[pbs-devel] [PATCH v3 proxmox{, -backup, -widget-toolkit} 00/18] add LDAP realm support

Lukas Wagner l.wagner at proxmox.com
Thu Feb 9 14:31:10 CET 2023


This patch series adds support for adding LDAP realms, including user sync.

The configuration scheme in `pbs-api-types` is based on the one from PVE,
with some slight differences:
  * consistent use of kebab-case for properties
  * only support `mode` instead of the deprecated `secure` property

The GUI is mostly based on the implementation from PVE, with some slight
adaptations - for details, please refer to the commit messages.
The GUI components were added to the widget-toolkit repo, at some point PVE
could be adapted to use the same implemention as PBS.

This patch series adds a new dependency to the `proxmox-ldap` crate,
introduced in [1]. This also brings in `ldap3` and `lber` as new transitive
dependencies. Both crates were already packaged and are available on the
repository, thanks to Fabian.

The implementation was tested against the following LDAP servers:
  * slapd 2.5.13 on Ubuntu Server 22.04 (LDAP, LDAPS, STARTTLS)
  * Windows Server 2022 Active Directory (LDAP)
  * glauth 2.1.0 (LDAP, LDAPS)

Some notes for testers:
  * I can recommend `glauth` for testing: It is an LDAP server implementation
    in a statically-compiled Go binary that can be configured using a single,
    simple to understand configuration file. I can share my config if needed.


Note: This patch series includes a cherry-picked commit from Hannes' series from
[2]. The functionality was needed for user sync.

Changes v2 --> v3:
  * Dropped the `Ldap` prefix for structs from the `proxmox-ldap` crate
  * minor clippy fixes
  * added a `OpenIdAuthenticator` that implements dummy-implements
    `ProxmoxAuthenticator` - otherwise, manually adding users to
    OpenId realms does not work
  * Changed the naming of the different authenticators in `auth.rs`
    e.g PAM --> PamAuthenticator, LDAP --> LdapAuthenticator
    This allows us to drop some clippy-allow directives

Changes v1 --> v2:
  * add pbs_config::exists helper function
  * Remove now unused `password` field from `LdapRealmConfig`, add
    additional password paramter to routes which need it
  * Only log a warning instead of failing completely when removing a
    stored password does not work
  * Proper naming for `DeleteableProperty` struct
  * Document that the domain config lock must be held when
    the LDAP password helper functions are called.
    Also added a &BackupLockGuard as a parameter, to make sure that
    at least *something* is locked.
  * moved `handle_worker` function to the `proxmox_rest_server` crate,
    so that it is usable for both, the LDAP management CLI and the debug
    CLI.
  * Made user authentication async,
   `ProxmoxAuthenticator::authenticate_user` now returns a boxed future
  * Promoted `src/server/ldap.rs` to be its own crate - this will be
    useful when PVE uses the same LDAP implemenation via perlmod one
    day.


[1] https://lists.proxmox.com/pipermail/pbs-devel/2023-January/005833.html
[2] https://lists.proxmox.com/pipermail/pbs-devel/2022-December/005774.html

proxmox:
Lukas Wagner (1):
  rest-server: add handle_worker from backup debug cli

 proxmox-rest-server/src/worker_task.rs | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

proxmox-backup:
Hannes Laimer (1):
  pbs-config: add delete_authid to ACL-tree

Lukas Wagner (12):
  debug cli: use handle_worker in proxmox-rest-server
  ui: add 'realm' field in user edit
  api-types: add LDAP configuration type
  api: add routes for managing LDAP realms
  auth: add LDAP realm authenticator
  api-types: add config options for LDAP user sync
  server: add LDAP realm sync job
  manager: add commands for managing LDAP realms
  docs: add configuration file reference for domains.cfg
  docs: add documentation for LDAP realms
  auth: add dummy OpenIdAuthenticator struct
  auth: unify naming for all authenticator implementations

 Cargo.toml                             |   2 +
 docs/Makefile                          |   6 +-
 docs/conf.py                           |   1 +
 docs/config/domains/format.rst         |  27 ++
 docs/config/domains/man5.rst           |  21 ++
 docs/configuration-files.rst           |  16 +
 docs/user-management.rst               |  58 ++++
 pbs-api-types/src/ldap.rs              | 199 +++++++++++
 pbs-api-types/src/lib.rs               |   5 +
 pbs-api-types/src/user.rs              |   2 +-
 pbs-config/src/acl.rs                  |  71 ++++
 pbs-config/src/domains.rs              |  43 ++-
 src/api2/access/domain.rs              |  85 ++++-
 src/api2/access/mod.rs                 |   8 +-
 src/api2/access/tfa.rs                 |  15 +-
 src/api2/config/access/ldap.rs         | 352 +++++++++++++++++++
 src/api2/config/access/mod.rs          |   7 +-
 src/api2/config/access/openid.rs       |   5 +-
 src/auth.rs                            | 208 +++++++++--
 src/auth_helpers.rs                    |  58 ++++
 src/bin/docgen.rs                      |   1 +
 src/bin/proxmox-backup-manager.rs      |   1 +
 src/bin/proxmox_backup_debug/api.rs    |  27 +-
 src/bin/proxmox_backup_manager/ldap.rs | 152 ++++++++
 src/bin/proxmox_backup_manager/mod.rs  |   2 +
 src/server/mod.rs                      |   3 +
 src/server/realm_sync_job.rs           | 463 +++++++++++++++++++++++++
 www/OnlineHelpInfo.js                  |   8 +
 www/Utils.js                           |   4 +-
 www/window/UserEdit.js                 |  95 ++++-
 30 files changed, 1840 insertions(+), 105 deletions(-)
 create mode 100644 docs/config/domains/format.rst
 create mode 100644 docs/config/domains/man5.rst
 create mode 100644 pbs-api-types/src/ldap.rs
 create mode 100644 src/api2/config/access/ldap.rs
 create mode 100644 src/bin/proxmox_backup_manager/ldap.rs
 create mode 100644 src/server/realm_sync_job.rs

promxox-widget-toolkit:
Lukas Wagner (4):
  auth ui: add LDAP realm edit panel
  auth ui: add LDAP sync UI
  auth ui: add `onlineHelp` for AuthEditLDAP
  auth ui: add `firstname` and `lastname` sync-attribute fields

 src/Makefile               |   2 +
 src/Schema.js              |  12 ++
 src/panel/AuthView.js      |  24 +++
 src/window/AuthEditLDAP.js | 367 +++++++++++++++++++++++++++++++++++++
 src/window/SyncWindow.js   | 192 +++++++++++++++++++
 5 files changed, 597 insertions(+)
 create mode 100644 src/window/AuthEditLDAP.js
 create mode 100644 src/window/SyncWindow.js


-- 
2.30.2






More information about the pbs-devel mailing list