From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id F2AED618E2 for ; Mon, 7 Sep 2020 10:44:09 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DD88B8DF4 for ; Mon, 7 Sep 2020 10:43:39 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 11D3D8DE5 for ; Mon, 7 Sep 2020 10:43:38 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id C1E2444A77 for ; Mon, 7 Sep 2020 10:43:37 +0200 (CEST) Date: Mon, 7 Sep 2020 10:42:54 +0200 (CEST) From: Wolfgang Link To: Proxmox VE development discussion , Dominik Csapak Message-ID: <2106163366.840.1599468174228@webmail.proxmox.com> In-Reply-To: <9f102575-138a-d839-94d4-4ef98482decf@proxmox.com> References: <20200903083620.66529-1-w.link@proxmox.com> <9f102575-138a-d839-94d4-4ef98482decf@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Priority: 3 Importance: Normal X-Mailer: Open-Xchange Mailer v7.10.3-Rev21 X-Originating-Client: open-xchange-appsuite X-SPAM-LEVEL: Spam detection results: 0 AWL 0.691 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [Patch v2 access-control] fix #2947 login name for the LDAP/AD realm can be case-insensitive X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Sep 2020 08:44:10 -0000 No I missed your mail. Will fix it and resend it. > On 09/07/2020 10:20 AM Dominik Csapak wrote: > > > one comment inline > > On 9/3/20 10:36 AM, Wolfgang Link wrote: > > This is an optional for LDAP and AD realm. > > The default behavior is case-sensitive. > > > > Signed-off-by: Wolfgang Link > > --- > > v1 -> v2: * naming of paramenter > > * use grep instead of a loop, to avoid login errors > > with ambiguous usernames > > > > PVE/API2/AccessControl.pm | 23 +++++++++++++++++++++++ > > PVE/Auth/AD.pm | 1 + > > PVE/Auth/LDAP.pm | 7 +++++++ > > 3 files changed, 31 insertions(+) > > > > diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm > > index fd27786..3155d67 100644 > > --- a/PVE/API2/AccessControl.pm > > +++ b/PVE/API2/AccessControl.pm > > @@ -226,6 +226,28 @@ __PACKAGE__->register_method ({ > > returns => { type => "null" }, > > code => sub { return undef; }}); > > > > +sub lookup_username { > > + my ($username) = @_; > > + > > + $username =~ /@(.+)/; > > i do not know if you saw my last mail, but we have to do a > better regex here, since the username can contain an '@' > > so foo@bar@pve is a valid username (:-S) > and the realm here would parse to 'bar@pve' > > so a better regex would be > /@([^@]+)$/ > > > + > > + my $realm = $1; > > + my $domain_cfg = cfs_read_file("domains.cfg"); > > + my $casesensitive = $domain_cfg->{ids}->{$realm}->{'case-sensitive'} // 1; > > + my $usercfg = cfs_read_file('user.cfg'); > > + > > + if (!$casesensitive) { > > + my @matches = grep { lc $username eq lc $_ } (keys %{$usercfg->{users}}); > > + > > + die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n" > > + if scalar @matches > 1; > > + > > + return $matches[0] > > + } > > + > > + return $username; > > +}; > > + > > __PACKAGE__->register_method ({ > > name => 'create_ticket', > > path => 'ticket', > > @@ -292,6 +314,7 @@ __PACKAGE__->register_method ({ > > my $username = $param->{username}; > > $username .= "\@$param->{realm}" if $param->{realm}; > > > > + $username = lookup_username($username); > > my $rpcenv = PVE::RPCEnvironment::get(); > > > > my $res; > > diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm > > index 4d64c20..88b2098 100755 > > --- a/PVE/Auth/AD.pm > > +++ b/PVE/Auth/AD.pm > > @@ -94,6 +94,7 @@ sub options { > > group_classes => { optional => 1 }, > > 'sync-defaults-options' => { optional => 1 }, > > mode => { optional => 1 }, > > + 'case-sensitive' => { optional => 1 }, > > }; > > } > > > > diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm > > index 09b2202..97d0778 100755 > > --- a/PVE/Auth/LDAP.pm > > +++ b/PVE/Auth/LDAP.pm > > @@ -129,6 +129,12 @@ sub properties { > > optional => 1, > > default => 'ldap', > > }, > > + 'case-sensitive' => { > > + description => "username is case-sensitive", > > + type => 'boolean', > > + optional => 1, > > + default => 1, > > + } > > }; > > } > > > > @@ -159,6 +165,7 @@ sub options { > > group_classes => { optional => 1 }, > > 'sync-defaults-options' => { optional => 1 }, > > mode => { optional => 1 }, > > + 'case-sensitive' => { optional => 1 }, > > }; > > } > > > > > > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel