[pve-devel] [PATCH common/access-control v2 0/5] improve LDAP DN and bind creds checking on creation/change

Lukas Wagner l.wagner at proxmox.com
Thu Jul 27 11:54:39 CEST 2023


On 7/24/23 11:03, Christoph Heiss wrote:
> tl;dr implements the result of the discussion in [0].
> 
> First, this removes the dreaded LDAP DN regex, replacing it instead with
> a proper schema format, which does validation using
> Net::LDAP::Util::canonical_dn().
> 
Already discussed off-list, but for the sake of completeness:

I'd say we can just do the same thing as in PBS, where we only verify the settings by
connecting to the server, but nothing else.
If we drop the check through `canonical_dn()`, then we actually improve
the AD realm implementation, which is also based on the LDAP code.

AD not only supports the regular DN syntax, but also:
   Domain\Administrator
   Administrator at Domain

However, these two formats are not accepted by `canonical_dn`. If we just drop the
check, then these alternative forms will work automatically (I've actually tested
this against a real AD server).


-- 
- Lukas
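As an added illustration (not part of the thread or of the Proxmox code), the following Perl script feeds the three bind-identity forms mentioned above through `Net::LDAP::Util::canonical_dn()`; the sample values are constructed and the domain name is a placeholder.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Util qw(canonical_dn);

# Constructed sample bind identities: a regular DN plus the two
# AD-specific forms (down-level logon name and UPN). EXAMPLE is a placeholder.
my @candidates = (
    'CN=Administrator,CN=Users,DC=example,DC=com',   # regular DN
    'EXAMPLE\\Administrator',                         # Domain\User
    'Administrator@example.com',                      # User@Domain
);

# canonical_dn() returns undef when the string cannot be parsed as a DN,
# so a syntactic check built on it rejects the two AD-only forms.
sub check_dn_syntax {
    my ($bind_dn) = @_;
    my $canon = canonical_dn($bind_dn);
    return defined $canon ? "ok: $canon" : 'rejected (not a parsable DN)';
}

for my $dn (@candidates) {
    printf "%-45s => %s\n", $dn, check_dn_syntax($dn);
}
```

Only the first form passes; the other two are rejected by the DN parser even though an AD server would accept them in a bind, which is the case for verifying by connecting instead.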
