[pve-devel] [PATCH access-control v2 2/3] ldap: add opt-in `check-connection` param to perform a bind check

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Aug 10 10:49:16 CEST 2023 

On Thu, Aug 10, 2023 at 10:35:14AM +0200, Christoph Heiss wrote:
> 
> On Thu, Aug 10, 2023 at 09:55:51AM +0200, Wolfgang Bumiller wrote:
> > On Tue, Aug 01, 2023 at 02:37:18PM +0200, Christoph Heiss wrote:
> [..]
> > > @@ -137,7 +131,13 @@ sub properties {
> > >  	    type => 'boolean',
> > >  	    optional => 1,
> > >  	    default => 1,
> > > -	}
> > > +	},
> > > +	'check-connection' => {
> > > +	    description => 'Check bind connection to LDAP server.',
> > > +	    type => 'boolean',
> > > +	    optional => 1,
> > > +	    default => 0,
> > > +	},
> >
> > While there's special handling for how we store the password, this
> > schema here should still actually describe the stored config.
> > Since this is a parameter specifically for the add/update API methods we
> > should declare it in those functions as parameter.
> >
> > Some of our methods to get schemas have an optional hash parameter to
> > include an extra set of base properties in its returned contents (see
> > `get_standard_option` as an example), but `createSchema` and
> > `updateSchema` do not.
> Right, I was unsure anyway if this was the right way anyway to add this,
> at least I did not see any other way - that explains why :^)
> 
> >
> > We could either add this, or, since this is currently only required
> > once, just move the `{create,update}Schema` calls over the
> > `register_method()` calls and modify them right there before use...
> > Since this series already touches pve-common, I have a *slight*
> > preference to extending the `create/updateSchema` subs in
> > `PVE::SectionConfig`,
> Seems like the right thing - I'd also rather do it properly once than to
> introduce a hack that sticks around ..
> 
> > although AFAICT the common patch does not strictly
> > require a dependency bump inside pve-access-control as it mostly about
> > how errors are presented to end-users (?), so either way is fine with
> Exactly, the changes in pve-common are purely cosmectic.
> 
> > me. If we update the SectionConfig we'll definitely need a versioned
> > dependency bump.
> If it's OK for you I will go this route, extending
> {create,update}Schema() as needed for this, in the same way
> get_standard_option() works.

Sure, just be aware that `get_standard_option()` only needs 1 level,
whereas for the section config ones it works one level above, as in
it returns a full schema like:

  {
    type => 'object',
    properties => { ... }
  }

It's unlikely that we'll need to modify anything at the top level, so I
think it would be fine for the extra parameter to only affect the
contained properties hash, so no need to do any multi-level merging.

More information about the pve-devel mailing list