Proxmox-Port/proxmox
1
0
Fork 0
forked from proxmox-mirrors/proxmox
Code Pull Requests Activity

access: ldap check connection on creation and change

Browse Source 
this commit makes the ldap realm endpoints check whether a new or
updated configuration works correctly. it uses the new
`check_connection` function to make sure that a configuration can be
successfully used to connect to and query an ldap directory.

doing so allows us to remove the ldap domain regex. instead of relying
on a regex to make sure that a given distinguished name (dn) could be
correct, we simply let the ldap directory tell us whether it accepts
it. this should also aid with usability as a dn that looks correct
could still be invalid.

this also implicitly removes unauthenticated binds, since the new
`check_connection` function does not support those. it will simply
bail out of the check if a `bind_dn` but no password is configured.
therefore, this is a breaking change.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
This commit is contained in:
Stefan Sterz 2023-06-26 15:17:46 +02:00 committed by Wolfgang Bumiller
parent 053e83c3c7
commit f486f8485c
1 changed files with 2 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
pbs-api-types/src/ldap.rs
View File

@ -1,8 +1,6 @@
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use proxmox_schema::{ use proxmox_schema::{api, ApiStringFormat, ApiType, ArraySchema, Schema, StringSchema, Updater};
api, const_regex, ApiStringFormat, ApiType, ArraySchema, Schema, StringSchema, Updater,
};
use super::{REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA}; use super::{REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA};
@ -142,27 +140,7 @@ pub enum RemoveVanished {
Properties, Properties,
} }
macro_rules! DOMAIN_PART_REGEX { pub const LDAP_DOMAIN_SCHEMA: Schema = StringSchema::new("LDAP Domain").schema();
() => {
r#"("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])"#
};
}
const_regex! {
pub LDAP_DOMAIN_REGEX = concat!(
r#"^\w+="#,
DOMAIN_PART_REGEX!(),
r#"(,\s*\w+="#,
DOMAIN_PART_REGEX!(),
")*$"
);
}
pub const LDAP_DOMAIN_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&LDAP_DOMAIN_REGEX);
pub const LDAP_DOMAIN_SCHEMA: Schema = StringSchema::new("LDAP Domain")
.format(&LDAP_DOMAIN_FORMAT)
.schema();
pub const SYNC_DEFAULTS_STRING_SCHEMA: Schema = StringSchema::new("sync defaults options") pub const SYNC_DEFAULTS_STRING_SCHEMA: Schema = StringSchema::new("sync defaults options")
.format(&ApiStringFormat::PropertyString( .format(&ApiStringFormat::PropertyString(