From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 9EB4FBC01 for ; Thu, 10 Aug 2023 14:37:17 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 86A2F1A83 for ; Thu, 10 Aug 2023 14:37:17 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 10 Aug 2023 14:37:16 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 676F944984 for ; Thu, 10 Aug 2023 14:37:16 +0200 (CEST) From: Christoph Heiss To: pve-devel@lists.proxmox.com Date: Thu, 10 Aug 2023 14:37:07 +0200 Message-ID: <20230810123710.949260-4-c.heiss@proxmox.com> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230810123710.949260-1-c.heiss@proxmox.com> References: <20230810123710.949260-1-c.heiss@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.043 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com, ldap.pm] Subject: [pve-devel] [PATCH access-control v3 3/4] ldap: add opt-in `check-connection` param to perform a bind check X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Aug 2023 12:37:17 -0000 Removes the dreaded DN regex, instead introducing a optional connect/bind check on creation/update, aligning it with the way PBS does it. Additionally, it has the benefit that instead of letting a sync fail on the first try due to e.g. bad bind credentials, it gives the user some direct feedback when trying to add/update a LDAP realm, if enabled. Should be rather a corner case, but it's the easiest way for us to accomodate and the most versatile for users needing this. This is part of the result of a previous discussion [0], and the same approach is already implemented for PBS [1]. [0] https://lists.proxmox.com/pipermail/pve-devel/2023-May/056839.html [1] https://lists.proxmox.com/pipermail/pbs-devel/2023-June/006237.html Signed-off-by: Christoph Heiss --- N.B.: Needs a version bump of libpve-common-perl for the base properties parameter on {create,update}Schema(). Changes v2 -> v3: * Move 'check-connection' out of schema definition to extra param Pointed out by Wolfgang, it should not be part of the (stored) config schema if never stored. [2] Changes v1 -> v2: * Do not store the 'check-connection' parameter in the realm config The decision to put this behind an optional (off-by-default) parameter was made during an off-list discussion with Lukas. The summary of that can be found as a follow-up on the previous series [3] [4]. Note that the `base_dn`/`group_dn` now goes completely unvalided - but again, that is how it works in PBS. [2] https://lists.proxmox.com/pipermail/pve-devel/2023-August/058724.html [3] https://lists.proxmox.com/pipermail/pve-devel/2023-July/058540.html [4] https://lists.proxmox.com/pipermail/pve-devel/2023-August/058582.html src/PVE/API2/Domains.pm | 36 +++++++++++++++++++++++++++++++++--- src/PVE/Auth/LDAP.pm | 18 +++++++++--------- src/PVE/Auth/Plugin.pm | 8 ++++++++ 3 files changed, 50 insertions(+), 12 deletions(-) diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm index 9332aa7..e7b7d39 100644 --- a/src/PVE/API2/Domains.pm +++ b/src/PVE/API2/Domains.pm @@ -117,7 +117,14 @@ __PACKAGE__->register_method ({ check => ['perm', '/access/realm', ['Realm.Allocate']], }, description => "Add an authentication server.", - parameters => PVE::Auth::Plugin->createSchema(), + parameters => PVE::Auth::Plugin->createSchema(0, { + 'check-connection' => { + description => 'Check bind connection to the server.', + type => 'boolean', + optional => 1, + default => 0, + }, + }), returns => { type => 'null' }, code => sub { my ($param) = @_; @@ -133,6 +140,7 @@ __PACKAGE__->register_method ({ my $realm = extract_param($param, 'realm'); my $type = $param->{type}; + my $check_connection = extract_param($param, 'check-connection'); die "domain '$realm' already exists\n" if $ids->{$realm}; @@ -143,6 +151,9 @@ __PACKAGE__->register_method ({ die "unable to create builtin type '$type'\n" if ($type eq 'pam' || $type eq 'pve'); + die "'check-connection' parameter can only be set for realms of type 'ldap' or 'ad'\n" + if defined($check_connection) && !($type eq 'ldap' || $type eq 'ad'); + if ($type eq 'ad' || $type eq 'ldap') { $map_sync_default_options->($param, 1); } @@ -165,6 +176,10 @@ __PACKAGE__->register_method ({ } $plugin->on_add_hook($realm, $config, password => $password); + # Only for LDAP/AD, implied through the existence of the 'check-connection' param + $plugin->check_connection($realm, $config, password => $password) + if $check_connection; + cfs_write_file($domainconfigfile, $cfg); }, "add auth server failed"); @@ -180,7 +195,14 @@ __PACKAGE__->register_method ({ }, description => "Update authentication server settings.", protected => 1, - parameters => PVE::Auth::Plugin->updateSchema(), + parameters => PVE::Auth::Plugin->updateSchema(0, { + 'check-connection' => { + description => 'Check bind connection to the server.', + type => 'boolean', + optional => 1, + default => 0, + }, + }), returns => { type => 'null' }, code => sub { my ($param) = @_; @@ -198,10 +220,15 @@ __PACKAGE__->register_method ({ PVE::SectionConfig::assert_if_modified($cfg, $digest); my $realm = extract_param($param, 'realm'); + my $type = $ids->{$realm}->{type}; + my $check_connection = extract_param($param, 'check-connection'); die "domain '$realm' does not exist\n" if !$ids->{$realm}; + die "'check-connection' parameter can only be set for realms of type 'ldap' or 'ad'\n" + if defined($check_connection) && !($type eq 'ldap' || $type eq 'ad'); + my $delete_str = extract_param($param, 'delete'); die "no options specified\n" if !$delete_str && !scalar(keys %$param) && !defined($password); @@ -212,7 +239,6 @@ __PACKAGE__->register_method ({ $delete_pw = 1 if $opt eq 'password'; } - my $type = $ids->{$realm}->{type}; if ($type eq 'ad' || $type eq 'ldap') { $map_sync_default_options->($param, 1); } @@ -237,6 +263,10 @@ __PACKAGE__->register_method ({ $plugin->on_update_hook($realm, $config); } + # Only for LDAP/AD, implied through the existence of the 'check-connection' param + $plugin->check_connection($realm, $ids->{$realm}, password => $password) + if $check_connection; + cfs_write_file($domainconfigfile, $cfg); }, "update auth server failed"); diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm index fc82a17..b958f2b 100755 --- a/src/PVE/Auth/LDAP.pm +++ b/src/PVE/Auth/LDAP.pm @@ -10,9 +10,6 @@ use PVE::Tools; use base qw(PVE::Auth::Plugin); -my $dn_part_regex = qr!("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])!; -our $dn_regex = qr!\w+=${dn_part_regex}(,\s*\w+=${dn_part_regex})*!; - sub type { return 'ldap'; } @@ -22,7 +19,6 @@ sub properties { base_dn => { description => "LDAP base domain name", type => 'string', - pattern => $dn_regex, optional => 1, maxLength => 256, }, @@ -36,7 +32,6 @@ sub properties { bind_dn => { description => "LDAP bind domain name", type => 'string', - pattern => $dn_regex, optional => 1, maxLength => 256, }, @@ -94,7 +89,6 @@ sub properties { description => "LDAP base domain name for group sync. If not set, the" ." base_dn will be used.", type => 'string', - pattern => $dn_regex, optional => 1, maxLength => 256, }, @@ -137,7 +131,7 @@ sub properties { type => 'boolean', optional => 1, default => 1, - } + }, }; } @@ -184,7 +178,7 @@ sub get_scheme_and_port { } sub connect_and_bind { - my ($class, $config, $realm) = @_; + my ($class, $config, $realm, $param) = @_; my $servers = [$config->{server1}]; push @$servers, $config->{server2} if $config->{server2}; @@ -215,7 +209,7 @@ sub connect_and_bind { if ($config->{bind_dn}) { my $bind_dn = $config->{bind_dn}; - my $bind_pass = ldap_get_credentials($realm); + my $bind_pass = $param->{password} || ldap_get_credentials($realm); die "missing password for realm $realm\n" if !defined($bind_pass); PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass); } elsif ($config->{cert} && $config->{certkey}) { @@ -454,4 +448,10 @@ sub on_delete_hook { ldap_delete_credentials($realm); } +sub check_connection { + my ($class, $realm, $config, %param) = @_; + + $class->connect_and_bind($config, $realm, \%param); +} + 1; diff --git a/src/PVE/Auth/Plugin.pm b/src/PVE/Auth/Plugin.pm index 2f64a13..429bc88 100755 --- a/src/PVE/Auth/Plugin.pm +++ b/src/PVE/Auth/Plugin.pm @@ -317,4 +317,12 @@ sub on_delete_hook { # do nothing by default } +# called during addition and updates of realms (before the new domain config gets written) +# die to abort addition/update in case the connection/bind fails +# NOTE: runs in a storage config *locked* context +sub check_connection { + my ($class, $realm, $config, %param) = @_; + # do nothing by default +} + 1; -- 2.41.0