[pve-devel] [PATCH access-control] ldap: fix ldap distinguished names regex

Christoph Heiss c.heiss at proxmox.com
Thu May 25 11:52:37 CEST 2023


On Tue, May 23, 2023 at 02:17:18PM +0200, Stefan Sterz wrote:
> On 23.05.23 12:12, Christoph Heiss wrote:
> > On Tue, May 23, 2023 at 10:56:24AM +0200, Stefan Sterz wrote:
> > [..]
>
> yeah that would probably be best, as it's also closer to what the user
> wants (a working ldap setup) than either what the regex or `Net::LDAP`
> can do (making sure that the dn conforms to spec). since my knowledge
> about ldap is fairly shallow, I'm not sure how this would work in terms
> of timeouts etc.
Looking at the docs, the timeout when connecting to the server can be
set. Other than that, trying a bind using the given DN/password should
pose no problems.

>
> another point that comes to mind is that lukas reminded me that the same
> regex is used in pbs. i haven't yet looked at that, but we probably want
> to make sure that both implementations work as similarly as possible.
Good point. Haven't looked at the PBS side at all yet, but I guess we
probably don't have something similar to canonical_dn() there? But in
any case, as long as we keep the same overall approach (lax sanity
check, then try connecting to the server and bind), it should feel
pretty much the same to the user.

> [..]
> yeah i agree, we should probably still keep the tests for the lax sanity
> check, just in case.
Definitely, more tests are always good.

> i'll take a look at the pbs side. if you want to take this over, feel
> free to, just give me a heads-up.
Great! And sure, I'll take over the PVE side of things.
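A lax DN sanity check of the kind discussed in this thread, as an added example written here and not code from PVE or PBS (the names `split_rdns` and `is_plausible_dn` are my own): it only verifies that the DN splits into `attr=value` RDNs while honouring backslash escapes and double-quoted values, and leaves the real check to the bind attempt against the server.

```rust
// Constructed example: split a DN into its RDNs at unescaped, unquoted
// separators (RFC 4514 style). Returns None on a dangling escape or an
// unbalanced quote, which is the only hard failure this check produces.
fn split_unescaped(s: &str, seps: &[char]) -> Option<Vec<String>> {
    let mut parts = Vec::new();
    let mut cur = String::new();
    let mut chars = s.chars();
    let mut in_quotes = false;
    while let Some(c) = chars.next() {
        match c {
            // keep the escape together with the escaped character
            '\\' => { let e = chars.next()?; cur.push('\\'); cur.push(e); }
            '"' => { in_quotes = !in_quotes; cur.push(c); }
            c if !in_quotes && seps.contains(&c) => { parts.push(cur.trim().to_string()); cur.clear(); }
            _ => cur.push(c),
        }
    }
    if in_quotes { return None; }
    parts.push(cur.trim().to_string());
    Some(parts)
}

/// RDNs are separated by ',' (or the legacy ';').
pub fn split_rdns(dn: &str) -> Option<Vec<String>> {
    split_unescaped(dn, &[',', ';'])
}

/// Lax check: each RDN, and each '+'-joined attribute inside it, must look like
/// `name=value` with a non-empty attribute name and a non-empty value. Whether the
/// entry exists is deliberately not decided here; the bind attempt settles that.
pub fn is_plausible_dn(dn: &str) -> bool {
    let rdns = match split_rdns(dn) { Some(r) => r, None => return false };
    rdns.iter().all(|rdn| {
        let avas = match split_unescaped(rdn, &['+']) { Some(a) => a, None => return false };
        avas.iter().all(|ava| match ava.split_once('=') {
            Some((name, value)) => {
                let name = name.trim();
                !name.is_empty()
                    && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.')
                    && !value.trim().is_empty()
            }
            None => false,
        })
    })
}

fn main() {
    for dn in ["cn=Doe\\, John,ou=people,dc=example,dc=com", "cn=\"unbalanced,dc=example"] {
        println!("{dn}: plausible = {}", is_plausible_dn(dn));
    }
}
```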