[pve-devel] [PATCH access-control 6/9] Auth/LDAP: add necessary options for syncing

Dominik Csapak d.csapak at proxmox.com
Mon Mar 9 12:49:41 CET 2020


On 3/9/20 11:43 AM, Fabian Grünbichler wrote:
> On March 6, 2020 11:05 am, Dominik Csapak wrote:
>> for syncing users/groups from ldap, we need some more options
>> so that the users can adapt it to their LDAP setup, which are very
>> different across systems.
>>
>> sensible defaults are documented
>>
>> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
>> ---
>>   PVE/Auth/LDAP.pm | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
>>   1 file changed, 58 insertions(+)
>>
>> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
>> index 5eef12c..6047dfb 100755
>> --- a/PVE/Auth/LDAP.pm
>> +++ b/PVE/Auth/LDAP.pm
>> @@ -57,6 +57,57 @@ sub properties {
>>   	    type => 'string',
>>   	    optional => 1,
>>   	},
>> +	filter => {
>> +	    description => "LDAP filter for user sync.",
>> +	    type => 'string',
>> +	    optional => 1,
>> +	    maxLength => 256,
> 
> this might benefit from a longer maxLength (filters could be complicated
> expressions)

ok

> 
>> +	},
>> +	sync_attributes => {
>> +	    description => "Comma seperated list of key=value pairs for ".
> 
> s/seperated/separated/
> 
>> +			   "selecting which ldap fields sync which user fields.".
> 
> this is a bit hard to read. maybe:
> 
> specifying which LDAP attributes map to which PVE user field.

yes, sounds better...


> 
>> +			   " By default, the ldap attribute name is the field name.".
> 
> By default, each PVE user field is represented by an LDAP attribute of
> the same name.
> 
>> +			   " If an attribute is not found, a sensible default is used.",
> 
> s/default/default value/
> 
> s/ldap/LDAP/ in general for all documentation ;)
> 
>> +	    optional => 1,
>> +	    type => 'string',
>> +	    pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
>> +	},
>> +	user_classes => {
>> +	    description => "The objectclasses for users.",
>> +	    type => 'string',
>> +	    default => 'inetorgperson, posixaccount, person, user',
>> +	    format => 'ldap-simple-attr-list',
>> +	    optional => 1,
>> +	},
>> +	group_dn => {
>> +	    description => "LDAP base domain name for group sync. ".
>> +			   "If not given, the base_dn will be used.",
>> +	    type => 'string',
>> +	    pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
>> +	    optional => 1,
>> +	    maxLength => 256,
>> +	},
>> +	group_attr => {
>> +	    description => "LDAP group attribute for its name. If not given or ".
>> +			   "found, the first value of the DN will be used as name.",
> 
> LDAP attribute representing a group's name.

OK, will also rename it to group_name_attr as Thomas suggested

> 
>> +	    type => 'string',
>> +	    format => 'ldap-simple-attr',
>> +	    optional => 1,
>> +	    maxLength => 256,
>> +	},
>> +	group_filter => {
>> +	    description => "LDAP filter for group sync.",
>> +	    type => 'string',
>> +	    optional => 1,
>> +	    maxLength => 256,
> 
> same as above

OK

> 
>> +	},
>> +	group_classes => {
>> +	    description => "The objectclasses for groups.",
>> +	    type => 'string',
>> +	    default => 'groupOfNames, group, univentionGroup, ipausergroup',
>> +	    format => 'ldap-simple-attr-list',
>> +	    optional => 1,
>> +	},
>>       };
>>   }
>>   
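Review bot: the `group_dn` description calls it an "LDAP base domain name", but DN is a distinguished name, so it should read "LDAP base distinguished name for group sync." The pattern reused for it, `\w+=[^,]+(,\s*\w+=[^,]+)*`, also rejects some valid DNs: `[^,]+` cannot span an RDN value that contains an escaped comma (for example `cn=Doe\, Jane,ou=groups,dc=example,dc=com`), and `\w+` rejects attribute types containing a hyphen. If `base_dn` already validates with a shared pattern, reuse that one so both fields accept the same DNs; otherwise at least allow `\,` inside values. Separately, `filter` and `group_filter` get only a `maxLength` and no syntax check, so a malformed filter will only show up when a sync is attempted; saying in the description that the value must be a complete, parenthesised LDAP filter (e.g. `(memberOf=...)`) would spare admins that round trip.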
>> @@ -77,6 +128,13 @@ sub options {
>>   	capath => { optional => 1 },
>>   	cert => { optional => 1 },
>>   	certkey => { optional => 1 },
>> +	filter => { optional => 1 },
>> +	sync_attributes => { optional => 1 },
>> +	user_classes => { optional => 1 },
>> +	group_dn => { optional => 1 },
>> +	group_attr => { optional => 1 },
>> +	group_filter => { optional => 1 },
>> +	group_classes => { optional => 1 },
>>       };
>>   }
>>   
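Review bot: the `options` list must follow the rename discussed above: if `group_attr` becomes `group_name_attr` in `properties`, the `group_attr => { optional => 1 },` entry here needs the same change in the same patch, otherwise the renamed property is defined but cannot be set on the realm.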
>> -- 
>> 2.20.1
>>
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>
>>
> 

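Added example, not code from the patch or from Proxmox: a stand-alone Perl script that parses a `sync_attributes` value with the pattern from the patch, fills fields not named in it from a hypothetical default table (the patch only says "a sensible default value is used"), builds a user search filter from `user_classes` plus `filter` in one common way (an assumption; the patch does not show how the two options are combined), and checks two DNs against the `group_dn` pattern, one of them with an escaped comma in an RDN value. The field names, defaults and the anchoring of the pattern are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern taken from the patch (sync_attributes and group_dn use the same
# one); anchored here so the whole value must match (assumption about how
# the schema applies 'pattern').
my $kv_list_re = qr/^\w+=[^,]+(,\s*\w+=[^,]+)*$/;

# Hypothetical defaults: which LDAP attribute feeds each PVE user field when
# sync_attributes does not name it. Not the project's actual table.
my %default_attr_for = (
    email     => 'mail',
    firstname => 'givenName',
    lastname  => 'sn',
    comment   => 'description',
);

# "email=userPrincipalName, firstname=givenName" -> { email => ..., ... }
# Unlisted fields keep their default attribute.
sub parse_sync_attributes {
    my ($value) = @_;
    my %map = %default_attr_for;
    return \%map if !defined($value) || $value eq '';
    die "invalid sync_attributes value '$value'\n" if $value !~ $kv_list_re;
    for my $pair (split /,\s*/, $value) {
        my ($field, $attr) = split /=/, $pair, 2;
        die "unknown user field '$field'\n" if !exists $default_attr_for{$field};
        $map{$field} = $attr;
    }
    return \%map;
}

# Combine user_classes and filter into one search filter:
#   (&(|(objectclass=c1)(objectclass=c2)...)(<filter>))
# This is one common way to do it; the patch does not show how the two
# options are combined, so treat this as an assumption.
sub build_user_filter {
    my ($classes, $filter) = @_;
    my @classes = split /,\s*/, $classes;
    my $class_part = join '', map { "(objectclass=$_)" } @classes;
    my $result = @classes > 1 ? "(|$class_part)" : $class_part;
    if (defined $filter && $filter ne '') {
        # accept a filter given with or without its outer parentheses
        $filter = "($filter)" if $filter !~ /^\(.*\)$/;
        $result = "(&$result$filter)";
    }
    return $result;
}

my $map = parse_sync_attributes('email=userPrincipalName, firstname=givenName');
print "$_ <- $map->{$_}\n" for sort keys %$map;

print build_user_filter('inetorgperson, posixaccount, person, user',
                        '(memberOf=cn=pve-users,ou=groups,dc=example,dc=com)'), "\n";

# The DN pattern accepts plain DNs, but '[^,]+' cannot span an escaped comma
# inside an RDN value, so the second (valid) DN is rejected.
for my $dn (
    'ou=groups,dc=example,dc=com',
    'cn=Doe\, Jane,ou=groups,dc=example,dc=com',
) {
    printf "%-45s %s\n", $dn, ($dn =~ $kv_list_re ? 'accepted' : 'rejected');
}
```

Run it with `perl sync_attrs.pl`; the last two lines show why a DN pattern built from `[^,]+` needs to allow `\,` before it is used for `group_dn`.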