X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Jul 2023 13:34:16 -0000 First of, this removes the dreaded LDAP DN regex. Further, upon saving a LDAP realm in the UI, it tries to connect & bind using the provided credentials, providing the user with immediate feedback whether they are valid or not. The same approach is already implemented in PBS [0], and I'll plan to implement the same for PMG too, if & when the PVE side is done. Testing ------- Changes were tested against slapd 2.5.13+dfsg-5, using both the web UI and `pveum` to create and update realms with different combinations of valid and invalid parameters, mixed with using new `check-connection` parameter. Prior art --------- This completely supersedes the previous series [1]. This series is a complete new approach to it (also why this also isn't marked as v3), which previously tried to solve this using a new schema format by validated DNs using Net::LDAP::Util::canonical_dn(). But this has the problem that it does not support AD-specific DN syntax. After a off-list discussion with Lukas (summary [2]), it was decided to rather implement it much like PBS does it - simply drop the explicit validation of DN parameters, instead just trying to connect & bind to the target server - although I'm always open for other/better suggestions to tackle this. [0] https://git.proxmox.com/?p=proxmox-backup.git;a=commitdiff;h=5210f3b5 [1] https://lists.proxmox.com/pipermail/pve-devel/2023-July/058392.html [2] https://lists.proxmox.com/pipermail/pve-devel/2023-July/058540.html -- 2.41.0