Commit Graph

23 Commits

Author SHA1 Message Date
Thomas Lamprecht
bd944b06f9 ldap: bump version to 0.2.2-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2024-04-24 21:13:45 +02:00
Christoph Heiss
72afba8b5b ldap: add method for retrieving root DSE attributes
The root DSE holds common attributes about the LDAP server itself.
Needed to e.g. support Active Directory-based LDAP servers to retrieve
the base DN from the server itself, based on an valid bind.

See also RFC 4512, Section 5.1 [0] for more information about this
special object.

[0] https://www.rfc-editor.org/rfc/rfc4512#section-5.1

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
2024-03-25 17:03:27 +01:00
Christoph Heiss
84fbfb22ec ldap: avoid superfluous allocation when calling .search()
The `attrs` parameter of `Ldap::search()` is an `impl AsRef<[impl
AsRef<str>]>` anyway, so replace `vec![..]` with `&[..]`.

Suggested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
2024-03-25 17:03:27 +01:00
Wolfgang Bumiller
e9499bbcf2 bump proxmox-ldap to 0.2.1-1
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-08-08 14:09:19 +02:00
Stefan Sterz
c74167f528 ldap: only search base of base_dn when checking connection
this should avoid most common size limitations. the search should also
complete quicker as fewer results need to be computed. note that this
way a configuration may be accepted, but the related sync job can
fail due to and exceeded size limit warning for some ldap servers
(such as 2.5.14+dfsg-0ubuntu0.22.04.2).

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2023-08-08 14:01:27 +02:00
Stefan Sterz
92e02f6e33 ldap: add an integration test for check_connection
Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2023-08-08 14:01:25 +02:00
Wolfgang Bumiller
54cb9be8ed bump proxmox-ldap to 0.2.0-1
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-06-26 14:22:50 +02:00
Stefan Sterz
7f135263a9 ldap: add check_connection function
this function checks if a given connection could work. it uses the
current config to connect to an ldap directory and perform a search
with the provided base_dn. this enables us to verify a connection
before storing it in a more meaningful way than with a regex.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2023-06-26 14:15:35 +02:00
Stefan Sterz
599a6a49da ldap: remove support for unauthenticated binds
by using the default empty string if no password was provided,
unauthenticated binds were possible. to bring pbs in-line with pve,
switch to throwing an error in this case instead. however, this will
break any pre-existing setup that relied on this behavior.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2023-06-26 14:15:33 +02:00
Wolfgang Bumiller
5791af8ff4 ldap: rustfmt
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-06-23 11:20:25 +02:00
Lukas Wagner
378e2380b7 ldap: surround user filter expression in parenthesis if not already
In PVE, the `filter` attribute is surrounded in () if it is not already,
allowing "uid=test" as well as "(uid=test)" [1].

A forum user [2] just ran into this inconsistency, so I decided to adjust
the behavior.

[1] https://git.proxmox.com/?p=pve-common.git;a=blob;f=src/PVE/LDAP.pm;h=ff98e367e63265bf76c0f302847c3749eea095a6;hb=HEAD#l115
[2] https://forum.proxmox.com/threads/ldap-query-for-security-group-members.127882/

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
2023-06-23 11:19:04 +02:00
Wolfgang Bumiller
8f8d52f148 update d/copyright files to debian copyright-format 1.0
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:39 +02:00
Wolfgang Bumiller
1a14696a5c ldap: test fixup
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-03-02 15:44:11 +01:00
Wolfgang Bumiller
e8e8f83723 ldap: fixup d/control
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-02-08 14:30:52 +01:00
Wolfgang Bumiller
870be885ed ldap: drop Ldap prefix from types that have it
for a bit more consistency and since we tend to repeat stuff
too much

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-02-08 14:29:12 +01:00
Wolfgang Bumiller
4ff5c59559 fix 'default-features = false' for ldap3
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-02-08 14:26:34 +01:00
Wolfgang Bumiller
cd61c8741c ldap: clippy fixups
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-02-08 14:15:44 +01:00
Lukas Wagner
1db057e189 ldap: add debian packaging
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
2023-02-08 14:11:24 +01:00
Lukas Wagner
582e994cca ldap: tests: add LDAP integration tests
This commit adds integration tests to ensure that the crate works as intended.
The tests are executed against a real LDAP server, namely `glauth`. `glauth` was
chosen because it ships as a single, statically compiled binary and can
be configured with a single configuration file.

The tests are written as off-the-shelf unit tests. However, they are
 #[ignored] by default, as they have some special requirements:
   * They required the GLAUTH_BIN environment variable to be set,
     pointing to the location of the `glauth` binary. `glauth` will be
     started and stopped automatically by the test suite.
   * Tests have to be executed sequentially (`--test-threads 1`),
     otherwise multiple instances of the glauth server might bind to the
     same port.

The `run_integration_tests.sh` checks whether GLAUTH_BIN is set, or if
not, attempts to find `glauth` on PATH. The script also ensures that the
tests are run sequentially.

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
2023-02-08 14:11:21 +01:00
Lukas Wagner
4488256cb1 ldap: allow searching for LDAP entities
This commit adds the search_entities function, which allows to search for
LDAP entities given certain provided criteria.

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
2023-02-08 14:11:18 +01:00
Lukas Wagner
b9ab0ba4fa ldap: add helpers for constructing LDAP filters
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
2023-02-08 14:11:15 +01:00
Lukas Wagner
6fd77c9a5e ldap: add basic user auth functionality
In the LDAP world, authentication is done using the bind operation, where
users are authenticated with the tuple (dn, password). Since we only know
the user's username, it is first necessary to look up the user's
domain (dn).

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
2023-02-08 14:11:12 +01:00
Lukas Wagner
0e2f88ccf3 ldap: create new proxmox-ldap crate
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
2023-02-08 14:11:08 +01:00