[pve-devel] [RFC PATCH common/access-control/pmg-api] implement ldap/ad sync

Dominik Csapak d.csapak at proxmox.com
Fri Mar 6 11:05:33 CET 2020


this series implements basic ldap/ad user/group sync via api/cli
a new api call for realms called 'sync' is implemented which
calls the plugins 'get_{user,group}' sub which in turn uses
the realms config to get the relevant users/groups
and this is then written into the user config

there are some things which i am not so sure about:
* putting the get_users/groups into the Auth plugins
   i did not find a better place where we still can use the config
   (besides a new config which i wanted to avoid, because this can
   become inconsistent/complicated fast)
   we could put it into its own package of course, but this way
   the config options and actual code are closer together
* the amount of options
   i do not like having this many new options, but afaict, ldap/ad
   deployments vary wildly in used attributes, dns, etc. so
   giving the user various knobs is probably the only way

things not yet implemented, but can be done later on
* auto-sync
   we probably want to be able to 'auto-sync' the users/groups,
   so probably some kind of systemd timer which calls pveum?
   we have to somehow make this configurable and of course
   only call it from one node (however this can be done)
* preview mode
   we could implement a 'preview' api call (or option) so that
   it only returns what would be done, so that we can show the
   user a preview. this should not be that hard to implement
* gui
   a 'sync' gui where the user can put in the sync relevant config
   options and a button which actually syncs the users should
   not be that hard

notes:
* i included the two remaining patches from my refactoring series, they
  did not change
* pmg-api patches are only there because i moved the ldap-simple-attr
  to the jsonschema to be able to reuse it in pve-access-control,
  so a new pve-common breaks the old pmg-api and the new pmg-api
  and pve-access-control depend on the new pve-common
* patches 2,3,4 for pve-access-control can be applied separately,
  i think they make sense anyway

pve-common:

Dominik Csapak (3):
  ldap: optionally save group name by attribute
  ldap: add optional classes to query_users
  add ldap-simple-attr from pmg

 src/PVE/JSONSchema.pm | 13 +++++++++++++
 src/PVE/LDAP.pm       | 19 ++++++++++++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)

pve-access-control:

Dominik Csapak (9):
  use PVE::LDAP module instead of using Net::LDAP directly
  add realm commands to pveum
  API2/Domains.pm: fix whitespace errors
  API2/Domains.pm: document 'type' return value
  Auth/LDAP: refactor out 'connect_and_bind'
  Auth/LDAP: add necessary options for syncing
  Auth/LDAP: add get_{users,groups} subs for syncing
  Auth/AD: make PVE::Auth::AD a subclass of PVE::Auth::LDAP
  Domains: add sync API call

 PVE/API2/Domains.pm | 175 ++++++++++++++++++++++++-----
 PVE/Auth/AD.pm      |  66 ++++++-----
 PVE/Auth/LDAP.pm    | 261 +++++++++++++++++++++++++++++++++++++-------
 PVE/CLI/pveum.pm    |  10 ++
 4 files changed, 413 insertions(+), 99 deletions(-)

pmg-api:

Dominik Csapak (2):
  use new PVE::LDAP instead of Net::LDAP directly
  remove ldap-simple-attr

 src/PMG/LDAPCache.pm  | 299 +++++++++++++-----------------------------
 src/PMG/LDAPConfig.pm |  13 --
 2 files changed, 93 insertions(+), 219 deletions(-)

-- 
2.20.1
