From f486f8485c832b6c56de7fa20ca7d049f8a25946 Mon Sep 17 00:00:00 2001
From: Stefan Sterz
Date: Mon, 26 Jun 2023 15:17:46 +0200
Subject: [PATCH] access: ldap check connection on creation and change
this commit makes the ldap realm endpoints check whether a new or updated configuration works correctly. it uses the new `check_connection` function to make sure that a configuration can be successfully used to connect to and query an ldap directory. doing so allows us to remove the ldap domain regex. instead of relying on a regex to make sure that a given distinguished name (dn) could be correct, we simply let the ldap directory tell us whether it accepts it. this should also aid with usability as a dn that looks correct could still be invalid. this also implicitly removes unauthenticated binds, since the new `check_connection` function does not support those. it will simply bail out of the check if a `bind_dn` but no password is configured. therefore, this is a breaking change.
Signed-off-by: Stefan Sterz
---
pbs-api-types/src/ldap.rs | 26 ++------------------------
1 file changed, 2 insertions(+), 24 deletions(-)
diff --git a/pbs-api-types/src/ldap.rs b/pbs-api-types/src/ldap.rs
index 762f560a..f3df90a0 100644
--- a/pbs-api-types/src/ldap.rs
+++ b/pbs-api-types/src/ldap.rs
@@ -1,8 +1,6 @@
 use serde::{Deserialize, Serialize};
-use proxmox_schema::{
- api, const_regex, ApiStringFormat, ApiType, ArraySchema, Schema, StringSchema, Updater,
-};
+use proxmox_schema::{api, ApiStringFormat, ApiType, ArraySchema, Schema, StringSchema, Updater};
 use super::{REALM_ID_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA};
@@ -142,27 +140,7 @@ pub enum RemoveVanished {
 Properties,
 }
-macro_rules! DOMAIN_PART_REGEX {
- () => {
- r#"("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])"#
- };
-}
-
-const_regex! {
- pub LDAP_DOMAIN_REGEX = concat!(
- r#"^\w+="#,
- DOMAIN_PART_REGEX!(),
- r#"(,\s*\w+="#,
- DOMAIN_PART_REGEX!(),
- ")*$"
- );
-}
-
-pub const LDAP_DOMAIN_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&LDAP_DOMAIN_REGEX);
-
-pub const LDAP_DOMAIN_SCHEMA: Schema = StringSchema::new("LDAP Domain")
- .format(&LDAP_DOMAIN_FORMAT)
- .schema();
+pub const LDAP_DOMAIN_SCHEMA: Schema = StringSchema::new("LDAP Domain").schema();
 pub const SYNC_DEFAULTS_STRING_SCHEMA: Schema = StringSchema::new("sync defaults options")
 .format(&ApiStringFormat::PropertyString(
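Review bot: With the `.format(...)` dropped, `LDAP_DOMAIN_SCHEMA` now accepts any string, including an empty one, and nothing in this file records that the syntactic check was deliberately traded for a live directory check, so a reader of the API type alone cannot tell why a DN field carries no validation. The commit message says the realm endpoints now verify the configuration through `check_connection`, but that check lives outside this file, so any other consumer of this schema (if one exists) silently lost its input validation — worth confirming. Suggest a doc comment on the constant: `/// LDAP distinguished name. Deliberately not validated syntactically; the realm endpoints verify it by connecting to and querying the directory (check_connection).` Adding `.min_length(1)` would additionally keep the obvious empty-value case out of the stored configuration before any connection attempt is made.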