Instead of letting a sync fail on the first try due to e.g. bad bind credentials, give the user some direct feedback when trying to save a LDAP realm in the UI.
This is part of the result of a previous discussion [0], and the same approach is already implemented for PBS [1]. [0] https://lists.proxmox.com/pipermail/pve-devel/2023-May/056839.html [1] https://lists.proxmox.com/pipermail/pbs-devel/2023-June/006237.html Signed-off-by: Christoph Heiss <c.he...@proxmox.com> --- One thing to note might be that this "regresses" the UI in that you cannot create or change realm settings, if the target LDAP server cannot be reached. After a short off-list discussion with Sterzy, a 'force' API parameter (and accompanying checkbox in the UI) could be added to bypass this "restriction", although open to discussion how useful that even would be. src/PVE/Auth/LDAP.pm | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm index e0ead1b..b73be9d 100755 --- a/src/PVE/Auth/LDAP.pm +++ b/src/PVE/Auth/LDAP.pm @@ -181,7 +181,7 @@ sub get_scheme_and_port { } sub connect_and_bind { - my ($class, $config, $realm) = @_; + my ($class, $config, $realm, $param) = @_; my $servers = [$config->{server1}]; push @$servers, $config->{server2} if $config->{server2}; @@ -212,7 +212,7 @@ sub connect_and_bind { if ($config->{bind_dn}) { my $bind_dn = $config->{bind_dn}; - my $bind_pass = ldap_get_credentials($realm); + my $bind_pass = defined($param->{password}) ? $param->{password} : ldap_get_credentials($realm); die "missing password for realm $realm\n" if !defined($bind_pass); PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass); } elsif ($config->{cert} && $config->{certkey}) { @@ -427,20 +427,27 @@ sub on_add_hook { my ($class, $realm, $config, %param) = @_; if (defined($param{password})) { + $class->connect_and_bind($config, $realm, \%param); ldap_set_credentials($param{password}, $realm); } else { - ldap_delete_credentials($realm); + # Still validate the bind credentials, even if no user/password is given + $class->connect_and_bind($config, $realm); } } sub on_update_hook { my ($class, $realm, $config, %param) = @_; - return if !exists($param{password}); - - if (defined($param{password})) { + if (!exists($param{password})) { + # Password wasn't changed, login still needs to be validated in case bind_dn changed + $class->connect_and_bind($config, $realm); + } elsif (defined($param{password})) { + # Password was updated, validate the login and only then store it + $class->connect_and_bind($config, $realm, \%param); ldap_set_credentials($param{password}, $realm); } else { + # Otherwise, the password was removed, so delete it + $class->connect_and_bind($config, $realm, \%param); ldap_delete_credentials($realm); } } -- 2.41.0 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
