proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-08-23 21:37:05 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ldap: Allow quoted values for DN attribute values

Browse Source 
This fixes #3748 by allowing reserved characters in `bind_dn` (and
other properties of the same format) if they are properly quoted and
adds some corresponding documentation regarding that.

This was tested by setting up a slapd server and creating a user with
the CN `Test, User` much like in the bug report, then using this user
as `bind_dn` in the sync options. I also tested some variants of that
CN, including just `TestUser`.)

One thing that still won't work is syncing of LDAP users with colons
or slashes in their CNs. In such cases, the message
> value 'Test, User@ldap' does not look like a valid user name
will pop up.

This is due to spaces and colons being explicitly disallowed in
usernames by PVE access-control's username schema. This probably
means that such names can never be allowed, which is being documented
too as separate pve-docs patch.

Note that while this is now a bit more strict for some cases too,
they should not matter in practice. For context; see RFC 2253 [0],
section 4. Interestingly, this document was obsoleted by RFC 4514 [1]
in 2006, which only mentions this in section 2.4 ("Converting an
AttributeValue from ASN.1 to a String") and appendix A ("Presentation
Issues").

But the first one seems to be the "authoritive" document on this
matter, at least looking at some other docs about LDAP DNs (RedHat,
Microsoft, ..).

[0] https://www.ietf.org/rfc/rfc2253.txt
[1] https://docs.ldap.com/specs/rfc4514.txt

Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
Tested-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
 [ T: added commit message ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Christoph Heiss 2023-01-31 13:50:42 +01:00 committed by Thomas Lamprecht
parent 631b48745b
commit 1aa2355aed
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/PVE/Auth/LDAP.pm
View File

@ -10,6 +10,8 @@ use PVE::Tools;
use base qw(PVE::Auth::Plugin); use base qw(PVE::Auth::Plugin);
our $dn_regex = qr!\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*!;
sub type { sub type {
return 'ldap'; return 'ldap';
} }
@ -19,7 +21,7 @@ sub properties {
base_dn => { base_dn => {
description => "LDAP base domain name", description => "LDAP base domain name",
type => 'string', type => 'string',
pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*', pattern => $dn_regex,
optional => 1, optional => 1,
maxLength => 256, maxLength => 256,
}, },
@ -33,7 +35,7 @@ sub properties {
bind_dn => { bind_dn => {
description => "LDAP bind domain name", description => "LDAP bind domain name",
type => 'string', type => 'string',
pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*', pattern => $dn_regex,
optional => 1, optional => 1,
maxLength => 256, maxLength => 256,
}, },
@ -91,7 +93,7 @@ sub properties {
description => "LDAP base domain name for group sync. If not set, the" description => "LDAP base domain name for group sync. If not set, the"
." base_dn will be used.", ." base_dn will be used.",
type => 'string', type => 'string',
pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*', pattern => $dn_regex,
optional => 1, optional => 1,
maxLength => 256, maxLength => 256,
}, },