Re: [pve-devel] Feature request: LDAP non-anonymous bind

2015-10-09 Thread Andreas Steinel
Hi all,

Due to the lack of non-anonymous bind, I solved it by building a
replicating LDAP instance bound only to localhost on each Proxmox node. This
is a pain in the ass and very error prone - especially on schema changes,
which have to be propagated to all nodes.

On Thu, Oct 8, 2015 at 11:57 AM, Dietmar Maurer wrote:
> IMHO this is a security risk (adding plain text passwords to www-data readable
> files)


I'd also like to get this feature into Proxmox and I don't think that it's
a security risk. Having anonymous bind is more insecure than non-anonymous
binds iff (if-and-only-if) this non-anonymous bind is restricted on the
LDAP server side. I have a special query user for this which has only read
permission on some attributes in a subtree.

There could be a problem binding to an SSL secured server with self-signed
certificates. I don't think that there is (or should be) a GUI parameter to
accept such a certificate. It has to be configured as always directly in
/etc/ldap/ldap.conf, hasn't it?

Best,
Andreas
___
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


Re: [pve-devel] Feature request: LDAP non-anonymous bind

2015-10-08 Thread Sten Aus
Any news on adding those few lines to master regarding LDAP 
non-anonymous bind?


On 07.09.15 16:25, Sten Aus wrote:


Hi

I would like to propose a feature: LDAP non-anonymous bind.
As it has been discussed already in the forums I will link it here as well:
http://forum.proxmox.com/threads/14649-LDAP-authentication-with-non-anonymous-bind

As the proposed patch is working, I would suggest adding it to Proxmox.
An (almost) copy-paste from this patch is here. There is one comma (,)
missing at the end of the bind_pw {} section.


|diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm index 
dc1c229..50df467 100755 --- a/PVE/Auth/LDAP.pm +++ b/PVE/Auth/LDAP.pm 
@@ -18,6 +18,19 @@ sub properties { optional => 1, maxLength => 256, 
}, + bind_dn => { + description => "LDAP bind DN", + type => 'string', 
+ pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*', + optional => 1, + maxLength 
=> 256, + }, + bind_pw => { + description => "LDAP bind password", + 
type => 'string', + optional => 1, + maxLength => 256, + }, user_attr 
=> { description => "LDAP user attribute name", type => 'string', @@ 
-33,6 +46,8 @@ sub options { server1 => {}, server2 => { optional => 1 
}, base_dn => {}, + bind_dn => { optional => 1 }, + bind_pw => { 
optional => 1 }, user_attr => {}, port => { optional => 1 }, secure => 
{ optional => 1 }, @@ -50,6 +65,12 @@ my $authenticate_user_ldap = sub 
{ my $conn_string = "$scheme://${server}:$port"; my $ldap = 
Net::LDAP->new($conn_string, verify => 'none') || die "$@\n"; + if 
($config->{bind_dn} ) { + my $res = $ldap->bind( $config->{bind_dn}, 
password => $config->{bind_pw} ); + my $code = $res->code(); + my $err 
= $res->error; + die "Error during initial bind: $err\n" if ($code); + 
} my $search = $config->{user_attr} . "=" . $username; my $result = 
$ldap->search( base => "$config->{base_dn}", scope => "sub", |
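Review bot: the bind_dn pattern '\w+=[^,]+(,\s*\w+=[^,]+)*' in the first hunk (sub properties) does not account for escaped commas inside attribute values, which RFC 4514 permits (for example cn=Smith\, John), so such DNs cannot be configured; and the bind_pw property's description says nothing about the value being stored unencrypted in the realm configuration, which is the concern Dietmar raises later in this thread. Suggest either dropping the pattern and letting the LDAP server reject a malformed DN, or extending it to accept \, sequences, and changing the description to something like "LDAP bind password (stored in cleartext; use a dedicated read-only account)".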
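Review bot: in the second hunk (sub options) bind_dn and bind_pw are each independently optional, so a realm with bind_dn set but no bind_pw passes validation; the third hunk then issues a bind with a DN and an empty password, which RFC 4513 section 5.1.2 defines as an unauthenticated bind that servers may treat as anonymous, silently reverting to exactly the behaviour this feature is meant to replace. Suggest validating that bind_pw is present whenever bind_dn is given, and rejecting bind_pw without bind_dn so a stray password is not left in the config unused.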
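Review bot: the new bind in the third hunk (my $authenticate_user_ldap) reuses the connection opened two lines above with Net::LDAP->new($conn_string, verify => 'none'), so the service account's static password is sent to a peer whose certificate is never checked, and in cleartext over ldap:// when the secure option is unset; unlike the end user's password, this credential is reused on every login attempt. Suggest documenting that bind_dn should only be combined with secure => 1 and a verifiable server certificate, or making the initial bind refuse to proceed when the connection is not both TLS-protected and verified. The error path itself is fine: checking $res->code() and dying with $res->error stops the search from running against a failed bind.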


Now, all you've got to do is edit the /etc/pve/domains.cfg file and add the
bind_dn and bind_pw parameters there.


Also, when I edit from the GUI, those values get lost from this file, so I
would suggest that you configure LDAP from the GUI and then add those
two rows there from the CLI.


As some daemon caches LDAP.pm I needed to restart my host to get LDAP 
bind working. I have tried to restart three services:


service pve-cluster restart && service pve-manager restart && service pveproxy restart


Can anyone tell me what service caches it? Can I restart it without 
affecting my KVMs?


Maybe a feature in Proxmox 4.0? Or, if stable is too far away, then
in 3.4. :)


All the best
Sten Aus



Re: [pve-devel] Feature request: LDAP non-anonymous bind

2015-10-08 Thread Dietmar Maurer
> Any news on adding those few lines to master regarding LDAP 
> non-anonymous bind?

IMHO this is a security risk (adding plain text passwords to www-data readable
files)
