Subject: Re: [pve-devel] [PATCH common/access-control v2 0/5] improve LDAP DN and bind creds checking on creation/change
From: Lukas Wagner
To: Proxmox VE development discussion, Christoph Heiss
Date: Thu, 27 Jul 2023 11:54:39 +0200
Message-ID: <730340c2-3598-8837-d490-2a62c7cb8850@proxmox.com>
In-Reply-To: <20230724090408.221672-1-c.heiss@proxmox.com>

On 7/24/23 11:03, Christoph Heiss wrote:
> tl;dr implements the result of the discussion in [0].
>
> First, this removes the dreaded LDAP DN regex, replacing it instead with
> a proper schema format, which does validation using
> Net::LDAP::Util::canonical_dn().
>

Already discussed off-list, but for the sake of completeness: I'd say we
can just do the same thing as in PBS, where we only verify the settings by
connecting to the server, but nothing else.

If we drop the check through `canonical_dn()`, then we actually improve
the AD realm implementation, which is also based on the LDAP code. AD not
only supports the regular DN syntax, but also:

  Domain\Administrator
  Administrator@Domain

However, these two formats are not accepted by `canonical_dn`. If we just
drop the check, then these alternative forms will work automatically (I've
actually tested this against a real AD server).

--
- Lukas
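To illustrate the point made in the reply above, here is an added Perl example (not code from the patch series, pve-common or PBS): it shows `canonical_dn()` returning undef for the two AD-style bind identities, and a bind-based check in the spirit of the PBS approach that lets the server decide what it accepts. The `check_bind_credentials` helper, the host name, the DNs and the CA file path are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(canonical_dn);

# Three spellings a user may enter as the bind identity of an AD realm
# (constructed sample values). Only the first is a DN in the RFC 4514
# sense; canonical_dn() returns undef for the other two, which is exactly
# why the schema check would reject them.
my @bind_ids = (
    'CN=Administrator,CN=Users,DC=example,DC=com',  # regular DN
    'EXAMPLE\Administrator',                        # Domain\User
    'Administrator@example.com',                    # User@Domain (UPN)
);

for my $id (@bind_ids) {
    my $canon = canonical_dn($id);
    printf "%-45s -> %s\n", $id, defined $canon ? $canon : 'undef (rejected)';
}

# Verify the bind credentials by actually binding instead of parsing the
# identity locally. Returns undef on success or an error string.
# Hypothetical helper, not PVE::LDAP.
sub check_bind_credentials {
    my ($host, $bind_id, $password, %opts) = @_;

    # Refuse an empty password up front: a simple bind with an empty
    # password is an unauthenticated bind, which many servers accept as
    # anonymous and would make the check "succeed" with wrong creds.
    return "empty password refused" if !defined $password || $password eq '';

    my $ldap = Net::LDAP->new(
        $host,
        scheme  => 'ldaps',
        port    => $opts{port} // 636,
        verify  => 'require',       # reject unverified server certificates
        cafile  => $opts{cafile},
        timeout => 10,
    ) or return "connect to $host failed: $@";

    my $mesg = $ldap->bind($bind_id, password => $password);
    $ldap->unbind;
    return "bind as '$bind_id' failed: " . $mesg->error if $mesg->code;
    return undef;
}

# Assumed host and CA bundle; the password comes from the environment.
my $err = check_bind_credentials('dc1.example.com', $bind_ids[2],
    $ENV{LDAP_BIND_PW}, cafile => '/etc/ssl/certs/ca-certificates.crt');
print defined $err ? "$err\n" : "bind OK\n";
```

Run against a reachable AD server, the UPN form that `canonical_dn()` rejects binds fine, while a wrong password or an untrusted certificate is reported as an error rather than silently passing.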