buildsys: split packaging and source build-systems

Much nicer to handle and work with than entangling all together in a single spaghetti pile.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

fix #1670: change PAM service name to project specific name

Instead of 'common-auth' use 'proxmox-ve-auth', this way users can override PAM authentication settings via `/etc/pam.d/proxmox-ve-auth`.

If the file does not exist, PAM will use `/etc/pam.d/other` which by default behaves like `common-auth`.

Note that this *can* be different from directly using `common-auth` *if* a user has actually modified `/etc/pam.d/other` for some reason.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

fix #2947 login name for the LDAP/AD realm can be case-insensitive

This is optional for the LDAP and AD realms. The default behavior is case-sensitive.

Signed-off-by: Wolfgang Link <w.link@proxmox.com>

partially fix #2825: authkey: rotate if it was generated in the future

Can happen if the RTC is in the future during installation and first boot, when during key generation the clock is in the future and then, after the key was already generated, jumps back in time.

Allow a fuzz of $auth_graceperiod, which is currently 5 minutes, as that fuzz allows some minor, not really problematic, time sync disparity in clusters.

If an old authkey exists, meaning we rotated at least once, check its time too. Only rotate if it'd not be valid for any tickets in the cluster anymore, i.e., if its difference to the current key is > $ticket_lifetime (2 hours).

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

LDAP: skip anonymous bind when clientcert/key is given

It seems that servers associate the client-cert/key with an account, so doing an explicit anonymous bind then 'logs out' the already verified user, limiting the search results in some cases.

Before refactoring to PVE::LDAP, we did not do '$ldap->bind' at all when there was no bind_dn, but it is not really clear if Net::LDAP does this automatically when searching (other libraries do this), so leave the anonymous bind (for compatibility with PMG) but skip it when a client certificate and key is given.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

pveum: add 'tfa delete' subcommand for deleting user-TFA

Allows a user to straightforwardly delete TFA over the CLI, easier than telling them to edit some config files, and the API is already there.

Short circuit most params of that API call to undef, as they do not make sense to expose.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>