[pve-devel] [PATCH access-control 5/5] ldap: check bind credentials with LDAP directory directly on change

[Christoph Heiss]

Instead of letting a sync fail on the first try due to e.g. bad bind
credentials, give the user some direct feedback when trying to save a
LDAP realm in the UI.

This is part of the result of a previous discussion [0], and the same
approach is already implemented for PBS [1].

[0] https://lists.proxmox.com/pipermail/pve-devel/2023-May/056839.html
[1] https://lists.proxmox.com/pipermail/pbs-devel/2023-June/006237.html

Signed-off-by: Christoph Heiss <c.heiss at proxmox.com>
---
One thing to note might be that this "regresses" the UI in that you
cannot create or change realm settings, if the target LDAP server cannot
be reached.
After a short off-list discussion with Sterzy, a 'force' API
parameter (and accompanying checkbox in the UI) could be added to bypass
this "restriction", although open to discussion how useful that even
would be.

 src/PVE/Auth/LDAP.pm | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index e0ead1b..b73be9d 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -181,7 +181,7 @@ sub get_scheme_and_port {
 }

 sub connect_and_bind {
-    my ($class, $config, $realm) = @_;
+    my ($class, $config, $realm, $param) = @_;

     my $servers = [$config->{server1}];
     push @$servers, $config->{server2} if $config->{server2};
@@ -212,7 +212,7 @@ sub connect_and_bind {

     if ($config->{bind_dn}) {
 	my $bind_dn = $config->{bind_dn};
-	my $bind_pass = ldap_get_credentials($realm);
+	my $bind_pass = defined($param->{password}) ? $param->{password} : ldap_get_credentials($realm);
 	die "missing password for realm $realm\n" if !defined($bind_pass);
 	PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
     } elsif ($config->{cert} && $config->{certkey}) {
@@ -427,20 +427,27 @@ sub on_add_hook {
     my ($class, $realm, $config, %param) = @_;

     if (defined($param{password})) {
+	$class->connect_and_bind($config, $realm, \%param);
 	ldap_set_credentials($param{password}, $realm);
     } else {
-	ldap_delete_credentials($realm);
+	# Still validate the bind credentials, even if no user/password is given
+	$class->connect_and_bind($config, $realm);
     }
 }

 sub on_update_hook {
     my ($class, $realm, $config, %param) = @_;

-    return if !exists($param{password});
-
-    if (defined($param{password})) {
+    if (!exists($param{password})) {
+	# Password wasn't changed, login still needs to be validated in case bind_dn changed
+	$class->connect_and_bind($config, $realm);
+    } elsif (defined($param{password})) {
+	# Password was updated, validate the login and only then store it
+	$class->connect_and_bind($config, $realm, \%param);
 	ldap_set_credentials($param{password}, $realm);
     } else {
+	# Otherwise, the password was removed, so delete it
+	$class->connect_and_bind($config, $realm, \%param);
 	ldap_delete_credentials($realm);
     }
 }
--
2.41.0