<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">Any news on adding those few
lines to master regarding LDAP non-anonymous bind?</font><br>
<br>
<div class="moz-cite-prefix">On 07.09.15 16:25, Sten Aus wrote:<br>
</div>
<blockquote cite="mid:55ED9040.9020501@eenet.ee" type="cite">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div style="" class="markdown-here-wrapper"
data-md-url="Thunderbird">
<p style="margin: 0px 0px 1.2em ! important;">Hi</p>
<p style="margin: 0px 0px 1.2em ! important;">I would like to
propose a feature: LDAP non-anonymous bind.<br>
As it has been discussed already in forums I will link it here
as well:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://forum.proxmox.com/threads/14649-LDAP-authentication-with-non-anonymous-bind">http://forum.proxmox.com/threads/14649-LDAP-authentication-with-non-anonymous-bind</a></p>
<p style="margin: 0px 0px 1.2em ! important;">As the proposed
patch is working, I would suggest adding it to Proxmox.<br>
An (almost) copy-paste of this patch is here. One comma (,) is
missing at the end of the bind_pw {} section</p>
<pre style="font-size: 0.85em; font-family: Consolas,Inconsolata,Courier,monospace;font-size: 1em; line-height: 1.2em;margin: 1.2em 0px;"><code style="font-size: 0.85em; font-family: Consolas,Inconsolata,Courier,monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;white-space: pre; overflow: auto; border-radius: 3px; border: 1px solid rgb(204, 204, 204); padding: 0.5em 0.7em; display: block ! important;">diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index dc1c229..50df467 100755
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -18,6 +18,19 @@ sub properties {
optional => 1,
maxLength => 256,
},
+ bind_dn => {
+ description => "LDAP bind DN",
+ type => 'string',
+ pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
+ optional => 1,
+ maxLength => 256,
+ },
+ bind_pw => {
+ description => "LDAP bind password",
+ type => 'string',
+ optional => 1,
+ maxLength => 256,
+ },
user_attr => {
description => "LDAP user attribute name",
type => 'string',
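Review bot: the bind_dn pattern '\w+=[^,]+(,\s*\w+=[^,]+)*' rejects valid DNs whose attribute values contain an escaped comma (for example cn=Smith\, John,ou=Service,dc=example,dc=com), because [^,]+ stops at the backslash-escaped comma; either allow \\, inside values or drop the pattern and let the server validate the DN. Also, bind_pw is a credential that ends up in clear text in the realm configuration; its description should say so, so administrators know to use a dedicated account with search-only rights rather than a personal one.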
@@ -33,6 +46,8 @@ sub options {
server1 => {},
server2 => { optional => 1 },
base_dn => {},
+ bind_dn => { optional => 1 },
+ bind_pw => { optional => 1 },
user_attr => {},
port => { optional => 1 },
secure => { optional => 1 },
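Review bot: bind_dn and bind_pw are accepted independently here, but the two only make sense as a pair: bind_pw without bind_dn is silently ignored by the bind code further down, and bind_dn without bind_pw leads to a bind with an undefined password. Consider validating the pair where the options are checked, or at least stating the dependency in both descriptions. As the reporter notes, the GUI drops these keys when a realm is edited, so the API and GUI schema need the same two additions for the option to survive a round trip.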
@@ -50,6 +65,12 @@ my $authenticate_user_ldap = sub {
my $conn_string = "$scheme://${server}:$port";
my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n";
+ if ($config->{bind_dn} ) {
+ my $res = $ldap->bind( $config->{bind_dn}, password => $config->{bind_pw} );
+ my $code = $res->code();
+ my $err = $res->error;
+ die "Error during initial bind: $err\n" if ($code);
+ }
my $search = $config->{user_attr} . "=" . $username;
my $result = $ldap->search( base => "$config->{base_dn}",
scope => "sub",
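Review bot: the service-account bind in the new if ($config->{bind_dn}) block sends bind_pw over a connection created with verify => 'none' on the line just above it, so with ldaps:// the server certificate is never checked and the shared credential is exposed to anyone who can interpose on the path; a shared account password deserves certificate verification more than an anonymous bind did. The block should also refuse an undefined password instead of passing it to bind: add die "bind_dn set but bind_pw missing\n" unless defined $config->{bind_pw}; before the call. Minor style: $res->code() and $res->error mix call syntax, and there is a stray space in if ($config->{bind_dn} ).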
</code></pre>
<p style="margin: 0px 0px 1.2em ! important;">Now, all you’ve
got to do is edit the <code style="font-size: 0.85em; font-family: Consolas,Inconsolata,Courier,monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">/etc/pve/domains.cfg</code>
file and add the <code style="font-size: 0.85em; font-family: Consolas,Inconsolata,Courier,monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">bind_dn</code>
and <code style="font-size: 0.85em; font-family: Consolas,Inconsolata,Courier,monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;">bind_pw</code>
parameters there.</p>
<p style="margin: 0px 0px 1.2em ! important;">Also, when I edit
from the GUI, those values get lost from this file, so I would
suggest that you configure LDAP from the GUI and then add those
two rows there from the CLI.</p>
<p style="margin: 0px 0px 1.2em ! important;">As some daemon
caches LDAP.pm, I needed to restart my host to get the LDAP bind
working. I have tried to restart three services:</p>
<pre style="font-size: 0.85em; font-family: Consolas,Inconsolata,Courier,monospace;font-size: 1em; line-height: 1.2em;margin: 1.2em 0px;"><code style="font-size: 0.85em; font-family: Consolas,Inconsolata,Courier,monospace;margin: 0px 0.15em; padding: 0px 0.3em; white-space: pre-wrap; border: 1px solid rgb(234, 234, 234); background-color: rgb(248, 248, 248); border-radius: 3px; display: inline;white-space: pre; overflow: auto; border-radius: 3px; border: 1px solid rgb(204, 204, 204); padding: 0.5em 0.7em; display: block ! important;">service pve-cluster restart && service pve-manager restart && service pveproxy restart
</code></pre>
<p style="margin: 0px 0px 1.2em ! important;">Can anyone tell me
what service caches it? Can I restart it without affecting my
KVMs?</p>
<p style="margin: 0px 0px 1.2em ! important;">Maybe a feature in
Proxmox 4.0? Or, if stable is too far away, then in 3.4. :)</p>
<p style="margin: 0px 0px 1.2em ! important;">All the best<br>
Sten Aus</p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
pve-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:pve-devel@pve.proxmox.com">pve-devel@pve.proxmox.com</a>
<a class="moz-txt-link-freetext" href="http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel">http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel</a>
</pre>
</blockquote>
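<p>As an added illustration that is not part of the original mail or of the Proxmox code, this is how the two keys proposed above would sit in a realm stanza of /etc/pve/domains.cfg once the patch is applied; the realm name, host name, DNs and password are constructed placeholders:</p>

```text
ldap: example
    base_dn ou=People,dc=example,dc=com
    server1 ldap.example.com
    user_attr uid
    secure 1
    bind_dn cn=pve-bind,ou=Service,dc=example,dc=com
    bind_pw <bind-password-placeholder>
```

<p>Because bind_pw is stored in clear text in this file, the account named in bind_dn should be one dedicated to Proxmox with search-only rights on the user subtree.</p>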
<br>
</body>
</html>