On 5/8/20 1:16 PM, Dominik Csapak wrote: > It seems that servers associate the client-cert/key with an account, so > doing an explicit anonymous bind then 'logs out' the already verified > user, limiting the search results in some cases > > before refactoring to PVE::LDAP, we did not do '$ldap->bind' at all when > there was no bind_dn, but it is not really clear if Net::LDAP does this > automatically when searching (other libraries do this), so leave the > anonymous bind (for compatibility with PMG) but skip it when a client > certificate and key is given. > > Signed-off-by: Dominik Csapak <d.csa...@proxmox.com> > --- > PVE/Auth/LDAP.pm | 14 +++++++------- > 1 file changed, 7 insertions(+), 7 deletions(-) > > diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm > index 9fa9095..09b2202 100755 > --- a/PVE/Auth/LDAP.pm > +++ b/PVE/Auth/LDAP.pm > @@ -203,17 +203,17 @@ sub connect_and_bind { > > my $ldap = PVE::LDAP::ldap_connect($servers, $scheme, $port, > \%ldap_args); > > - my $bind_dn; > - my $bind_pass; > - > if ($config->{bind_dn}) { > - $bind_dn = $config->{bind_dn}; > - $bind_pass = ldap_get_credentials($realm); > + my $bind_dn = $config->{bind_dn}; > + my $bind_pass = ldap_get_credentials($realm); > die "missing password for realm $realm\n" if !defined($bind_pass); > + PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass); > + } elsif ($config->{cert} && $config->{certkey}) { > + warn "skipping anonymous bind with clientcert\n"; > + } else { > + PVE::LDAP::ldap_bind($ldap); > } > > - PVE::LDAP::ldap_bind($ldap, $bind_dn, $bind_pass); > - > if (!$config->{base_dn}) { > my $root = $ldap->root_dse(attrs => [ 'defaultNamingContext' ]); > $config->{base_dn} = $root->get_value('defaultNamingContext'); >
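Review bot: the `warn "skipping anonymous bind with clientcert\n"` in the new `elsif` branch fires on every `connect_and_bind` for a realm configured with `cert` and `certkey`, which is the normal configuration this patch is adding support for rather than an error condition, so it will appear in the logs on each authentication; consider dropping it or downgrading it to a debug-level message so operators do not mistake a routine certificate-authenticated connect for a misconfiguration. The rest of the restructuring looks right: the `bind_dn` path still dies on a missing password before calling `PVE::LDAP::ldap_bind`, and an explicit `bind_dn` takes precedence over the client certificate, which matches the intent stated in the commit message. A one-line comment above the `elsif` explaining why the anonymous bind is skipped (an explicit anonymous bind discards the identity the server associated with the client certificate) would help, since that reasoning currently lives only in the commit message.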
applied, thanks!

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel