[pve-devel] [PATCH common/access-control 0/5] improve LDAP DN and bind creds checking on creation/change
Christoph Heiss
c.heiss at proxmox.com
Thu Jul 20 15:30:20 CEST 2023
Thanks for taking a look and testing this!
On Thu, Jul 20, 2023 at 02:42:10PM +0200, Friedrich Weber wrote:
>
> Tested against slapd 2.4.47+dfsg-3+deb10u6. I quite like the connection
> check when creating/updating the realm, and also, it seems sensible to
> delegate DN validation to Net::LDAP.
>
> I noticed one bug: Weirdly, updating the realm via CLI or manually via
> API now errors out for me (the connection details are correct):
I only tested it via the UI, definitely a good catch.
>
> $ cat /etc/pve/domains.cfg
> pam: pam
> comment Linux PAM standard authentication
>
> pve: pve
> comment Proxmox VE authentication server
> default 0
>
> ldap: ldap
> comment foo
> base_dn dc=example,dc=com
> server1 [...]
> user_attr uid
> bind_dn cn=admin,dc=example,dc=com
> default 0
> secure 0
>
> $ pveum realm modify ldap -comment foo
> update auth server failed: Expected 'PeerHost' at
> /usr/share/perl5/Net/LDAP.pm line 173.
Weird. That error doesn't really match up with anything on my machine in
that file - what version of the `libnet-ldap-perl` package do
you have installed exactly?
Because I cannot seem to reproduce that error on my machine, both
`pveum` and `pvesh` work just fine for me.
>
> $ http --verify no PUT
> 'https://[...]:8006/api2/json/access/domains/ldap' comment=foo [...]
> HTTP/1.1 500 update auth server failed: Expected 'PeerHost' at
> /usr/share/perl5/Net/LDAP.pm line 173.
>
> On 19/07/2023 17:51, Christoph Heiss wrote:
> [..]
More information about the pve-devel
mailing list