ldap: add opt-in `check-connection` param to perform a bind check

Removes the dreaded DN regex, instead introducing a optional
connect/bind check on creation/update, aligning it with the way PBS does
it.

Additionally, it has the benefit that instead of letting a sync fail on
the first try due to e.g. bad bind credentials, it gives the user some
direct feedback when trying to add/update a LDAP realm, if enabled.

Should be rather a corner case, but it's the easiest way for us to
accomodate and the most versatile for users needing this.

This is part of the result of a previous discussion [0], and the same
approach is already implemented for PBS [1].

[0] https://lists.proxmox.com/pipermail/pve-devel/2023-May/056839.html
[1] https://lists.proxmox.com/pipermail/pbs-devel/2023-June/006237.html

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>

diff --git a/src/PVE/API2/Domains.pm b/src/PVE/API2/Domains.pm
index 9332aa7d7d94ab08bad223afedcbbd69789957f2..e7b7d39e62521e4a9ecc4e634a0ca279f59ab212 100644 (file)
--- a/src/PVE/API2/Domains.pm
+++ b/src/PVE/API2/Domains.pm
@@ -117,7 +117,14 @@ __PACKAGE__->register_method ({
        check => ['perm', '/access/realm', ['Realm.Allocate']],
     },
     description => "Add an authentication server.",
-    parameters => PVE::Auth::Plugin->createSchema(),
+    parameters => PVE::Auth::Plugin->createSchema(0, {
+       'check-connection' => {
+           description => 'Check bind connection to the server.',
+           type => 'boolean',
+           optional => 1,
+           default => 0,
+       },
+    }),
     returns => { type => 'null' },
     code => sub {
        my ($param) = @_;
@@ -133,6 +140,7 @@ __PACKAGE__->register_method ({
 
                my $realm = extract_param($param, 'realm');
                my $type = $param->{type};
+               my $check_connection = extract_param($param, 'check-connection');
 
                die "domain '$realm' already exists\n"
                    if $ids->{$realm};
@@ -143,6 +151,9 @@ __PACKAGE__->register_method ({
                die "unable to create builtin type '$type'\n"
                    if ($type eq 'pam' || $type eq 'pve');
 
+               die "'check-connection' parameter can only be set for realms of type 'ldap' or 'ad'\n"
+                   if defined($check_connection) && !($type eq 'ldap' || $type eq 'ad');
+
                if ($type eq 'ad' || $type eq 'ldap') {
                    $map_sync_default_options->($param, 1);
                }
@@ -165,6 +176,10 @@ __PACKAGE__->register_method ({
                }
                $plugin->on_add_hook($realm, $config, password => $password);
 
+               # Only for LDAP/AD, implied through the existence of the 'check-connection' param
+               $plugin->check_connection($realm, $config, password => $password)
+                   if $check_connection;
+
                cfs_write_file($domainconfigfile, $cfg);
            }, "add auth server failed");
 
@@ -180,7 +195,14 @@ __PACKAGE__->register_method ({
     },
     description => "Update authentication server settings.",
     protected => 1,
-    parameters => PVE::Auth::Plugin->updateSchema(),
+    parameters => PVE::Auth::Plugin->updateSchema(0, {
+       'check-connection' => {
+           description => 'Check bind connection to the server.',
+           type => 'boolean',
+           optional => 1,
+           default => 0,
+       },
+    }),
     returns => { type => 'null' },
     code => sub {
        my ($param) = @_;
@@ -198,10 +220,15 @@ __PACKAGE__->register_method ({
                PVE::SectionConfig::assert_if_modified($cfg, $digest);
 
                my $realm = extract_param($param, 'realm');
+               my $type = $ids->{$realm}->{type};
+               my $check_connection = extract_param($param, 'check-connection');
 
                die "domain '$realm' does not exist\n"
                    if !$ids->{$realm};
 
+               die "'check-connection' parameter can only be set for realms of type 'ldap' or 'ad'\n"
+                   if defined($check_connection) && !($type eq 'ldap' || $type eq 'ad');
+
                my $delete_str = extract_param($param, 'delete');
                die "no options specified\n"
                    if !$delete_str && !scalar(keys %$param) && !defined($password);
@@ -212,7 +239,6 @@ __PACKAGE__->register_method ({
                    $delete_pw = 1 if $opt eq 'password';
                }
 
-               my $type = $ids->{$realm}->{type};
                if ($type eq 'ad' || $type eq 'ldap') {
                    $map_sync_default_options->($param, 1);
                }
@@ -237,6 +263,10 @@ __PACKAGE__->register_method ({
                    $plugin->on_update_hook($realm, $config);
                }
 
+               # Only for LDAP/AD, implied through the existence of the 'check-connection' param
+               $plugin->check_connection($realm, $ids->{$realm}, password => $password)
+                   if $check_connection;
+
                cfs_write_file($domainconfigfile, $cfg);
            }, "update auth server failed");
 

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index fc82a17ad3baa26e1c5cc1a4fd71d3af105f0c15..b958f2b96a5a8c206bdaf15099dee5faebd4604a 100755 (executable)
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -10,9 +10,6 @@ use PVE::Tools;
 
 use base qw(PVE::Auth::Plugin);
 
-my  $dn_part_regex = qr!("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])!;
-our $dn_regex = qr!\w+=${dn_part_regex}(,\s*\w+=${dn_part_regex})*!;
-
 sub type {
     return 'ldap';
 }
@@ -22,7 +19,6 @@ sub properties {
        base_dn => {
            description => "LDAP base domain name",
            type => 'string',
-           pattern => $dn_regex,
            optional => 1,
            maxLength => 256,
        },
@@ -36,7 +32,6 @@ sub properties {
        bind_dn => {
            description => "LDAP bind domain name",
            type => 'string',
-           pattern => $dn_regex,
            optional => 1,
            maxLength => 256,
        },
@@ -94,7 +89,6 @@ sub properties {
            description => "LDAP base domain name for group sync. If not set, the"
                ." base_dn will be used.",
            type => 'string',
-           pattern => $dn_regex,
            optional => 1,
            maxLength => 256,
        },
@@ -137,7 +131,7 @@ sub properties {
            type => 'boolean',
            optional => 1,
            default => 1,
-       }
+       },
     };
 }
 
@@ -184,7 +178,7 @@ sub get_scheme_and_port {
 }
 
 sub connect_and_bind {
-    my ($class, $config, $realm) = @_;
+    my ($class, $config, $realm, $param) = @_;
 
     my $servers = [$config->{server1}];
     push @$servers, $config->{server2} if $config->{server2};
@@ -215,7 +209,7 @@ sub connect_and_bind {
 
     if ($config->{bind_dn}) {
        my $bind_dn = $config->{bind_dn};
-       my $bind_pass = ldap_get_credentials($realm);
+       my $bind_pass = $param->{password} || ldap_get_credentials($realm);
        die "missing password for realm $realm\n" if !defined($bind_pass);
        PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass);
     } elsif ($config->{cert} && $config->{certkey}) {
@@ -454,4 +448,10 @@ sub on_delete_hook {
     ldap_delete_credentials($realm);
 }
 
+sub check_connection {
+    my ($class, $realm, $config, %param) = @_;
+
+    $class->connect_and_bind($config, $realm, \%param);
+}
+
 1;

diff --git a/src/PVE/Auth/Plugin.pm b/src/PVE/Auth/Plugin.pm
index 2f64a1378e0edb704a273093cef69ac76f5c57a9..429bc88cdad96469fd8054c810cb4aeb916e90cd 100755 (executable)
--- a/src/PVE/Auth/Plugin.pm
+++ b/src/PVE/Auth/Plugin.pm
@@ -317,4 +317,12 @@ sub on_delete_hook {
     # do nothing by default
 }
 
+# called during addition and updates of realms (before the new domain config gets written)
+# die to abort addition/update in case the connection/bind fails
+# NOTE: runs in a storage config *locked* context
+sub check_connection {
+    my ($class, $realm, $config, %param) = @_;
+    # do nothing by default
+}
+
 1;