LDAP user authentication

Glenn Provoost

Apr 6, 2018
Hi

I've just spun up Proxmox Mail Gateway in a VirtualBox environment for the first time to explore its features.

I was surprised to see that although LDAP support is provided for authenticating users to the quarantine interface and even for advanced matching in filter rules, it is not supported to authenticate users to the configuration web interface.

This is a real shame, as the enterprise environment for which I'm evaluating Proxmox MG makes extensive use of central user account management in LDAP and considers LDAP support an essential feature for any new applications.

Are there any plans to extend the LDAP authentication to the config web interface?

Thank you
 
@dietmar
Can't you just implement the LDAP code part from PVE, which works totally fine?!

Being able to configure LDAP groups for different access levels would also be nice.

Thanks
 
Hi

LDAP auth could be implemented at the OS level (via PAM).
Actually, the admin user 'root' is a system user, so it's authenticated via PAM.
One simple way to have centralized auth is to let PMG add other system users via the web UI.
In this way every system user could be assigned a role and authenticated with, IMHO, a little code change.
 
Apart from LDAP support for the web interface, we would certainly be looking at making the required changes in PAM to support LDAP auth for console & SSH too. We have done this before for other virtual appliances like pfSense and FreePBX.

So the question is: would these changes also take effect in the web interface, i.e. would an LDAP user be able to log in to the web interface too? Or would additional code changes be required for this?

I'd like to second the desire for LDAP group support too, to provide role-based access, but this LDAP authorisation would be a nice-to-have feature, as opposed to LDAP authentication, which is a must for us.

Not sure Proxmox has a feature sponsoring culture, but perhaps we would even consider (co-)sponsoring the LDAP auth feature.
 
In the meantime, we have implemented LDAP authentication at the PAM level. This does not allow LDAP users to log in to the web interface. I also tried creating a local user in the web interface to see if I could trick the web interface into using the LDAP user credentials, but that doesn't work either; the local user takes precedence over the LDAP user.

@dietmar - Any feedback on the options of adding LDAP authentication to the web interface?
 
Hello,
I have an environment with Proxmox Mail Gateway integrated via LDAP with Zimbra. I need the user to access the quarantine without having to provide the full address, i.e. without the domain, only the login, without the @.

Thanks in advance for your attention.

Sincerely,

Hugo Almeida
 
