[pve-devel] Feature request: LDAP non-anonymous bind

Sten Aus sten.aus at eenet.ee
Mon Sep 7 15:25:20 CEST 2015


Hi

I would like to propose a feature: LDAP non-anonymous bind.
As it has been discussed already in forums I will link it here as well:
http://forum.proxmox.com/threads/14649-LDAP-authentication-with-non-anonymous-bind

As the proposed patch is working, I would suggest adding it to Proxmox.
An (almost) copy-paste from this patch is here. There is one comma (,) 
missing at the end of the bind_pw {} section.

|diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm index dc1c229..50df467 
100755 --- a/PVE/Auth/LDAP.pm +++ b/PVE/Auth/LDAP.pm @@ -18,6 +18,19 @@ 
sub properties { optional => 1, maxLength => 256, }, + bind_dn => { + 
description => "LDAP bind DN", + type => 'string', + pattern => 
'\w+=[^,]+(,\s*\w+=[^,]+)*', + optional => 1, + maxLength => 256, + }, + 
bind_pw => { + description => "LDAP bind password", + type => 'string', 
+ optional => 1, + maxLength => 256, + }, user_attr => { description => 
"LDAP user attribute name", type => 'string', @@ -33,6 +46,8 @@ sub 
options { server1 => {}, server2 => { optional => 1 }, base_dn => {}, + 
bind_dn => { optional => 1 }, + bind_pw => { optional => 1 }, user_attr 
=> {}, port => { optional => 1 }, secure => { optional => 1 }, @@ -50,6 
+65,12 @@ my $authenticate_user_ldap = sub { my $conn_string = 
"$scheme://${server}:$port"; my $ldap = Net::LDAP->new($conn_string, 
verify => 'none') || die "$@\n"; + if ($config->{bind_dn} ) { + my $res 
= $ldap->bind( $config->{bind_dn}, password => $config->{bind_pw} ); + 
my $code = $res->code(); + my $err = $res->error; + die "Error during 
initial bind: $err\n" if ($code); + } my $search = $config->{user_attr} 
. "=" . $username; my $result = $ldap->search( base => 
"$config->{base_dn}", scope => "sub", |
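Review bot: in the first hunk (`@@ -18,6 +18,19 @@`), the closing brace of `bind_pw => { ... }` has no trailing comma before `user_attr => {`, so the file does not compile as posted (the author notes this); add `},` there. In the same hunk, the `bind_dn` pattern `'\w+=[^,]+(,\s*\w+=[^,]+)*'` rejects valid DNs whose values contain an escaped comma (e.g. `cn=Smith\, John`) and attribute types written as numeric OIDs, so either relax it or document the restriction. Also, `bind_pw` is a plain `type => 'string'` property, which means the service-account password is written in clear into /etc/pve/domains.cfg next to the server settings; the description should say so, and the value should be treated as a secret wherever the domain config is displayed.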
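Review bot: in the third hunk (`@@ -50,6 +65,12 @@`), the guard `if ($config->{bind_dn})` performs the bind with `password => $config->{bind_pw}` even when `bind_pw` is unset; since both keys are declared `optional => 1` in `sub options`, a DN without a password produces a simple bind with an empty credential, which many directories accept as an anonymous (unauthenticated) bind, silently defeating the purpose of the feature. Require both values (`if ($config->{bind_dn} && $config->{bind_pw})`) or `die` when only one of them is configured. Note also that the bind is sent over the connection opened with `verify => 'none'` in the context lines; that was tolerable for an anonymous search, but now a service-account password is transmitted without checking the server certificate, which is worth revisiting in a follow-up.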

Now, all you've got to do is edit the /etc/pve/domains.cfg file and add 
bind_dn and bind_pw parameters there.

Also, when I edit from the GUI, those values get lost from this file, so I 
would suggest that you configure LDAP from the GUI and then add those two 
rows there from the CLI.

As some daemon caches LDAP.pm, I needed to restart my host to get LDAP 
bind working. I have tried to restart three services:

service pve-cluster restart && service pve-manager restart && service pveproxy restart

Can anyone tell me what service caches it? Can I restart it without 
affecting my KVMs?

Maybe a feature in Proxmox 4.0? Or, if stable is too far away, then in 
3.4. :)

All the best
Sten Aus
