[pve-devel] applied: [PATCH access-control v2 1/5] Auth/LDAP: add necessary options for syncing

Thomas Lamprecht t.lamprecht at proxmox.com
Sat Mar 21 16:23:49 CET 2020


On 3/13/20 1:18 PM, Dominik Csapak wrote:
> for syncing users/groups from ldap, we need some more options
> so that the users can adapt it to their LDAP setup, which are very
> different across systems.
> 
> sensible defaults are documented
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> changes from v1:
> * increased filter maxLength
> * better wording of sync_attributes description; with example
> * rename group_attr -> group_name_attr
> 

applied, squashed in some description "fixes" (mainly indentation one, as I
do not like the used much).
Thanks!

>  PVE/Auth/LDAP.pm | 59 ++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 59 insertions(+)
> 
> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
> index 5eef12c..7d1d1ed 100755
> --- a/PVE/Auth/LDAP.pm
> +++ b/PVE/Auth/LDAP.pm
> @@ -57,6 +57,58 @@ sub properties {
>  	    type => 'string',
>  	    optional => 1,
>  	},
> +	filter => {
> +	    description => "LDAP filter for user sync.",
> +	    type => 'string',
> +	    optional => 1,
> +	    maxLength => 2048,
> +	},
> +	sync_attributes => {
> +	    description => "Comma separated list of key=value pairs for specifying ".
> +			   "which LDAP attributes map to which PVE user field".
> +			   "(e.g. to map the LDAP attribute 'mail' to PVEs 'email', ".
> +			   "write 'email=mail' ). By default, each PVE user field ".
> +			   "is represented by an LDAP attribute of the same name.",
> +	    optional => 1,
> +	    type => 'string',
> +	    pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
> +	},
> +	user_classes => {
> +	    description => "The objectclasses for users.",
> +	    type => 'string',
> +	    default => 'inetorgperson, posixaccount, person, user',
> +	    format => 'ldap-simple-attr-list',
> +	    optional => 1,
> +	},
> +	group_dn => {
> +	    description => "LDAP base domain name for group sync. ".
> +			   "If not given, the base_dn will be used.",
> +	    type => 'string',
> +	    pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
> +	    optional => 1,
> +	    maxLength => 256,
> +	},
> +	group_name_attr => {
> +	    description => "LDAP attribute representing a groups name. If not given or ".
> +			   "found, the first value of the DN will be used as name.",
> +	    type => 'string',
> +	    format => 'ldap-simple-attr',
> +	    optional => 1,
> +	    maxLength => 256,
> +	},
> +	group_filter => {
> +	    description => "LDAP filter for group sync.",
> +	    type => 'string',
> +	    optional => 1,
> +	    maxLength => 2048,
> +	},
> +	group_classes => {
> +	    description => "The objectclasses for groups.",
> +	    type => 'string',
> +	    default => 'groupOfNames, group, univentionGroup, ipausergroup',
> +	    format => 'ldap-simple-attr-list',
> +	    optional => 1,
> +	},
>      };
>  }
>  
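Review bot: the `sync_attributes` description is missing a space at the concatenation boundary, so the rendered text reads "...PVE user field(e.g. to map..."; add a trailing space to `"which LDAP attributes map to which PVE user field"`. In the same hunk, `group_dn` is documented as an "LDAP base domain name" although it holds a distinguished name (the pattern `\w+=[^,]+(,\s*\w+=[^,]+)*` expects `key=value` components), so "base DN" would be the accurate wording, and `group_name_attr` should read "a group's name". Note also that `filter` and `group_filter` are plain strings with only a `maxLength` of 2048 and no `format` or `pattern`, so the code that later passes them to the LDAP search is the only place where their syntax gets checked.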
> @@ -77,6 +129,13 @@ sub options {
>  	capath => { optional => 1 },
>  	cert => { optional => 1 },
>  	certkey => { optional => 1 },
> +	filter => { optional => 1 },
> +	sync_attributes => { optional => 1 },
> +	user_classes => { optional => 1 },
> +	group_dn => { optional => 1 },
> +	group_name_attr => { optional => 1 },
> +	group_filter => { optional => 1 },
> +	group_classes => { optional => 1 },
>      };
>  }
>  
> 