implement better ldap tls handling, fix naming for groupnames and usernames in path params

2026-05-31 02:43:28 +00:00
parent d3462723df
commit b6fd060daf
3 changed files with 86 additions and 62 deletions
@@ -19,8 +19,10 @@ type PVEConfig struct {

 type LDAPConfig struct {
 	BaseDN   string `json:""`
-	LdapURL  string
+	Hostname string
 	StartTLS bool
+	TLS      bool
+	Verify   bool
 }

 type Config struct {
@@ -19,30 +19,50 @@ type LDAPClient struct {

 // returns a new LDAPClient from the config
 func NewClientFromCredentials(config common.LDAPConfig, username common.Username, password string) (*LDAPClient, int, error) {
-	LDAPConn, err := ldap.DialURL(config.LdapURL)
+	ldapclient := LDAPClient{}
+
+	if config.TLS {
+		tlsConfig := &tls.Config{
+			InsecureSkipVerify: !config.Verify,
+		}
+		url := fmt.Sprintf("ldaps://%s", config.Hostname)
+		LDAPConn, err := ldap.DialURL(url, ldap.DialWithTLSConfig(tlsConfig))
 		if err != nil {
 			return nil, http.StatusInternalServerError, err
 		}
-
-	if config.StartTLS {
-		err = LDAPConn.StartTLS(&tls.Config{})
+		ldapclient.config = &config
+		ldapclient.client = LDAPConn
+	} else if config.StartTLS {
+		tlsConfig := &tls.Config{
+			InsecureSkipVerify: !config.Verify,
+		}
+		url := fmt.Sprintf("ldap://%s", config.Hostname)
+		LDAPConn, err := ldap.DialURL(url)
 		if err != nil {
 			return nil, http.StatusInternalServerError, err
 		}
+		err = LDAPConn.StartTLS(tlsConfig)
+		if err != nil {
+			return nil, http.StatusInternalServerError, err
+		}
+		ldapclient.config = &config
+		ldapclient.client = LDAPConn
+	} else {
+		url := fmt.Sprintf("ldap://%s", config.Hostname)
+		LDAPConn, err := ldap.DialURL(url)
+		if err != nil {
+			return nil, http.StatusInternalServerError, err
+		}
+		ldapclient.config = &config
+		ldapclient.client = LDAPConn
 	}

-	ldap := LDAPClient{
-		config: &config,
-		client: LDAPConn,
-	}
-
-	userdn := fmt.Sprintf("uid=%s,ou=people,%s", username.UserID, ldap.config.BaseDN)
-	err = ldap.client.Bind(userdn, password)
-
+	userdn := fmt.Sprintf("uid=%s,ou=people,%s", username.UserID, ldapclient.config.BaseDN)
+	err := ldapclient.client.Bind(userdn, password)
 	if err != nil {
 		return nil, http.StatusUnauthorized, err
 	} else {
-		return &ldap, http.StatusOK, nil
+		return &ldapclient, http.StatusOK, nil
 	}
 }

@@ -199,14 +199,14 @@ func Run(configPath *string, localDBPath *string) {
 		}
 	})

-	router.GET("/groups/:groupid", func(c *gin.Context) {
-		groupid, ok := c.Params.Get("groupid")
+	router.GET("/groups/:groupname", func(c *gin.Context) {
+		groupname_str, ok := c.Params.Get("groupname")
 		if !ok {
 			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter poolid")})
 			return
 		}

-		groupname, err := common.ParseGroupname(groupid)
+		groupname, err := common.ParseGroupname(groupname_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		}
@@ -225,14 +225,14 @@ func Run(configPath *string, localDBPath *string) {
 		}
 	})

-	router.POST("/groups/:groupid", func(c *gin.Context) {
-		groupid, ok := c.Params.Get("groupid")
+	router.POST("/groups/:groupname", func(c *gin.Context) {
+		groupname_str, ok := c.Params.Get("groupname")
 		if !ok {
-			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
+			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupname")})
 			return
 		}

-		groupname, err := paas.ParseGroupname(groupid)
+		groupname, err := paas.ParseGroupname(groupname_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err})
 			return
@@ -252,14 +252,14 @@ func Run(configPath *string, localDBPath *string) {
 		}
 	})

-	router.DELETE("/groups/:groupid", func(c *gin.Context) {
-		groupid, ok := c.Params.Get("groupid")
+	router.DELETE("/groups/:groupname", func(c *gin.Context) {
+		groupname_str, ok := c.Params.Get("groupname")
 		if !ok {
-			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
+			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupname")})
 			return
 		}

-		groupname, err := paas.ParseGroupname(groupid)
+		groupname, err := paas.ParseGroupname(groupname_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err})
 			return
@@ -279,20 +279,20 @@ func Run(configPath *string, localDBPath *string) {
 		}
 	})

-	router.POST("/pools/:poolid/groups/:groupid", func(c *gin.Context) {
+	router.POST("/pools/:poolid/groups/:groupname", func(c *gin.Context) {
 		poolid, ok := c.Params.Get("poolid")
 		if !ok {
 			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter poolid")})
 			return
 		}

-		groupid, ok := c.Params.Get("groupid")
+		groupname_str, ok := c.Params.Get("groupname")
 		if !ok {
-			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
+			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupname")})
 			return
 		}

-		groupname, err := paas.ParseGroupname(groupid)
+		groupname, err := paas.ParseGroupname(groupname_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err})
 			return
@@ -312,20 +312,20 @@ func Run(configPath *string, localDBPath *string) {
 		}
 	})

-	router.DELETE("/pools/:poolid/groups/:groupid", func(c *gin.Context) {
+	router.DELETE("/pools/:poolid/groups/:groupname", func(c *gin.Context) {
 		poolid, ok := c.Params.Get("poolid")
 		if !ok {
 			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter poolid")})
 			return
 		}

-		groupid, ok := c.Params.Get("groupid")
+		groupname_str, ok := c.Params.Get("groupname")
 		if !ok {
-			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
+			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupname")})
 			return
 		}

-		groupname, err := paas.ParseGroupname(groupid)
+		groupname, err := paas.ParseGroupname(groupname_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err})
 			return
@@ -345,14 +345,14 @@ func Run(configPath *string, localDBPath *string) {
 		}
 	})

-	router.GET("/users/:userid", func(c *gin.Context) {
-		userid, ok := c.Params.Get("userid")
+	router.GET("/users/:username", func(c *gin.Context) {
+		username_str, ok := c.Params.Get("username")
 		if !ok {
 			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter poolid")})
 			return
 		}

-		username, err := common.ParseUsername(userid)
+		username, err := common.ParseUsername(username_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		}
@@ -371,14 +371,14 @@ func Run(configPath *string, localDBPath *string) {
 		}
 	})

-	router.POST("/users/:userid", func(c *gin.Context) {
-		userid, ok := c.Params.Get("userid")
+	router.POST("/users/:username", func(c *gin.Context) {
+		username_str, ok := c.Params.Get("username")
 		if !ok {
-			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
+			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupname")})
 			return
 		}

-		username, err := paas.ParseUsername(userid)
+		username, err := paas.ParseUsername(username_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err})
 			return
@@ -411,14 +411,14 @@ func Run(configPath *string, localDBPath *string) {
 		}
 	})

-	router.DELETE("/users/:userid", func(c *gin.Context) {
-		userid, ok := c.Params.Get("userid")
+	router.DELETE("/users/:username", func(c *gin.Context) {
+		username_str, ok := c.Params.Get("username")
 		if !ok {
-			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
+			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupname")})
 			return
 		}

-		username, err := paas.ParseUsername(userid)
+		username, err := paas.ParseUsername(username_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err})
 			return
@@ -438,26 +438,26 @@ func Run(configPath *string, localDBPath *string) {
 		}
 	})

-	router.POST("/groups/:groupid/users/:userid", func(c *gin.Context) {
-		groupid, ok := c.Params.Get("groupid")
+	router.POST("/groups/:groupname/users/:username", func(c *gin.Context) {
+		groupname_str, ok := c.Params.Get("groupname")
 		if !ok {
-			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
+			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupname")})
 			return
 		}

-		userid, ok := c.Params.Get("userid")
+		username_str, ok := c.Params.Get("username")
 		if !ok {
-			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter userid")})
+			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter username")})
 			return
 		}

-		groupname, err := paas.ParseGroupname(groupid)
+		groupname, err := paas.ParseGroupname(groupname_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err})
 			return
 		}

-		username, err := paas.ParseUsername(userid)
+		username, err := paas.ParseUsername(username_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err})
 			return
@@ -477,26 +477,26 @@ func Run(configPath *string, localDBPath *string) {
 		}
 	})

-	router.DELETE("/groups/:groupid/users/:userid", func(c *gin.Context) {
-		groupid, ok := c.Params.Get("groupid")
+	router.DELETE("/groups/:groupname/users/:username", func(c *gin.Context) {
+		groupname_str, ok := c.Params.Get("groupname")
 		if !ok {
-			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
+			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupname")})
 			return
 		}

-		userid, ok := c.Params.Get("userid")
+		username_str, ok := c.Params.Get("username")
 		if !ok {
-			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter userid")})
+			c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter username")})
 			return
 		}

-		groupname, err := paas.ParseGroupname(groupid)
+		groupname, err := paas.ParseGroupname(groupname_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err})
 			return
 		}

-		username, err := paas.ParseUsername(userid)
+		username, err := paas.ParseUsername(username_str)
 		if err != nil {
 			c.JSON(http.StatusBadRequest, gin.H{"error": err})
 			return
@@ -585,8 +585,10 @@ func GetRealmsFromPVE(config *common.Config) map[string]Realm {
 		if realm.Type == "ldap" {
 			ldapconfig := common.LDAPConfig{
 				BaseDN:   realm.BaseDN,
-				LdapURL:  fmt.Sprintf("ldap://%s", realm.Server1),
-				StartTLS: false, // todo fix startlts
+				Hostname: realm.Server1,
+				TLS:      realm.Mode == "ldaps",
+				StartTLS: realm.Mode == "ldap+starttls",
+				Verify:   bool(realm.Verify),
 			}
 			realms[realm.Realm] = Realm{
 				Type:   realm.Type,