access: ldap check connection on creation and change

this commit makes the ldap realm endpoints check whether a new or
updated configuration works correctly. it uses the new
`check_connection` function to make sure that a configuration can be
successfully used to connect to and query an ldap directory.

doing so allows us to remove the ldap domain regex. instead of relying
on a regex to make sure that a given distinguished name (dn) could be
correct, we simply let the ldap directory tell us whether it accepts
it. this should also aid with usability as a dn that looks correct
could still be invalid.

this also implicitly removes unauthenticated binds, since the new
`check_connection` function does not support those. it will simply
bail out of the check if a `bind_dn` is configured without a password.
therefore, this is a breaking change.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
Stefan Sterz 2023-06-26 15:17:46 +02:00 committed by Wolfgang Bumiller
parent 053e83c3c7
commit f486f8485c


@ -1,8 +1,6 @@
use serde::{Deserialize, Serialize};
use proxmox_schema::{
api, const_regex, ApiStringFormat, ApiType, ArraySchema, Schema, StringSchema, Updater,
};
use proxmox_schema::{api, ApiStringFormat, ApiType, ArraySchema, Schema, StringSchema, Updater};
use super::{REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA};
@ -142,27 +140,7 @@ pub enum RemoveVanished {
Properties,
}
macro_rules! DOMAIN_PART_REGEX {
() => {
r#"("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])"#
};
}
const_regex! {
pub LDAP_DOMAIN_REGEX = concat!(
r#"^\w+="#,
DOMAIN_PART_REGEX!(),
r#"(,\s*\w+="#,
DOMAIN_PART_REGEX!(),
")*$"
);
}
pub const LDAP_DOMAIN_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&LDAP_DOMAIN_REGEX);
pub const LDAP_DOMAIN_SCHEMA: Schema = StringSchema::new("LDAP Domain")
.format(&LDAP_DOMAIN_FORMAT)
.schema();
pub const LDAP_DOMAIN_SCHEMA: Schema = StringSchema::new("LDAP Domain").schema();
pub const SYNC_DEFAULTS_STRING_SCHEMA: Schema = StringSchema::new("sync defaults options")
.format(&ApiStringFormat::PropertyString(