In PBS we don't support this, so the current TFA API in rust
does not support this either (although the config does know
about its *existence*).
For now, yubico authentication will be done in perl. Adding
it to rust the rust TFA crate would not make much sense
anyway as we'd likely not want to use the same http client
crate in pve and pbs anyway (since pve is all blocking code
and pbs is async...)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
The main difference here is that we have no separate api
path for verification. Instead, the ticket api call gets an
optional 'tfa-challenge' parameter.
This is opt-in: old pve-manager UI with new
pve-access-control will still work as expected, but users
won't be able to *update* their TFA settings.
Since the new tfa config parser will build a compatible
in-perl tfa config object as well, the old authentication
code is left unchanged for compatibility and will be removed
with pve-8, where the `new-format` parameter in the ticket
call will change its default to `1`.
The `change_tfa` call will simply die in this commit. It is
removed later when adding the pbs-style TFA API calls.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
commit 42ade84744ab60ff8e452d3e562a36dd3da2b810 added the pool
subcommands, reusing the PVE::API2::Pool module. But that module has
to live in pve-manager and is not available here, most of the time
not a real issue (but always ugly), on bootstrapping this becomes a
blocker though...
So, for now add a hack and do not hard depend on the modules
availability...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
partially fix #2825: authkey: rotate if it was generated in the future
Can happen if the RTC is in the future during installation and first
boot, when during key generation the clock is in the future and then,
after the key was already generated, jumps back in time.
Allow a fuzz of $auth_graceperiod, which is currently 5 minutes, as
that fuzz allows some minor, not really problematic, time sync
disparity in clusters.
If an old authkey exists, meaning we rotated at least once, check it's
time too. Only rotate if it'd not be valid for any tickets in the
cluster anymore, i.e., if it difference between the current key is >
$ticket_lifetime (2 hours)..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Fri, 8 May 2020 11:16:58 +0000 (13:16 +0200)]
LDAP: skip anonymous bind when clientcert/key is given
It seems that servers associate the client-cert/key with an account, so
doing an explicit anonymous bind then 'logs out' the already verified
user, limiting the search results in some cases
before refactoring to PVE::LDAP, we did not do '$ldap->bind' at all when
there was no bind_dn, but it is not really clear if Net::LDAP does this
automatically when searching (other libraries do this), so leave the
anonymous bind (for compatibility with PMG) but skip it when a client
certificate and key is given.
auth ldap/ad: make password a parameter for the api
Allows us to add it in the gui, until now the admin needed to create
the file themself.
Mirrored after credential handling from CIFS and PBS in their
pve-storage plugins
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
[Thomas: don't differ from storage one unnecessarily, keep comments
and behavior] Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 15 Apr 2020 15:13:59 +0000 (17:13 +0200)]
token: avoid undef warning if no tokens are configured
Initially the config may not even exist, and so the first token
create would give one then a ugly warning like:
> Use of uninitialized value $raw in split at ..
Handle that case, empty config (where we get '') was fine already, so
explicitly check for definedness, not truthiness.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 21 Mar 2020 15:01:56 +0000 (16:01 +0100)]
realm: add default-sync-options to config
This allows us to have a convenient way to set the desired default
sync options, and thus not forcing users to pass always all options
when they want to trigger a sync.
We still die when an option is neither specified in the domains
(realm) config nor as API/CLI parameter.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 21 Mar 2020 14:56:51 +0000 (15:56 +0100)]
api: realm sync: move out group and user update to separate methods
keep the api call way smaller and clearer
On moving out some minor adaptions where made, e.g., we do not print
"remove user X" if we know that we'd add it again, but just print a
single "update user X" for that. Same for groups.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Fri, 13 Mar 2020 12:18:47 +0000 (13:18 +0100)]
api: domains: add user/group sync API enpoint
this api call syncs the users and groups from LDAP/AD to the
user.cfg
it also implements a 'full' mode where we first delete all
users/groups from the config and sync them again
the parameter 'enable' controls if newly synced users are 'enabled'
(if no sync parameter handles that)
the parameter 'purge' controls if ACLs get removed for users/groups
that do not exists anymore after
Dominik Csapak [Fri, 13 Mar 2020 12:18:46 +0000 (13:18 +0100)]
Auth/AD: make PVE::Auth::AD a subclass of PVE::Auth::LDAP
this makes it much easier to reuse the sync code from LDAP in AD.
The 'authenticate_user' sub is still the same, but we now
can still use the get_users and get_groups functionality of LDAP
in the case of AD, the user_attr is optional in the config
(would have been a breaking change) but we set it
to default to 'sAMAccountName'
Dominik Csapak [Fri, 13 Mar 2020 12:18:45 +0000 (13:18 +0100)]
Auth/LDAP: add get_{users, groups} subs for syncing
this adds the subs which actually query the LDAP for users/groups
and returns the value in format which makes it easy to insert
in our parsed user.cfg
when we find a user/groupname which cannot be in our config,
we warn the verification error
for groups, we append "-$realm" to the groupname, to lower the chance of
accidental overwriting of existing groups (this will be documented
in the api call since it technically does not prevent overwriting, just
makes it more unlikely)
Dominik Csapak [Fri, 13 Mar 2020 12:18:44 +0000 (13:18 +0100)]
Auth/LDAP: add necessary options for syncing
for syncing users/groups from ldap, we need some more options
so that the users can adapt it to their LDAP setup, which are very
different accross systems.
sensible defaults are documented
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
projects / pve-access-control.git / log