[pbs-devel] [PATCH proxmox-backup 06/17] auth: add LDAP realm authenticator
Lukas Wagner
l.wagner at proxmox.com
Tue Jan 3 15:22:57 CET 2023
Signed-off-by: Lukas Wagner <l.wagner at proxmox.com>
---
src/auth.rs | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 63 insertions(+), 2 deletions(-)
diff --git a/src/auth.rs b/src/auth.rs
index f1d5c0a1..101bec0e 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -8,9 +8,12 @@ use std::process::{Command, Stdio};
use anyhow::{bail, format_err, Error};
use serde_json::json;
-use pbs_api_types::{RealmRef, Userid, UsernameRef};
+use pbs_api_types::{LdapMode, LdapRealmConfig, RealmRef, Userid, UsernameRef};
use pbs_buildcfg::configdir;
+use crate::auth_helpers;
+use crate::server::ldap::{LdapConfig, LdapConnection, LdapConnectionMode};
+
pub trait ProxmoxAuthenticator {
fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
@@ -122,12 +125,45 @@ impl ProxmoxAuthenticator for PBS {
}
}
+#[allow(clippy::upper_case_acronyms)]
+pub struct LDAP {
+ config: LdapRealmConfig,
+}
+
+impl ProxmoxAuthenticator for LDAP {
+ /// Authenticate user in LDAP realm
+ fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
+ let ldap_config = ldap_api_type_to_ldap_config(&self.config)?;
+
+ let ldap = LdapConnection::new(ldap_config);
+
+ proxmox_async::runtime::block_on(ldap.authenticate_user(username.as_str(), password))
+ }
+
+ fn store_password(&self, _username: &UsernameRef, _password: &str) -> Result<(), Error> {
+ // do not store password for LDAP users
+ Ok(())
+ }
+
+ fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+ // do not remove password for LDAP users
+ Ok(())
+ }
+}
+
/// Lookup the autenticator for the specified realm
pub fn lookup_authenticator(realm: &RealmRef) -> Result<Box<dyn ProxmoxAuthenticator>, Error> {
match realm.as_str() {
"pam" => Ok(Box::new(PAM())),
"pbs" => Ok(Box::new(PBS())),
- _ => bail!("unknown realm '{}'", realm.as_str()),
+ realm => {
+ let (domains, _digest) = pbs_config::domains::config()?;
+ if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
+ Ok(Box::new(LDAP { config }))
+ } else {
+ bail!("unknown realm '{}'", realm);
+ }
+ }
}
}
@@ -135,3 +171,28 @@ pub fn lookup_authenticator(realm: &RealmRef) -> Result<Box<dyn ProxmoxAuthentic
pub fn authenticate_user(userid: &Userid, password: &str) -> Result<(), Error> {
lookup_authenticator(userid.realm())?.authenticate_user(userid.name(), password)
}
+
+// TODO: Is there a better place for this?
+pub fn ldap_api_type_to_ldap_config(config: &LdapRealmConfig) -> Result<LdapConfig, Error> {
+ let mut servers = vec![config.server1.clone()];
+ if let Some(server) = &config.server2 {
+ servers.push(server.clone());
+ }
+
+ let tls_mode = match config.mode.unwrap_or_default() {
+ LdapMode::Ldap => LdapConnectionMode::Ldap,
+ LdapMode::StartTls => LdapConnectionMode::StartTls,
+ LdapMode::Ldaps => LdapConnectionMode::Ldaps,
+ };
+
+ Ok(LdapConfig {
+ servers,
+ port: config.port,
+ user_attr: config.user_attr.clone(),
+ base_dn: config.base_dn.clone(),
+ bind_dn: config.bind_dn.clone(),
+ bind_password: auth_helpers::get_ldap_bind_password(&config.realm)?,
+ tls_mode,
+ verify_certificate: config.verify.unwrap_or_default(),
+ })
+}
--
2.30.2
More information about the pbs-devel
mailing list