this series implements basic ldap/ad user/group sync via api/cli
a new api call for realms called 'sync' is implemented which
calls the plugins 'get_{user,group}' sub which in turn uses
the realms config to get the relevant users/groups
and this is then written into the user config
there are some things which i am not so sure about:
* putting the get_users/groups into the Auth plugins
i did not find a better place where we still can use the config
(besides a new config which i wanted to avoid, because this can
become inconsistent/complicated fast)
we could put it into its own package of course, but this way
the config options and actual code are closer together
* the amount of options
i do not like having this many new options, but afaict, ldap/ad
deployments vary wildly in used attributes, dns, etc. so
giving the user various knobs is probably the only way
things not yet implemented, but can be done later on
* auto-sync
we probably want to be able to 'auto-sync' the users/groups,
so probably some kind of systemd timer which calls pveum?
we have to somehow make this configureable and of course
only call it from one node (however this can be done)
* preview mode
we could implement a 'preview' api call (or option) so that
it only return what would be done, so that we can show the
user a preview. this should not be that hard to implement
* gui
a 'sync' gui where the user can put in the sync relevant config
options and a button which actually syncs the users should
not be that hard
notes:
* i included the two remaining patches from my refactoring series, they
did not change
* pmg-api patches are only there becasuse i moved the ldap-simple-attr
to the jsonschema to be able to reuse it in pve-access-control,
so a new pve-common breaks the old pmg-api and the new pmg-api
and pve-access-control depend on the new pve-common
* patches 2,3,4 for pve-access-control can be applied seperately,
i think they make sense anyway
pve-common:
Dominik Csapak (3):
ldap: optionally save group name by attribute
ldap: add optional classes to query_users
add ldap-simple-attr from pmg
src/PVE/JSONSchema.pm | 13 +++++++++++++
src/PVE/LDAP.pm | 19 ++++++++++++++++---
2 files changed, 29 insertions(+), 3 deletions(-)
pve-access-control:
Dominik Csapak (9):
use PVE::LDAP module instead of useing Net::LDAP directly
add realm commands to pveum
API2/Domains.pm: fix whitespace errors
API2/Domains.pm: document 'type' return value
Auth/LDAP: refactor out 'connect_and_bind'
Auth/LDAP: add necessary options for syncing
Auth/LDAP: add get_{users,groups} subs for syncing
Auth/AD: make PVE::Auth::AD a subclass of PVE::Auth::LDAP
Domains: add sync API call
PVE/API2/Domains.pm | 175 ++++++++++++++++++++++++-----
PVE/Auth/AD.pm | 66 ++++++-----
PVE/Auth/LDAP.pm | 261 +++++++++++++++++++++++++++++++++++++-------
PVE/CLI/pveum.pm | 10 ++
4 files changed, 413 insertions(+), 99 deletions(-)
pmg-api:
Dominik Csapak (2):
use new PVE::LDAP instead of Net::LDAP directly
remove ldap-simple-attr
src/PMG/LDAPCache.pm | 299 +++++++++++++-----------------------------
src/PMG/LDAPConfig.pm | 13 --
2 files changed, 93 insertions(+), 219 deletions(-)
--
2.20.1
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
