[pve-devel] applied: [PATCH access-control] LDAP: skip anonymous bind when clientcert/key is given

Thomas Lamprecht t.lamprecht at proxmox.com
Fri May 8 13:36:29 CEST 2020


On 5/8/20 1:16 PM, Dominik Csapak wrote:
> It seems that servers associate the client-cert/key with an account, so
> doing an explicit anonymous bind then 'logs out' the already verified
> user, limiting the search results in some cases
> 
> before refactoring to PVE::LDAP, we did not do '$ldap->bind' at all when
> there was no bind_dn, but it is not really clear if Net::LDAP does this
> automatically when searching (other libraries do this), so leave the
> anonymous bind (for compatibility with PMG) but skip it when a client
> certificate and key are given.
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
>  PVE/Auth/LDAP.pm | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
> index 9fa9095..09b2202 100755
> --- a/PVE/Auth/LDAP.pm
> +++ b/PVE/Auth/LDAP.pm
> @@ -203,17 +203,17 @@ sub connect_and_bind {
>  
>      my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, \%ldap_args);
>  
> -    my $bind_dn;
> -    my $bind_pass;
> -
>      if ($config->{bind_dn}) {
> -	$bind_dn = $config->{bind_dn};
> -	$bind_pass = ldap_get_credentials($realm);
> +	my $bind_dn = $config->{bind_dn};
> +	my $bind_pass = ldap_get_credentials($realm);
>  	die "missing password for realm $realm\n" if !defined($bind_pass);
> +	PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
> +    } elsif ($config->{cert} && $config->{certkey}) {
> +	warn "skipping anonymous bind with clientcert\n";
> +    } else {
> +	PVE::LDAP::ldap_bind($ldap);
>      }
>  
> -    PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
> -
>      if (!$config->{base_dn}) {
>  	my $root = $ldap->root_dse(attrs => [ 'defaultNamingContext' ]);
>  	$config->{base_dn} = $root->get_value('defaultNamingContext');
> 
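Review bot: the new `elsif ($config->{cert} && $config->{certkey})` branch only matches when both cert and certkey are configured; a realm with just one of the two set silently falls through to the `else` branch and performs exactly the anonymous bind this change wants to avoid, so failing early there (for example `die "client certificate and key must both be set\n"`) or at least warning about the half-configured TLS client auth would make the behaviour easier to diagnose. Separately, `warn "skipping anonymous bind with clientcert\n"` fires on every `connect_and_bind` call for a valid, intended configuration, which will clutter the daemon logs; since nothing is wrong in that path, a quieter message or dropping the warn altogether seems more appropriate.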

applied, thanks!
