[pve-devel] Feature request: LDAP non-anonymous bind

Sten Aus sten.aus at eenet.ee
Thu Oct 8 10:15:12 CEST 2015


Any news on adding those few lines to master regarding LDAP 
non-anonymous bind?

On 07.09.15 16:25, Sten Aus wrote:
>
> Hi
>
> I would like to propose a feature: LDAP non-anonymous bind.
> As it has been discussed already in forums I will link it here as well:
> http://forum.proxmox.com/threads/14649-LDAP-authentication-with-non-anonymous-bind
>
> As a proposed patch is working, I would suggest adding it to Proxmox.
> An (almost) copy-paste from this patch is here. One comma (,) is 
> missing at the end of the bind_pw {} section.
>
> |diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm index 
> dc1c229..50df467 100755 --- a/PVE/Auth/LDAP.pm +++ b/PVE/Auth/LDAP.pm 
> @@ -18,6 +18,19 @@ sub properties { optional => 1, maxLength => 256, 
> }, + bind_dn => { + description => "LDAP bind DN", + type => 'string', 
> + pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*', + optional => 1, + maxLength 
> => 256, + }, + bind_pw => { + description => "LDAP bind password", + 
> type => 'string', + optional => 1, + maxLength => 256, + }, user_attr 
> => { description => "LDAP user attribute name", type => 'string', @@ 
> -33,6 +46,8 @@ sub options { server1 => {}, server2 => { optional => 1 
> }, base_dn => {}, + bind_dn => { optional => 1 }, + bind_pw => { 
> optional => 1 }, user_attr => {}, port => { optional => 1 }, secure => 
> { optional => 1 }, @@ -50,6 +65,12 @@ my $authenticate_user_ldap = sub 
> { my $conn_string = "$scheme://${server}:$port"; my $ldap = 
> Net::LDAP->new($conn_string, verify => 'none') || die "$@\n"; + if 
> ($config->{bind_dn} ) { + my $res = $ldap->bind( $config->{bind_dn}, 
> password => $config->{bind_pw} ); + my $code = $res->code(); + my $err 
> = $res->error; + die "Error during initial bind: $err\n" if ($code); + 
> } my $search = $config->{user_attr} . "=" . $username; my $result = 
> $ldap->search( base => "$config->{base_dn}", scope => "sub", |
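Review bot: In the first hunk, the `bind_dn` pattern `'\w+=[^,]+(,\s*\w+=[^,]+)*'` rejects syntactically valid DNs whose values contain an escaped comma (for example `cn=Doe\, John,ou=users,dc=example,dc=com`); since the DN is only handed to the server, which validates it itself, consider loosening the pattern or dropping it. In the same hunk, `bind_pw` is declared as an ordinary `string` property, so it will be stored in clear text in `/etc/pve/domains.cfg`; the description should say so, and the value should not be echoed back wherever the realm configuration is displayed.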
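Review bot: In the third hunk, the `if ($config->{bind_dn})` block calls `$ldap->bind` even when `bind_pw` is unset or empty, which turns the intended authenticated bind into an LDAP unauthenticated bind (a DN with an empty password) that a server may either reject or treat as anonymous (RFC 4513, section 5.1.2); a forgotten password would then silently fall back to the anonymous behaviour this patch is meant to replace. Suggest requiring both values before binding, e.g. `die "bind_dn is set but bind_pw is missing\n" unless defined $config->{bind_pw} && length $config->{bind_pw};` as the first statement inside the `if`.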
>
> Now, all you’ve got to do is edit the /etc/pve/domains.cfg file and add 
> the bind_dn and bind_pw parameters there.
>
> Also, when I edit from the GUI, those values get lost from this file, so I 
> would suggest that you configure LDAP from the GUI and then add those 
> two rows there from the CLI.
>
> As some daemon caches LDAP.pm, I needed to restart my host to get LDAP 
> bind working. I have tried to restart three services:
>
> service pve-cluster restart && service pve-manager restart && service 
> pveproxy restart
>
> Can anyone tell me what service caches it? Can I restart it without 
> affecting my KVMs?
>
> Maybe a feature in Proxmox 4.0? Or when stable is too far away, then 
> in 3.4. :)
>
> All the best
> Sten Aus
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
