[pve-devel] applied: [PATCH access-control v2 1/5] Auth/LDAP: add necessary options for syncing
Thomas Lamprecht
t.lamprecht at proxmox.com
Sat Mar 21 16:23:49 CET 2020
On 3/13/20 1:18 PM, Dominik Csapak wrote:
> for syncing users/groups from ldap, we need some more options
> so that the users can adapt it to their LDAP setup, which are very
> different accross systems.
>
> sensible defaults are documented
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> changes from v1:
> * increased filter maxLength
> * better wording of sync_attributes description; with example
> * rename group_attr -> group_name_attr
>
applied, squashed in some description "fixes" (mainly indentation one, as I
do not like the used much).
Thanks!
> PVE/Auth/LDAP.pm | 59 ++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 59 insertions(+)
>
> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
> index 5eef12c..7d1d1ed 100755
> --- a/PVE/Auth/LDAP.pm
> +++ b/PVE/Auth/LDAP.pm
> @@ -57,6 +57,58 @@ sub properties {
> type => 'string',
> optional => 1,
> },
> + filter => {
> + description => "LDAP filter for user sync.",
> + type => 'string',
> + optional => 1,
> + maxLength => 2048,
> + },
> + sync_attributes => {
> + description => "Comma separated list of key=value pairs for specifying ".
> + "which LDAP attributes map to which PVE user field".
> + "(e.g. to map the LDAP attribute 'mail' to PVEs 'email', ".
> + "write 'email=mail' ). By default, each PVE user field ".
> + "is represented by an LDAP attribute of the same name.",
> + optional => 1,
> + type => 'string',
> + pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
> + },
> + user_classes => {
> + description => "The objectclasses for users.",
> + type => 'string',
> + default => 'inetorgperson, posixaccount, person, user',
> + format => 'ldap-simple-attr-list',
> + optional => 1,
> + },
> + group_dn => {
> + description => "LDAP base domain name for group sync. ".
> + "If not given, the base_dn will be used.",
> + type => 'string',
> + pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
> + optional => 1,
> + maxLength => 256,
> + },
> + group_name_attr => {
> + description => "LDAP attribute representing a groups name. If not given or ".
> + "found, the first value of the DN will be used as name.",
> + type => 'string',
> + format => 'ldap-simple-attr',
> + optional => 1,
> + maxLength => 256,
> + },
> + group_filter => {
> + description => "LDAP filter for group sync.",
> + type => 'string',
> + optional => 1,
> + maxLength => 2048,
> + },
> + group_classes => {
> + description => "The objectclasses for groups.",
> + type => 'string',
> + default => 'groupOfNames, group, univentionGroup, ipausergroup',
> + format => 'ldap-simple-attr-list',
> + optional => 1,
> + },
> };
> }
>
> @@ -77,6 +129,13 @@ sub options {
> capath => { optional => 1 },
> cert => { optional => 1 },
> certkey => { optional => 1 },
> + filter => { optional => 1 },
> + sync_attributes => { optional => 1 },
> + user_classes => { optional => 1 },
> + group_dn => { optional => 1 },
> + group_name_attr => { optional => 1 },
> + group_filter => { optional => 1 },
> + group_classes => { optional => 1 },
> };
> }
>
>
More information about the pve-devel
mailing list