Hi

I would like to propose a feature: LDAP non-anonymous bind.
As it has been discussed already in forums I will link it here as well:
http://forum.proxmox.com/threads/14649-LDAP-authentication-with-non-anonymous-bind

As the proposed patch is working, I would suggest adding it to Proxmox.
An (almost) copy-paste of this patch is here. One comma (,) is missing at the end of the bind_pw {} section.

|diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm index dc1c229..50df467 100755 --- a/PVE/Auth/LDAP.pm +++ b/PVE/Auth/LDAP.pm @@ -18,6 +18,19 @@ sub properties { optional => 1, maxLength => 256, }, + bind_dn => { + description => "LDAP bind DN", + type => 'string', + pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*', + optional => 1, + maxLength => 256, + }, + bind_pw => { + description => "LDAP bind password", + type => 'string', + optional => 1, + maxLength => 256, + }, user_attr => { description => "LDAP user attribute name", type => 'string', @@ -33,6 +46,8 @@ sub options { server1 => {}, server2 => { optional => 1 }, base_dn => {}, + bind_dn => { optional => 1 }, + bind_pw => { optional => 1 }, user_attr => {}, port => { optional => 1 }, secure => { optional => 1 }, @@ -50,6 +65,12 @@ my $authenticate_user_ldap = sub { my $conn_string = "$scheme://${server}:$port"; my $ldap = Net::LDAP->new($conn_string, verify => 'none') || die "$@\n"; + if ($config->{bind_dn} ) { + my $res = $ldap->bind( $config->{bind_dn}, password => $config->{bind_pw} ); + my $code = $res->code(); + my $err = $res->error; + die "Error during initial bind: $err\n" if ($code); + } my $search = $config->{user_attr} . "=" . $username; my $result = $ldap->search( base => "$config->{base_dn}", scope => "sub", |
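Review bot: the `bind_pw` property added in the `sub properties` hunk holds a credential that is written in cleartext to /etc/pve/domains.cfg (the same file the post says to edit by hand), but its description, "LDAP bind password", does not say so. Extend the description to state that the password is stored in cleartext in the realm configuration and that the bind account should therefore be a read-only service account that can do nothing beyond searching the user subtree; that is the only mitigation available once the value sits in the config file.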
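Review bot: in the `sub options` hunk `bind_dn => { optional => 1 }` and `bind_pw => { optional => 1 }` are independent, so a realm with a `bind_dn` but no `bind_pw` passes validation. The authenticate code then calls `$ldap->bind( $config->{bind_dn}, password => $config->{bind_pw} )` with an undefined password, which Net::LDAP sends as an empty simple bind; a server that permits unauthenticated binds (RFC 4513, section 5.1.2) answers that with success as an anonymous session, so `die "Error during initial bind: $err\n" if ($code);` never fires and the admin believes the service bind is working. Require `bind_pw` whenever `bind_dn` is set, and treat an empty `bind_pw` as a configuration error rather than passing it through.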
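Review bot: after the service bind added in the `$authenticate_user_ldap` hunk succeeds, the search on the unchanged line right below it, `my $search = $config->{user_attr} . "=" . $username;`, now runs with the bind account's privileges instead of anonymously, while `$username` is still concatenated into the filter verbatim. Wrap it with `Net::LDAP::Util::escape_filter_value` so that characters such as `*`, `(` and `)` in the supplied name cannot change the shape of the filter, and reject a search that returns more than one entry before binding as the result.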

Now, all you have to do is edit the /etc/pve/domains.cfg file and add the bind_dn and bind_pw parameters there.

Also, when I edit from the GUI, those values get lost from this file, so I would suggest that you configure LDAP from the GUI and then add those two rows there from the CLI.

As some daemon caches LDAP.pm, I needed to restart my host to get the LDAP bind working. I have tried to restart three services:

service pve-cluster restart && service pve-manager restart && service pveproxy restart

Can anyone tell me what service caches it? Can I restart it without affecting my KVMs?

Maybe a feature in Proxmox 4.0? Or, if stable is too far away, then in 3.4. :)

All the best
Sten Aus
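A hardened version of the bind-then-search flow sketched in the patch above, as an added example that is not part of this post or of the Proxmox code base: it refuses an empty service or user password so that an unauthenticated bind can never pass as a login, escapes the username before building the filter, and binds as the single DN the search returns. The configuration keys mirror those the patch adds; the subroutine name `ldap_authenticate`, the `$config` values and the credentials are constructed placeholders, and a reachable LDAP server is needed to run it.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Same keys the patch adds to /etc/pve/domains.cfg.
# Values are constructed placeholders; adjust them to your realm.
my $config = {
    server1   => 'ldap.example.com',
    port      => 389,
    secure    => 0,
    base_dn   => 'dc=example,dc=com',
    user_attr => 'uid',
    bind_dn   => 'cn=pve-readonly,ou=services,dc=example,dc=com',
    bind_pw   => 'placeholder-service-password',
};

# Returns 1 when the user authenticates; dies with a reason otherwise.
sub ldap_authenticate {
    my ($config, $username, $password) = @_;

    # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
    # bind, which many servers answer with success. Never let that count
    # as a login, neither for the service account nor for the user.
    die "empty user password refused\n"
        unless defined $password && length $password;
    if (defined $config->{bind_dn}) {
        die "bind_dn is set but bind_pw is empty\n"
            unless defined $config->{bind_pw} && length $config->{bind_pw};
    }

    my $scheme = $config->{secure} ? 'ldaps' : 'ldap';
    my $port   = $config->{port} // ($config->{secure} ? 636 : 389);
    my $ldap   = Net::LDAP->new("$scheme://$config->{server1}:$port")
        or die "connect failed: $@\n";

    # Service bind, or anonymous when no bind_dn is configured.
    my $res = defined $config->{bind_dn}
        ? $ldap->bind($config->{bind_dn}, password => $config->{bind_pw})
        : $ldap->bind();
    die "service bind failed: " . $res->error . "\n" if $res->code;

    # Escape the user-supplied name so it cannot change the filter shape.
    my $filter = sprintf '(%s=%s)', $config->{user_attr},
        escape_filter_value($username);
    my $search = $ldap->search(
        base   => $config->{base_dn},
        scope  => 'sub',
        filter => $filter,
        attrs  => ['1.1'],    # only the DN is needed
    );
    die "search failed: " . $search->error . "\n" if $search->code;
    die "user not found\n" if $search->count == 0;
    die "ambiguous user (" . $search->count . " entries)\n"
        if $search->count > 1;

    # Re-bind as the user to verify the password.
    my $user_dn = $search->entry(0)->dn;
    $res = $ldap->bind($user_dn, password => $password);
    $ldap->unbind;
    die "user bind failed: " . $res->error . "\n" if $res->code;
    return 1;
}

# Example call with constructed credentials:
# ldap_authenticate($config, 'alice', 'alice-password') and print "ok\n";
```

The early checks on empty passwords are the part that matters most: without them, a server configured to allow unauthenticated binds reports success for any DN with a blank password, and neither the service bind nor the user bind would detect it.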



_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
