[pve-devel] [Patch v2 access-control] fix #2947 login name for the LDAP/AD realm can be case-insensitive

Dominik Csapak d.csapak at proxmox.com
Mon Sep 7 10:20:48 CEST 2020 

one comment inline

On 9/3/20 10:36 AM, Wolfgang Link wrote:
> This is an optional for LDAP and AD realm.
> The default behavior is case-sensitive.
> 
> Signed-off-by: Wolfgang Link <w.link at proxmox.com>
> ---
> v1 -> v2:	* naming of paramenter
>        		* use grep instead of a loop, to avoid login errors
> 		  with ambiguous usernames
> 
>   PVE/API2/AccessControl.pm | 23 +++++++++++++++++++++++
>   PVE/Auth/AD.pm            |  1 +
>   PVE/Auth/LDAP.pm          |  7 +++++++
>   3 files changed, 31 insertions(+)
> 
> diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
> index fd27786..3155d67 100644
> --- a/PVE/API2/AccessControl.pm
> +++ b/PVE/API2/AccessControl.pm
> @@ -226,6 +226,28 @@ __PACKAGE__->register_method ({
>       returns => { type => "null" },
>       code => sub { return undef; }});
>   
> +sub lookup_username {
> +    my ($username) = @_;
> +
> +    $username =~ /@(.+)/;

i do not know if you saw my last mail, but we have to do a
better regex here, since the username can contain an '@'

so foo at bar@pve is a valid username (:-S)
and the realm here would parse to 'bar at pve'

so a better regex would be
/@([^@]+)$/

> +
> +    my $realm = $1;
> +    my $domain_cfg = cfs_read_file("domains.cfg");
> +    my $casesensitive = $domain_cfg->{ids}->{$realm}->{'case-sensitive'} // 1;
> +    my $usercfg = cfs_read_file('user.cfg');
> +
> +    if (!$casesensitive) {
> +	my @matches = grep { lc $username eq lc $_ } (keys %{$usercfg->{users}});
> +
> +	die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n"
> +	    if scalar @matches > 1;
> +
> +	return $matches[0]
> +    }
> +
> +    return $username;
> +};
> +
>   __PACKAGE__->register_method ({
>       name => 'create_ticket',
>       path => 'ticket',
> @@ -292,6 +314,7 @@ __PACKAGE__->register_method ({
>   	my $username = $param->{username};
>   	$username .= "\@$param->{realm}" if $param->{realm};
>   
> +	$username = lookup_username($username);
>   	my $rpcenv = PVE::RPCEnvironment::get();
>   
>   	my $res;
> diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
> index 4d64c20..88b2098 100755
> --- a/PVE/Auth/AD.pm
> +++ b/PVE/Auth/AD.pm
> @@ -94,6 +94,7 @@ sub options {
>   	group_classes => { optional => 1 },
>   	'sync-defaults-options' => { optional => 1 },
>   	mode => { optional => 1 },
> +	'case-sensitive' => { optional => 1 },
>       };
>   }
>   
> diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
> index 09b2202..97d0778 100755
> --- a/PVE/Auth/LDAP.pm
> +++ b/PVE/Auth/LDAP.pm
> @@ -129,6 +129,12 @@ sub properties {
>   	    optional => 1,
>   	    default => 'ldap',
>   	},
> +        'case-sensitive' => {
> +	    description => "username is case-sensitive",
> +	    type => 'boolean',
> +	    optional => 1,
> +	    default => 1,
> +	}
>       };
>   }
>   
> @@ -159,6 +165,7 @@ sub options {
>   	group_classes => { optional => 1 },
>   	'sync-defaults-options' => { optional => 1 },
>   	mode => { optional => 1 },
> +	'case-sensitive' => { optional => 1 },
>       };
>   }
>   
>

More information about the pve-devel mailing list