[pve-devel] [PATCH access-control 3/4] auth ldap/ad: introduce connection 'mode'

Dominik Csapak d.csapak at proxmox.com
Mon Apr 6 13:55:20 CEST 2020



On 4/6/20 1:41 PM, Thomas Lamprecht wrote:
> On 4/6/20 1:31 PM, Dominik Csapak wrote:
>> instead of having only a 'secure' flag which switches between
>> ldap/ldaps we now have a mode which also contains 'ldap+starttls'
>>
>> our connection code in PVE::LDAP can handle this already (used in pmg)
>> so that is no problem
>>
>> if we want to really remove the 'secure' flag, e.g. in 7.0
>> we'd either have to rewrite the config or have it as an error
>> in a pve6to7 script
>>
>> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
>> ---
>> we could of course rewrite the config now already, but
>> i am not sure if that is wise, since e.g. config management
>> tools do not expect it now? is that a thing we should care about?
>>
>>   PVE/Auth/AD.pm   | 10 ++++++----
>>   PVE/Auth/LDAP.pm | 15 ++++++++++++---
>>   2 files changed, 18 insertions(+), 7 deletions(-)
>>
>> diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
>> index 4f40be3..395d78b 100755
>> --- a/PVE/Auth/AD.pm
>> +++ b/PVE/Auth/AD.pm
>> @@ -27,7 +27,7 @@ sub properties {
>>   	    maxLength => 256,
>>   	},
>>   	secure => {
>> -	    description => "Use secure LDAPS protocol.",
>> +	    description => "Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.",
>>   	    type => 'boolean',
>>   	    optional => 1,
>>   	},
>> @@ -92,6 +92,7 @@ sub options {
>>   	group_filter => { optional => 1 },
>>   	group_classes => { optional => 1 },
>>   	'sync-defaults-options' => { optional => 1 },
>> +	mode => { optional => 1 },
>>       };
>>   }
>>   
>> @@ -109,9 +110,10 @@ sub authenticate_user {
>>       my $servers = [$config->{server1}];
>>       push @$servers, $config->{server2} if $config->{server2};
>>   
>> -    my $default_port = $config->{secure} ? 636: 389;
>> +    my $scheme = $config->{mode} // ($config->{secure} ? 'ldaps' : 'ldap');
>> +
>> +    my $default_port = $scheme eq 'ldaps' ? 636 : 389;
>>       my $port = $config->{port} // $default_port;
>> -    my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
>>   
>>       my %ad_args;
>>       if ($config->{verify}) {
>> @@ -129,7 +131,7 @@ sub authenticate_user {
>>   	$ad_args{verify} = 'none';
>>       }
>>   
>> -    if ($config->{secure}) {
>> +    if ($scheme ne 'ldap') {
>>   	$ad_args{sslversion} = $config->{sslversion} // 'tlsv1_2';
>>       }
>>   
>> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
>> index 905cc47..9b9199d 100755
>> --- a/PVE/Auth/LDAP.pm
>> +++ b/PVE/Auth/LDAP.pm
>> @@ -117,6 +117,13 @@ sub properties {
>>   	    format => 'realm-sync-options',
>>   	    optional => 1,
>>   	},
>> +	mode => {
>> +	    description => "LDAP protocol mode.",
>> +	    type => 'string',
>> +	    enum => [ 'ldap', 'ldaps', 'ldap+starttls'],
>> +	    optional => 1,
>> +	    default => 'ldap',
>> +	},
>>       };
>>   }
>>   
>> @@ -145,6 +152,7 @@ sub options {
>>   	group_filter => { optional => 1 },
>>   	group_classes => { optional => 1 },
>>   	'sync-defaults-options' => { optional => 1 },
>> +	mode => { optional => 1 },
>>       };
>>   }
>>   
>> @@ -154,9 +162,10 @@ sub connect_and_bind {
>>       my $servers = [$config->{server1}];
>>       push @$servers, $config->{server2} if $config->{server2};
>>   
>> -    my $default_port = $config->{secure} ? 636: 389;
>> +    my $scheme = $config->{mode} // ($config->{secure} ? 'ldaps' : 'ldap');
>> +
>> +    my $default_port = $scheme eq 'ldaps' ? 636 : 389;
>>       my $port = $config->{port} // $default_port;
> 
> can we factor the get port and scheme with default fallbacks out to it's
> own little helper? After all we use it twice and it crowds things here
> 
> OK, besides that
> 

ah yes of course

> 
>> -    my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
>>   
>>       my %ldap_args;
>>       if ($config->{verify}) {
>> @@ -174,7 +183,7 @@ sub connect_and_bind {
>>   	$ldap_args{verify} = 'none';
>>       }
>>   
>> -    if ($config->{secure}) {
>> +    if ($scheme ne 'ldap') {
>>   	$ldap_args{sslversion} = $config->{sslversion} || 'tlsv1_2';
>>       }
>>   
>>
> 




More information about the pve-devel mailing list