From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 92EB7BB93 for ; Thu, 10 Aug 2023 14:37:17 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 7A72B1A81 for ; Thu, 10 Aug 2023 14:37:17 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 10 Aug 2023 14:37:15 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id B0A2E44992 for ; Thu, 10 Aug 2023 14:37:15 +0200 (CEST) From: Christoph Heiss To: pve-devel@lists.proxmox.com Date: Thu, 10 Aug 2023 14:37:04 +0200 Message-ID: <20230810123710.949260-1-c.heiss@proxmox.com> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.043 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [ldap.pm, proxmox.com, plugin.pm, domains.pm, sectionconfig.pm] Subject: [pve-devel] [PATCH common/access-control/manager v3 0/4] ldap: check bind connection on realm add/update X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Aug 2023 12:37:17 -0000 First of, remove the dreaded LDAP DN regex. Further, upon saving a LDAP realm in the UI, it tries to connect & bind using the provided credentials, providing the user with immediate feedback whether they are valid or not. The same approach is already implemented in PBS [0], and I'll plan to implement the same for PMG too, if & when the PVE side is done. Testing ------- Changes were tested against slapd 2.5.13+dfsg-5 (for LDAP), Samba 4.18.5 and Windows Server 2022 (for AD), using both the web UI and `pveum` to create and update realms with different combinations of valid and invalid parameters, mixed with using new `check-connection` parameter. Prior art --------- v2: https://lists.proxmox.com/pipermail/pve-devel/2023-August/058586.html v1: https://lists.proxmox.com/pipermail/pve-devel/2023-July/058551.html Notable changes v2 -> v3: * Move 'check-connection' param out of schema to extra param (thanks Wolfgang!) Notable changes v1 -> v2: * Added patch #1 from previous series [1], missed that in v1 * Do not store the 'check-connection' parameter in the realm config * Add "Check connection" checkbox to AD edit too This series supersedes [1], which previously solved this using a new schema format by validating DNs using Net::LDAP::Util::canonical_dn(). But this has the problem that it does not support AD-specific DN syntax. After a off-list discussion with Lukas (summary [2] [3]), it was decided to rather implement it much like PBS does it - simply drop the explicit validation of DN parameters, instead just trying to connect & bind to the target server. [0] https://git.proxmox.com/?p=proxmox-backup.git;a=commitdiff;h=5210f3b5 [1] https://lists.proxmox.com/pipermail/pve-devel/2023-July/058392.html [2] https://lists.proxmox.com/pipermail/pve-devel/2023-July/058540.html [3] https://lists.proxmox.com/pipermail/pve-devel/2023-August/058582.html pve-common: Christoph Heiss (2): ldap: handle errors explicitly everywhere instead of simply `die`ing section config: allow base properties for {create,update}Schema() src/PVE/LDAP.pm | 11 ++++++----- src/PVE/SectionConfig.pm | 8 ++++---- 2 files changed, 10 insertions(+), 9 deletions(-) pve-access-control: Christoph Heiss (1): ldap: add opt-in `check-connection` param to perform a bind check src/PVE/API2/Domains.pm | 36 +++++++++++++++++++++++++++++++++--- src/PVE/Auth/LDAP.pm | 18 +++++++++--------- src/PVE/Auth/Plugin.pm | 8 ++++++++ 3 files changed, 50 insertions(+), 12 deletions(-) pve-manager: Christoph Heiss (1): ui: ldap: add 'Check connection' checkbox as advanced option www/manager6/dc/AuthEditAD.js | 15 +++++++++++++++ www/manager6/dc/AuthEditLDAP.js | 15 +++++++++++++++ 2 files changed, 30 insertions(+) -- 2.41.0