[pve-devel] [PATCH common/access-control v2 0/5] improve LDAP DN and bind creds checking on creation/change

Lukas Wagner l.wagner at proxmox.com
Thu Jul 27 11:54:39 CEST 2023

On 7/24/23 11:03, Christoph Heiss wrote:
> tl;dr implements the result of the discussion in [0].
> First, this removes the dreaded LDAP DN regex, replacing it instead with
> a proper schema format, which does validation using
> Net::LDAP::Util::canonical_dn().
Already discussed off-list, but for the sake of completeness:

I'd say we can just do the same thing as in PBS, were we only verify the settings by
connecting to the server, but nothing else.
If we drop the check through `canonical_dn()`, then we actually improve
the AD realm implementation, which is also based on the LDAP code.

AD not only supports the regular DN syntax, but also:
   Administrator at Domain

However, these two formats are not accepted by `canonical_dn`. If we just drop the
check, then these alternative forms will work automatically (I've actually tested
this against a real AD server)

- Lukas

More information about the pve-devel mailing list