[pve-devel] [PATCH access-control v2] auth ldap/ad: make password a parameter for the api
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Apr 7 17:02:27 CEST 2020
On 4/7/20 1:11 PM, Dominik Csapak wrote:
> Instead of simply requiring it to exist in /etc/pve.
>
> Takes after the password handling of CIFS in pve-storage.
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> changes from v1:
> * delete pw when given via 'delete' parameter
> * do not delete pw when updating without giving 'password' parameter
> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
> index 905cc47..1b2c606 100755
> --- a/PVE/Auth/LDAP.pm
> +++ b/PVE/Auth/LDAP.pm
> @@ -37,6 +37,11 @@ sub properties {
> optional => 1,
> maxLength => 256,
> },
> + password => {
> + description => "LDAP bind password. Will be stored in '/etc/pve/priv/ldap/<REALM>.pw'.",
> + type => 'string',
> + optional => 1,
> + },
> verify => {
> description => "Verify the server's SSL certificate",
> type => 'boolean',
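Review bot: the new `password` property has no length bound, while the neighbouring property right above it carries `maxLength => 256`; a bind password that ends up in a single-line `.pw` file should get a similar limit. The description also hard-codes the storage path `/etc/pve/priv/ldap/<REALM>.pw`, which the code builds from `$ldap_pw_dir` later in the patch; describe the location generically (or keep it in sync with that one constant) so the user-visible schema text does not go stale when the directory is moved, and state whether the value is ever returned by read calls, since the CIFS handling this follows treats it as write-only.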
> @@ -185,7 +191,7 @@ sub connect_and_bind {
>
> if ($config->{bind_dn}) {
> $bind_dn = $config->{bind_dn};
> - $bind_pass = PVE::Tools::file_read_firstline("/etc/pve/priv/ldap/${realm}.pw");
> + $bind_pass = ldap_get_credentials($realm);
> die "missing password for realm $realm\n" if !defined($bind_pass);
> }
>
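Review bot: `connect_and_bind` now depends on `ldap_get_credentials($realm)` returning undef when the `.pw` file is absent, because the unchanged `die "missing password for realm $realm\n"` on the following line is what reports that case. The helper itself is not in the quoted part of the patch, so it should keep the contract of the `PVE::Tools::file_read_firstline` call it replaces (undef for a missing file, trailing newline stripped) rather than dying with a generic I/O error, otherwise the realm-specific message becomes unreachable.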
> @@ -343,4 +349,69 @@ sub authenticate_user {
> return 1;
> }
>
> +my $ldap_pw_dir = "/etc/pve/priv/ldap";
> +
> +sub ldap_cred_filename {
> + my ($realm) = @_;
> + return "${ldap_pw_dir}/${realm}.pw";
> +}
> +
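Review bot: `ldap_cred_filename` interpolates `$realm` directly into a path below `$ldap_pw_dir`, so it is only safe as long as every caller passes a realm ID that the realm schema has already validated (no `/`, no `..`). Since the same helper will back the new set and delete paths, it would be more robust to check the realm format here and die on a mismatch instead of relying on each API handler having done it. Keeping the base directory in the single lexical `$ldap_pw_dir` is good: moving it to priv/realm/ is then a one-line change, but the path quoted in the `password` description of the first hunk would have to follow.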
Looks mostly ok from a quick whiff, albeit I'd like to have the .pw
file in a priv/realm/ directory; ldap is "wrong" here, we also use
priv/storage/ as the base directory for CIFS and PBS, not priv/cifs and
priv/pbs ..
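For readers following the semantics listed in the changelog (write the file when `password` is given, remove it when `password` appears in the `delete` parameter, leave it alone otherwise), here is an added, self-contained illustration. It is not code from the patch or from pve-access-control: it uses a temporary directory in place of /etc/pve/priv, the helper names, the realm-ID pattern and the `delete` parsing are assumptions, and the realm name is constructed for the walkthrough.

```perl
#!/usr/bin/perl
# Added illustration, not pve-access-control code: realm bind-password
# files with the create/update/delete semantics from the v2 changelog.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Stand-in for the priv/ base directory (assumption: a temp dir, cleaned up).
my $pw_dir = tempdir(CLEANUP => 1);

# Realm IDs become a path component, so restrict them before touching the
# filesystem. The pattern is an assumption modelled on PVE realm IDs.
sub cred_filename {
    my ($realm) = @_;
    die "invalid realm id '$realm'\n" if $realm !~ /^[A-Za-z][A-Za-z0-9.\-_]+$/;
    return "$pw_dir/$realm.pw";
}

# Returns undef for a missing or empty file so the caller can report
# "missing password for realm" itself; trailing newline is stripped.
sub get_credentials {
    my ($realm) = @_;
    my $fn = cred_filename($realm);
    open(my $fh, '<', $fn) or return undef;
    my $pw = <$fh>;
    close($fh);
    return undef if !defined($pw);
    chomp $pw;
    return $pw;
}

# Writes the file owner-readable only (umask 077 while the file is created).
sub set_credentials {
    my ($realm, $password) = @_;
    my $fn = cred_filename($realm);
    my $old_umask = umask(0077);
    open(my $fh, '>', $fn) or die "cannot write $fn: $!\n";
    print $fh "$password\n";
    close($fh);
    umask($old_umask);
}

sub delete_credentials {
    my ($realm) = @_;
    my $fn = cred_filename($realm);
    unlink($fn) if -e $fn;
}

# 'password' given      => (re)write the file
# 'delete' lists it     => remove the file
# neither               => leave an existing file untouched
sub update_realm_credentials {
    my ($realm, $param) = @_;
    my %delete = map { $_ => 1 } split(/\s*,\s*/, $param->{delete} // '');
    if ($delete{password}) {
        die "cannot set and delete 'password' in the same request\n"
            if defined($param->{password});
        delete_credentials($realm);
    } elsif (defined($param->{password})) {
        set_credentials($realm, $param->{password});
    }
    return defined(get_credentials($realm)) ? 'stored' : 'none';
}

# Walk through the three cases on a constructed realm name.
my $realm = 'example-ldap';
print "create with password:    ", update_realm_credentials($realm, { password => 's3cret' }), "\n";
print "update without password: ", update_realm_credentials($realm, { verify => 1 }), "\n";
print "delete via 'delete':     ", update_realm_credentials($realm, { delete => 'password' }), "\n";
```

The realm check in `cred_filename` is the caveat worth keeping: the file name is derived from an API parameter, so the helper, not each handler, is the right place to refuse anything that could escape the base directory.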