[pve-devel] [PATCH access-control/manager 0/2] ldap: check bind connection on realm add/update

Christoph Heiss c.heiss at proxmox.com
Thu Jul 27 15:33:16 CEST 2023

First of, this removes the dreaded LDAP DN regex.

Further, upon saving a LDAP realm in the UI, it tries to connect & bind
using the provided credentials, providing the user with immediate
feedback whether they are valid or not.

The same approach is already implemented in PBS [0], and I'll plan to
implement the same for PMG too, if & when the PVE side is done.

Changes were tested against slapd 2.5.13+dfsg-5, using both the web UI
and `pveum` to create and update realms with different combinations of
valid and invalid parameters, mixed with using new `check-connection`

Prior art
This completely supersedes the previous series [1].

This series is a complete new approach to it (also why this also isn't
marked as v3), which previously tried to solve this using a new schema
format by validated DNs using Net::LDAP::Util::canonical_dn(). But this
has the problem that it does not support AD-specific DN syntax.

After a off-list discussion with Lukas (summary [2]), it was decided to
rather implement it much like PBS does it - simply drop the explicit
validation of DN parameters, instead just trying to connect & bind to
the target server - although I'm always open for other/better
suggestions to tackle this.

[0] https://git.proxmox.com/?p=proxmox-backup.git;a=commitdiff;h=5210f3b5
[1] https://lists.proxmox.com/pipermail/pve-devel/2023-July/058392.html
[2] https://lists.proxmox.com/pipermail/pve-devel/2023-July/058540.html


More information about the pve-devel mailing list