[PVE-User] Feature request: LDAP non-anonymous bind
Sten Aus
sten.aus at eenet.ee
Mon Sep 7 15:25:20 CEST 2015
Hi
I would like to propose a feature: LDAP non-anonymous bind.
As it has been discussed already in forums I will link it here as well:
http://forum.proxmox.com/threads/14649-LDAP-authentication-with-non-anonymous-bind
As the proposed patch is working, I would suggest adding it to Proxmox.
An (almost) copy-paste from this patch is here. One comma (,) is missing
at the end of the bind_pw {} section.
|diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm index dc1c229..50df467
100755 --- a/PVE/Auth/LDAP.pm +++ b/PVE/Auth/LDAP.pm @@ -18,6 +18,19 @@
sub properties { optional => 1, maxLength => 256, }, + bind_dn => { +
description => "LDAP bind DN", + type => 'string', + pattern =>
'\w+=[^,]+(,\s*\w+=[^,]+)*', + optional => 1, + maxLength => 256, + }, +
bind_pw => { + description => "LDAP bind password", + type => 'string',
+ optional => 1, + maxLength => 256, + }, user_attr => { description =>
"LDAP user attribute name", type => 'string', @@ -33,6 +46,8 @@ sub
options { server1 => {}, server2 => { optional => 1 }, base_dn => {}, +
bind_dn => { optional => 1 }, + bind_pw => { optional => 1 }, user_attr
=> {}, port => { optional => 1 }, secure => { optional => 1 }, @@ -50,6
+65,12 @@ my $authenticate_user_ldap = sub { my $conn_string =
"$scheme://${server}:$port"; my $ldap = Net::LDAP->new($conn_string,
verify => 'none') || die "$@\n"; + if ($config->{bind_dn} ) { + my $res
= $ldap->bind( $config->{bind_dn}, password => $config->{bind_pw} ); +
my $code = $res->code(); + my $err = $res->error; + die "Error during
initial bind: $err\n" if ($code); + } my $search = $config->{user_attr}
. "=" . $username; my $result = $ldap->search( base =>
"$config->{base_dn}", scope => "sub", |
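Review bot: in the properties hunk, the bind_dn pattern '\w+=[^,]+(,\s*\w+=[^,]+)*' rejects valid DNs: an escaped comma inside an RDN value (cn=Smith\, John) and attribute types containing a hyphen both fail it, so such a service account cannot be configured at all. Either loosen the pattern or drop it and let the initial bind report a bad DN. The bind_pw description "LDAP bind password" should also say that the value is stored in cleartext in /etc/pve/domains.cfg, which the covering mail confirms, so admins know to use a dedicated read-only bind account.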
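Review bot: the options hunk makes bind_dn and bind_pw independently optional, so a realm with bind_dn set and bind_pw missing is accepted and later performs a simple bind with a DN and an empty password. That is the "unauthenticated" simple bind of RFC 4513 section 5.1.2, which many directory servers accept and treat as anonymous, so the feature silently degrades to the anonymous behaviour it was meant to replace. Validate the pair here: reject bind_dn without bind_pw (and bind_pw without bind_dn), or at least require a non-empty bind_pw when bind_dn is present.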
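Review bot: the authenticate hunk sends $config->{bind_pw} over a connection that the surrounding context opens with Net::LDAP->new($conn_string, verify => 'none'), and over plain ldap:// whenever $scheme is not ldaps. Until now the only credential at risk was the end user's password at login; this change adds a long-lived service-account password to every authentication attempt, so the lack of certificate verification and of any requirement for the secure option becomes a real exposure. At minimum document that secure should be set for realms using bind_dn; better, verify the server certificate when a bind password is configured. The bind result check itself is fine, and the die on "$err" keeps the password out of the error text.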
Now, all you’ve got to do is edit the /etc/pve/domains.cfg file and add
the bind_dn and bind_pw parameters there.
Also, when I edit from the GUI, those values get lost from this file, so I
would suggest that you configure LDAP from the GUI and then add those two
rows from the CLI.
As some daemon caches LDAP.pm, I needed to restart my host to get the LDAP
bind working. I have tried restarting three services:
service pve-cluster restart && service pve-manager restart && service pveproxy restart
Can anyone tell me what service caches it? Can I restart it without
affecting my KVMs?
Maybe a feature in Proxmox 4.0? Or if stable is too far away, then in
3.4. :)
All the best
Sten Aus
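The mail describes adding bind_dn and bind_pw rows to /etc/pve/domains.cfg by hand, and the patch above checks bind_dn against a fixed pattern while leaving bind_pw and the secure flag unvalidated. The following is an added example, not code from the post or from Proxmox: a small Python checker that parses a constructed domains.cfg sample (the "ldap: <realm>" header followed by indented "key value" lines is the layout assumed here) and flags the two misconfigurations a reviewer would worry about, bind_dn without bind_pw and bind_pw on a realm without secure set. The DN regex is copied from the patch; applying it with fullmatch assumes the schema anchors the pattern, which is an assumption.

```python
import re

# Constructed sample of a domains.cfg, not taken from any real host.
# Layout assumed: one "<type>: <realm>" header per realm, then indented
# "<key> <value>" lines, blank line between realms.
SAMPLE_DOMAINS_CFG = """\
ldap: corp
    server1 ldap.example.com
    base_dn dc=example,dc=com
    user_attr uid
    secure 1
    bind_dn cn=pve,ou=svc,dc=example,dc=com
    bind_pw s3cret

ldap: legacy
    server1 ldap.legacy.example.com
    base_dn dc=legacy,dc=com
    user_attr uid
    bind_dn cn=pve,dc=legacy,dc=com

pam: pam
    comment Linux PAM standard authentication
"""

# Pattern copied from the patch's bind_dn property. Using fullmatch assumes
# the PVE schema anchors the pattern at both ends (assumption).
BIND_DN_RE = re.compile(r'\w+=[^,]+(,\s*\w+=[^,]+)*')


def parse_domains_cfg(text):
    """Return {realm_name: {"type": <type>, <key>: <value>, ...}}."""
    realms = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            # Header line such as "ldap: corp".
            rtype, _, name = raw.partition(":")
            current = {"type": rtype.strip()}
            realms[name.strip()] = current
            continue
        if current is None:
            raise ValueError("property line before any realm header: %r" % raw)
        # Property line such as "    bind_dn cn=pve,dc=example,dc=com";
        # the value may itself contain spaces, so split only on the first one.
        key, _, value = raw.strip().partition(" ")
        current[key] = value.strip()
    return realms


def lint_ldap_realm(name, realm):
    """Return a list of findings for one realm; empty means nothing to report."""
    findings = []
    if realm.get("type") != "ldap":
        return findings
    bind_dn = realm.get("bind_dn")
    bind_pw = realm.get("bind_pw")
    if bind_dn is not None and not BIND_DN_RE.fullmatch(bind_dn):
        findings.append("%s: bind_dn does not match the patch's DN pattern" % name)
    if bind_dn and not bind_pw:
        # DN plus empty password is an unauthenticated simple bind
        # (RFC 4513 section 5.1.2); many servers treat it as anonymous.
        findings.append("%s: bind_dn set without bind_pw; the bind degrades to an "
                        "unauthenticated (effectively anonymous) bind" % name)
    if bind_pw and not bind_dn:
        findings.append("%s: bind_pw set without bind_dn; the password is never used" % name)
    if bind_pw and realm.get("secure") != "1":
        findings.append("%s: bind_pw configured but secure is not 1; the service "
                        "account password would cross the network in cleartext" % name)
    return findings


def lint_domains_cfg(text):
    """Parse a domains.cfg text and return all findings across its realms."""
    findings = []
    for name, realm in parse_domains_cfg(text).items():
        findings.extend(lint_ldap_realm(name, realm))
    return findings


if __name__ == "__main__":
    for line in lint_domains_cfg(SAMPLE_DOMAINS_CFG):
        print(line)
```

Run against the sample, the "corp" realm is clean and the "legacy" realm is reported once for having a bind_dn with no bind_pw; with the patch applied as posted, that realm would bind with an empty password and most directories would quietly treat it as anonymous.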