[pve-devel] [PATCH access-control 6/9] Auth/LDAP: add necessary options for syncing
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Mar 9 11:43:44 CET 2020
On March 6, 2020 11:05 am, Dominik Csapak wrote:
> for syncing users/groups from ldap, we need some more options
> so that the users can adapt it to their LDAP setup, which are very
> different across systems.
>
> sensible defaults are documented
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> PVE/Auth/LDAP.pm | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 58 insertions(+)
>
> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
> index 5eef12c..6047dfb 100755
> --- a/PVE/Auth/LDAP.pm
> +++ b/PVE/Auth/LDAP.pm
> @@ -57,6 +57,57 @@ sub properties {
> type => 'string',
> optional => 1,
> },
> + filter => {
> + description => "LDAP filter for user sync.",
> + type => 'string',
> + optional => 1,
> + maxLength => 256,
this might benefit from a longer maxLength (filters could be complicated
expressions)
> + },
> + sync_attributes => {
> + description => "Comma seperated list of key=value pairs for ".
s/seperated/separated/
> + "selecting which ldap fields sync which user fields.".
this is a bit hard to read. maybe:
specifying which LDAP attributes map to which PVE user field.
> + " By default, the ldap attribute name is the field name.".
By default, each PVE user field is represented by an LDAP attribute of
the same name.
> + " If an attribute is not found, a sensible default is used.",
s/default/default value/
s/ldap/LDAP/ in general for all documentation ;)
> + optional => 1,
> + type => 'string',
> + pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
> + },
> + user_classes => {
> + description => "The objectclasses for users.",
> + type => 'string',
> + default => 'inetorgperson, posixaccount, person, user',
> + format => 'ldap-simple-attr-list',
> + optional => 1,
> + },
> + group_dn => {
> + description => "LDAP base domain name for group sync. ".
> + "If not given, the base_dn will be used.",
> + type => 'string',
> + pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
> + optional => 1,
> + maxLength => 256,
> + },
> + group_attr => {
> + description => "LDAP group attribute for its name. If not given or ".
> + "found, the first value of the DN will be used as name.",
LDAP attribute representing a group's name.
> + type => 'string',
> + format => 'ldap-simple-attr',
> + optional => 1,
> + maxLength => 256,
> + },
> + group_filter => {
> + description => "LDAP filter for group sync.",
> + type => 'string',
> + optional => 1,
> + maxLength => 256,
same as above
> + },
> + group_classes => {
> + description => "The objectclasses for groups.",
> + type => 'string',
> + default => 'groupOfNames, group, univentionGroup, ipausergroup',
> + format => 'ldap-simple-attr-list',
> + optional => 1,
> + },
> };
> }
>
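Review bot: the `group_dn` description `"LDAP base domain name for group sync. "` mislabels the field, since a DN is a distinguished name (e.g. `cn=groups,dc=example,dc=com`), not a domain name; suggest `"LDAP base distinguished name (DN) for group sync. "`, and in `group_attr` the phrase "the first value of the DN" is clearer as "the value of the first RDN of the group's DN". The `filter` and `group_filter` properties get a `maxLength` but no `pattern` or syntax hint, while `group_dn` reuses the `key=value` pattern from `sync_attributes`; a short hint in their descriptions (an RFC 4515 filter such as `(objectClass=*)`) would tell admins what is expected before a malformed filter fails at sync time. Also, the defaults `'inetorgperson, posixaccount, person, user'` and `'groupOfNames, group, univentionGroup, ipausergroup'` contain a space after each comma; check that `ldap-simple-attr-list` accepts that, or drop the spaces so the defaults validate against their own format.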
> @@ -77,6 +128,13 @@ sub options {
> capath => { optional => 1 },
> cert => { optional => 1 },
> certkey => { optional => 1 },
> + filter => { optional => 1 },
> + sync_attributes => { optional => 1 },
> + user_classes => { optional => 1 },
> + group_dn => { optional => 1 },
> + group_attr => { optional => 1 },
> + group_filter => { optional => 1 },
> + group_classes => { optional => 1 },
> };
> }
>
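Review bot: the option naming in this hunk is inconsistent: the group-side keys are all prefixed (`group_dn`, `group_attr`, `group_filter`, `group_classes`) and the user-side has `user_classes`, but the user filter is the bare `filter`, which reads as if it applied to both users and groups. `user_filter` would mirror `group_filter` and `user_classes`; if `filter` is kept on purpose (e.g. for compatibility with existing realm configs), the description in the properties hunk should say it applies to users only.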
> --
> 2.20.1