This series implements basic LDAP/AD user/group sync via API/CLI.

A new API call for realms called 'sync' is implemented which calls the plugin's
'get_{users,groups}' sub, which in turn uses the realm's config to get the
relevant users/groups; these are then written into the user config.

There are some things which I am not so sure about:

* putting the get_users/groups into the Auth plugins
  I did not find a better place where we can still use the config (besides a
  new config, which I wanted to avoid, because this can become
  inconsistent/complicated fast). We could put it into its own package of
  course, but this way the config options and the actual code are closer
  together.

* the amount of options
  I do not like having this many new options, but AFAICT LDAP/AD deployments
  vary wildly in used attributes, DNs, etc., so giving the user various knobs
  is probably the only way.

Things not yet implemented, but can be done later on:

* auto-sync
  We probably want to be able to 'auto-sync' the users/groups, so probably
  some kind of systemd timer which calls pveum? We have to somehow make this
  configurable and of course only call it from one node (however this can be
  done).

* preview mode
  We could implement a 'preview' API call (or option) so that it only returns
  what would be done, so that we can show the user a preview. This should not
  be that hard to implement.

* GUI
  A 'sync' GUI where the user can put in the sync-relevant config options and
  a button which actually syncs the users. Should not be that hard.

Notes:

* I included the two remaining patches from my refactoring series; they did
  not change.
* The pmg-api patches are only there because I moved the ldap-simple-attr to
  the JSONSchema to be able to reuse it in pve-access-control, so a new
  pve-common breaks the old pmg-api, and the new pmg-api and
  pve-access-control depend on the new pve-common.
* Patches 2, 3, 4 for pve-access-control can be applied separately; I think
  they make sense anyway.

pve-common:

Dominik Csapak (3):
  ldap: optionally save group name by attribute
  ldap: add optional classes to query_users
  add ldap-simple-attr from pmg

 src/PVE/JSONSchema.pm | 13 +++++++++++++
 src/PVE/LDAP.pm       | 19 ++++++++++++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)

pve-access-control:

Dominik Csapak (9):
  use PVE::LDAP module instead of using Net::LDAP directly
  add realm commands to pveum
  API2/Domains.pm: fix whitespace errors
  API2/Domains.pm: document 'type' return value
  Auth/LDAP: refactor out 'connect_and_bind'
  Auth/LDAP: add necessary options for syncing
  Auth/LDAP: add get_{users,groups} subs for syncing
  Auth/AD: make PVE::Auth::AD a subclass of PVE::Auth::LDAP
  Domains: add sync API call

 PVE/API2/Domains.pm | 175 ++++++++++++++++++++++++-----
 PVE/Auth/AD.pm      |  66 ++++++-----
 PVE/Auth/LDAP.pm    | 261 +++++++++++++++++++++++++++++++++++++-------
 PVE/CLI/pveum.pm    |  10 ++
 4 files changed, 413 insertions(+), 99 deletions(-)

pmg-api:

Dominik Csapak (2):
  use new PVE::LDAP instead of Net::LDAP directly
  remove ldap-simple-attr

 src/PMG/LDAPCache.pm  | 299 +++++++++++++----------------------------
 src/PMG/LDAPConfig.pm |  13 --
 2 files changed, 93 insertions(+), 219 deletions(-)

-- 
2.20.1

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
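The sync and preview design sketched in the cover letter, as an added illustration that is not code from pve-access-control, the patches, or the author: a planner that computes the add/update/remove set for one realm from what a plugin's get_users/get_groups would return, a preview (dry-run) path that returns only that plan, and removals that are opt-in. It is written in Python rather than the project's Perl purely for illustration. The function names (plan_sync, apply_plan, sync), the "-<realm>" group-name convention, and the sample directory and user-config data are all assumptions made for this example; PVE's real user.cfg format and its API are not modelled.

```python
"""Realm sync planner with preview mode (added example, not PVE code).

Names, the "-<realm>" suffix for synced groups, and all sample data below
are assumptions made for this illustration.
"""
from copy import deepcopy
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteUser:
    """One directory entry as a plugin's get_users() might return it (assumed shape)."""
    uid: str
    email: str = ""
    comment: str = ""


def _group_name(name, realm):
    # Assumption: synced groups carry a "-<realm>" suffix so the sync can tell
    # its own groups from locally managed ones and never clobbers the latter.
    return f"{name}-{realm}"


def plan_sync(remote_users, remote_groups, local_users, local_groups,
              realm, remove_vanished=False):
    """Compute what a sync would change, without changing anything.

    local_users is {"name@realm": {"email": .., "comment": ..}}, local_groups is
    {group: ["name@realm", ...]}. Only entries of `realm` are ever touched:
    users of other realms (e.g. root@pam) and groups without the realm suffix
    are out of scope by construction, so a mis-configured realm cannot delete
    the superuser or a locally managed group.
    """
    suffix = "@" + realm
    plan = {k: [] for k in ("add_user", "update_user", "remove_user",
                            "add_group", "update_group", "remove_group")}

    wanted_users = {u.uid + suffix: {"email": u.email, "comment": u.comment}
                    for u in remote_users}
    for userid in sorted(wanted_users):
        attrs = wanted_users[userid]
        if userid not in local_users:
            plan["add_user"].append((userid, attrs))
        elif local_users[userid] != attrs:
            plan["update_user"].append((userid, attrs))
    if remove_vanished:  # destructive, so opt-in
        for userid in sorted(local_users):
            if userid.endswith(suffix) and userid not in wanted_users:
                plan["remove_user"].append(userid)

    wanted_groups = {}
    for name, members in remote_groups.items():
        # Keep only members that are synced users of this realm; a uid we did
        # not import must not turn into a dangling membership.
        ids = sorted(m + suffix for m in members if m + suffix in wanted_users)
        wanted_groups[_group_name(name, realm)] = ids
    for gname in sorted(wanted_groups):
        members = wanted_groups[gname]
        if gname not in local_groups:
            plan["add_group"].append((gname, members))
        elif sorted(local_groups[gname]) != members:
            plan["update_group"].append((gname, members))
    if remove_vanished:
        for gname in sorted(local_groups):
            if gname.endswith("-" + realm) and gname not in wanted_groups:
                plan["remove_group"].append(gname)
    return plan


def apply_plan(plan, local_users, local_groups):
    """Return the new (users, groups) state; the inputs are left unmodified."""
    users, groups = deepcopy(local_users), deepcopy(local_groups)
    for userid, attrs in plan["add_user"] + plan["update_user"]:
        users[userid] = dict(attrs)
    for userid in plan["remove_user"]:
        users.pop(userid, None)
        for members in groups.values():  # drop memberships of removed users
            if userid in members:
                members.remove(userid)
    for gname, members in plan["add_group"] + plan["update_group"]:
        groups[gname] = list(members)
    for gname in plan["remove_group"]:
        groups.pop(gname, None)
    return users, groups


# Constructed sample data (not from any real deployment).
REMOTE_USERS = [RemoteUser("alice", "alice@example.com", "Alice"),
                RemoteUser("bob", "bob@example.com", "Bob")]
REMOTE_GROUPS = {"admins": ["alice"], "ops": ["alice", "bob", "notsynced"]}
LOCAL_USERS = {
    "root@pam": {"email": "", "comment": "Superuser"},               # other realm
    "bob@ldap": {"email": "old@example.com", "comment": "Bob"},      # stale email
    "carol@ldap": {"email": "carol@example.com", "comment": "Carol"},  # vanished
}
LOCAL_GROUPS = {"ops-ldap": ["bob@ldap", "carol@ldap"], "sysadmins": ["root@pam"]}


def sync(preview=True, remove_vanished=False):
    """Preview mode returns (plan, None); otherwise (plan, new state)."""
    plan = plan_sync(REMOTE_USERS, REMOTE_GROUPS, LOCAL_USERS, LOCAL_GROUPS,
                     "ldap", remove_vanished)
    if preview:
        return plan, None
    return plan, apply_plan(plan, LOCAL_USERS, LOCAL_GROUPS)


if __name__ == "__main__":
    plan, _state = sync(preview=False, remove_vanished=True)
    for action, items in plan.items():
        for item in items:
            print(action, item)
```

The point of splitting plan and apply is that the preview call and the real sync run exactly the same planning code, so what the user is shown is what will happen; the realm-suffix scoping is what keeps a sync of one realm from ever touching root@pam or a locally managed group, and removals stay off unless explicitly requested.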