Using LDAP with RBAC groups (nested AD groups)

deebsr
Nov 17, 2025
Has anyone got this working? From the numerous searches on this forum it seems there is a way to do this using the "memberOf:1.2.840.113556.1.4.1941" LDAP search filter syntax.
However, we are able to get the users but not the top-level groups in order to apply PVE permissions to those groups.
What we would like to see is the following:
PVE Permissions > PVE Role > TOPLEVEL AD GROUPs > Nested AD role groups > AD Users

When we use the "memberOf:1.2.840.113556.1.4.1941" LDAP user filter we are able to pull in all the users that belong to the top-level groups via the nested AD groups, but we cannot apply PVE role permissions to those top-level groups directly.
Under Permissions > Groups we see the top groups but the user membership is empty. However, under Permissions > Users we do see all the users that are members of the nested groups inside those top-level groups. If we attempt to apply permissions to those groups it does not seem to pick up any user memberships.

We are looking to set up a similar method of RBAC to what we had with our vCenter.


Thanks for your help
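The behaviour described in the post, modelled as an added example (not code from the post or from Proxmox): the chain matching rule in the user filter walks the `member` attribute transitively and so finds users in nested groups, while a lookup that only considers each group's direct `member` values sees nothing but the nested group DN. The DNs are constructed, and the assumption that group membership is filled from direct `member` values only is what the empty group membership in the post suggests.

```python
from collections import deque

# Constructed sample directory: DN -> attributes. Groups carry only the
# direct 'member' attribute, which is how Active Directory stores membership.
DIRECTORY = {
    "CN=PVE-Admins,OU=Perm,DC=example,DC=com": {          # top-level group
        "objectClass": "group",
        "member": ["CN=Infra-Team,OU=Roles,DC=example,DC=com"],
    },
    "CN=Infra-Team,OU=Roles,DC=example,DC=com": {         # nested role group
        "objectClass": "group",
        "member": ["CN=alice,OU=Users,DC=example,DC=com",
                   "CN=bob,OU=Users,DC=example,DC=com"],
    },
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": "user"},
    "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": "user"},
    "CN=carol,OU=Users,DC=example,DC=com": {"objectClass": "user"},  # not a member
}

# LDAP_MATCHING_RULE_IN_CHAIN, the OID used in the post's user filter.
CHAIN_RULE = "memberOf:1.2.840.113556.1.4.1941:="

def user_filter(group_dn):
    """Build the user filter from the post for one top-level group."""
    return f"(&(objectClass=user)({CHAIN_RULE}{group_dn}))"

def direct_members(group_dn):
    """What a plain read of the group's 'member' attribute returns."""
    return list(DIRECTORY[group_dn].get("member", []))

def direct_user_members(group_dn):
    """Group membership if only direct member DNs that are users count."""
    return [m for m in direct_members(group_dn)
            if DIRECTORY.get(m, {}).get("objectClass") == "user"]

def chain_members(group_dn):
    """Users matched by the chain rule: follow 'member' through nested groups."""
    seen, users, queue = set(), [], deque([group_dn])
    while queue:
        dn = queue.popleft()
        for m in DIRECTORY.get(dn, {}).get("member", []):
            if m in seen:          # guards against membership cycles
                continue
            seen.add(m)
            if DIRECTORY.get(m, {}).get("objectClass") == "user":
                users.append(m)
            else:
                queue.append(m)    # nested group: keep descending
    return sorted(users)
```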
So it seems there has been a previous discussion on this: https://forum.proxmox.com/threads/ldap-sync-with-nested-groups.80749/
However, at the end it points to a bug submission: https://bugzilla.proxmox.com/show_bug.cgi?id=2738
Is there any plan to provide this in an update? This is such a major feature for providing proper RBAC access.

Unless I'm missing something and it's just a matter of setting something in a config file or using a different syntax for the LDAP filters?
What am I missing or not understanding here?!
Thanks for the help
Added a comment to that bugzilla post... hopefully someone from Proxmox can chime in on this issue. I'm still unsure if this is an actual bug or if it's something that I'm doing with the config of the filters... or even something else.
When I need to, I use an AD backend and filter by groups that I create specifically to manage PVE privileges. Never had the need to use nested groups, as the environments I've used this in were not big enough to justify nesting groups or not creating groups for PVE. I understand that nesting groups is useful, though.
When I need to, I use an AD backend and filter by groups that I create specifically to manage PVE privileges. Never had the need to use nested groups, as the environments I've used this in were not big enough to justify nesting groups or not creating groups for PVE. I understand that nesting groups is useful, though.
Unfortunately the definition of RBAC is that groups used for PVE will be using nested groups... Role groups (where users are added) are usually nested into Permissions groups that we use for vCenter (and hopefully PVE/PDM).