for syncing users/groups from ldap, we need some more options so that the users can adapt it to their LDAP setups, which are very different across systems.
sensible defaults are documented
Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
 PVE/Auth/LDAP.pm | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index 5eef12c..6047dfb 100755
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -57,6 +57,57 @@ sub properties {
 type => 'string',
 optional => 1,
 },
+ filter => {
+ description => "LDAP filter for user sync.",
+ type => 'string',
+ optional => 1,
+ maxLength => 256,
+ },
+ sync_attributes => {
+ description => "Comma seperated list of key=value pairs for ".
+ "selecting which ldap fields sync which user fields.".
+ " By default, the ldap attribute name is the field name.".
+ " If an attribute is not found, a sensible default is used.",
+ optional => 1,
+ type => 'string',
+ pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
+ },
+ user_classes => {
+ description => "The objectclasses for users.",
+ type => 'string',
+ default => 'inetorgperson, posixaccount, person, user',
+ format => 'ldap-simple-attr-list',
+ optional => 1,
+ },
+ group_dn => {
+ description => "LDAP base domain name for group sync. ".
+ "If not given, the base_dn will be used.",
+ type => 'string',
+ pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
+ optional => 1,
+ maxLength => 256,
+ },
+ group_attr => {
+ description => "LDAP group attribute for its name. If not given or ".
+ "found, the first value of the DN will be used as name.",
+ type => 'string',
+ format => 'ldap-simple-attr',
+ optional => 1,
+ maxLength => 256,
+ },
+ group_filter => {
+ description => "LDAP filter for group sync.",
+ type => 'string',
+ optional => 1,
+ maxLength => 256,
+ },
+ group_classes => {
+ description => "The objectclasses for groups.",
+ type => 'string',
+ default => 'groupOfNames, group, univentionGroup, ipausergroup',
+ format => 'ldap-simple-attr-list',
+ optional => 1,
+ },
 };
 }
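Review bot: `filter` and `group_filter` are accepted as free-form strings bounded only by `maxLength => 256`, while the neighbouring `group_attr`, `user_classes` and `group_classes` go through a `format`; a malformed or unbalanced filter would then surface only when a sync runs, and if the sync code combines it with the object-class terms (not visible here) it can change which directory entries are matched and imported. I would validate both at configuration time with a dedicated format that at least checks parenthesis balance, and state in each `description` how the value is combined with `user_classes`/`group_classes`. `sync_attributes` also has no `maxLength`, and its value part `[^,]+` accepts any character although it names an LDAP attribute; if attribute options are not needed, `pattern => '\w+=[\w-]+(,\s*\w+=[\w-]+)*'` together with `maxLength => 256` would be tighter. The same pattern on `group_dn` rejects DNs whose values contain an escaped comma, which is worth mentioning in its description. `sub properties` begins and ends outside this hunk.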
@@ -77,6 +128,13 @@ sub options {
 capath => { optional => 1 },
 cert => { optional => 1 },
 certkey => { optional => 1 },
+ filter => { optional => 1 },
+ sync_attributes => { optional => 1 },
+ user_classes => { optional => 1 },
+ group_dn => { optional => 1 },
+ group_attr => { optional => 1 },
+ group_filter => { optional => 1 },
+ group_classes => { optional => 1 },
 };
 }
-- 2.20.1
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel