From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 8C686ED53 for ; Thu, 20 Jul 2023 14:42:13 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 6CB8212CB5 for ; Thu, 20 Jul 2023 14:42:13 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 20 Jul 2023 14:42:11 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 9866D41F83 for ; Thu, 20 Jul 2023 14:42:11 +0200 (CEST) Message-ID: <7e04b1df-0c19-f44c-bfaa-66d35890602d@proxmox.com> Date: Thu, 20 Jul 2023 14:42:10 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 Content-Language: en-US To: Proxmox VE development discussion , Christoph Heiss References: <20230719155157.696828-1-c.heiss@proxmox.com> From: Friedrich Weber In-Reply-To: <20230719155157.696828-1-c.heiss@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.219 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.089 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: Re: [pve-devel] [PATCH common/access-control 0/5] improve LDAP DN and bind creds checking on creation/change X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Jul 2023 12:42:13 -0000 Tested against slapd 2.4.47+dfsg-3+deb10u6. I quite like the connection check when creating/updating the realm, and also, it seems sensible to delegate DN validation to Net::LDAP. I noticed one bug: Weirdly, updating the realm via CLI or manually via API now errors out for me (the connection details are correct): $ cat /etc/pve/domains.cfg pam: pam comment Linux PAM standard authentication pve: pve comment Proxmox VE authentication server default 0 ldap: ldap comment foo base_dn dc=example,dc=com server1 [...] user_attr uid bind_dn cn=admin,dc=example,dc=com default 0 secure 0 $ pveum realm modify ldap -comment foo update auth server failed: Expected 'PeerHost' at /usr/share/perl5/Net/LDAP.pm line 173. $ http --verify no PUT 'https://[...]:8006/api2/json/access/domains/ldap' comment=foo [...] HTTP/1.1 500 update auth server failed: Expected 'PeerHost' at /usr/share/perl5/Net/LDAP.pm line 173. On 19/07/2023 17:51, Christoph Heiss wrote: > tl;dr implements the result of the discussion in [0]. > > First, this removes the dreaded LDAP DN regex, replacing it instead with > a proper schema format, which does validation using > Net::LDAP::Util::canonical_dn(). > > Further, upon saving a LDAP realm in the UI, it tries to connect & bind > using the provided credentials, providing the user with immediate > feedback whether they are valid or not. > > The same approach is already implemented in PBS [1]. > > Changes was done against slapd 2.5.13+dfsg-5. > > [0] https://lists.proxmox.com/pipermail/pve-devel/2023-May/056839.html > [1] https://git.proxmox.com/?p=proxmox-backup.git;a=commitdiff;h=5210f3b5 > [1] https://lists.proxmox.com/pipermail/pbs-devel/2023-June/006237.html > > pve-common: > > Christoph Heiss (3): > schema: add `ldap-dn` format for validating LDAP distinguished names > test: add test cases for new 'ldap-dn' schema format > ldap: handle errors explicitly everywhere instead of simply `die`ing > > debian/control | 2 ++ > src/PVE/JSONSchema.pm | 12 +++++++++ > src/PVE/LDAP.pm | 11 ++++---- > test/Makefile | 9 +++++++ > test/ldap_dn_format_test.pl | 54 +++++++++++++++++++++++++++++++++++++ > 5 files changed, 83 insertions(+), 5 deletions(-) > > pve-access-control: > > Christoph Heiss (2): > ldap: validate LDAP DNs using the `ldap-dn` schema format > ldap: check bind credentials with LDAP directory directly on change > > src/PVE/Auth/LDAP.pm | 28 ++++++++++++++++------------ > 1 file changed, 16 insertions(+), 12 deletions(-) > > -- > 2.41.0 > > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > >