Accessing user quarantine with LDAP auth

Marrot

New Member
Jun 6, 2018
3
0
1
23
Hi,

As indicated, I'm trying to allow users to access their quarantine using an LDAP authentication
(PMG 5.0.61)

User directory is correctly synchronized in PMG over LDAP, but when trying to log in , all I get in the log is:
authentication failure; rhost=xxxx user=test@dom.com@pmg msg=no such user ('test@dom.com@pmg')

It seems that there is an "@pmg" added to the correct address, I don't know why.

Also, may be there is a specific URL I don't use to access user quanrantine ?.

Can anyone give me some hints ?.

Thank you.
PM.
 
I didnt check my logs but ive got the following:

under Configuration --> Spam Detector --> Quarantine --> Authentication, i got "LDAP or Ticket"
under Configuration --> User Management --> LDAP --> LDAP Profile --> Users of <LDAP Profile> im seeing my users.

if that all is correct and the same user doesnt exist in the local users you should be able to login at https://<pmg>:8006/quarantine
NOTE: log out of the admin Interface first or use another browser.

since u see an aditional @pmg im guessing it trys to authenticate a local user. So try to set the Authentication to LDAP only.
 
I didnt check my logs but ive got the following:

under Configuration --> Spam Detector --> Quarantine --> Authentication, i got "LDAP or Ticket"
under Configuration --> User Management --> LDAP --> LDAP Profile --> Users of <LDAP Profile> im seeing my users.

if that all is correct and the same user doesnt exist in the local users you should be able to login at https://<pmg>:8006/quarantine
NOTE: log out of the admin Interface first or use another browser.

since u see an aditional @pmg im guessing it trys to authenticate a local user. So try to set the Authentication to LDAP only.
I have tried LDAP only and it still add an additional @pmg... it is strange...........I see it it the syslog....
 
Hi,

As indicated, I'm trying to allow users to access their quarantine using an LDAP authentication
(PMG 5.0.61)

User directory is correctly synchronized in PMG over LDAP, but when trying to log in , all I get in the log is:
authentication failure; rhost=xxxx user=test@dom.com@pmg msg=no such user ('test@dom.com@pmg')

It seems that there is an "@pmg" added to the correct address, I don't know why.

Also, may be there is a specific URL I don't use to access user quanrantine ?.

Can anyone give me some hints ?.

Thank you.
PM.
Hi. Sorry for bothering. I was wondering if you have ever resolved this issue. I am seeing the same issue with my AD windows 2016 and PMG 5.1-3
 
Hi. Sorry for bothering. I was wondering if you have ever resolved this issue. I am seeing the same issue with my AD windows 2016 and PMG 5.1-3

My Solution: Don´t use the username from LDAP users, but use any e-Mail Adress of the user to login.

My LDAP Username ist "kais" but it doesn´t work.

My eMail ist "kais@somehere.com" - and it works!

But you have to use the link as mentioned before:

https://<pmg>:8006/quarantine

Best regards,
Kai
 
I would like to quarantine without having to enter the full email address with the domain, but only with the user. How can I make this setting ??? Remembering that my Proxmox Mail gateway is already integrated via LDAP with my Zimbra mail server.

Thanks in advance for your attention.

Sincerely,

Hugo Almeida
 
As far as I understand, authentification to quarantine is based on the "account attribute name" which
could be "sAMAccountName" in your AD (or other appropriate AD field).

PM.
 
Same issue behind nginx reverse proxy ??
Aug 27 13:08:45 rmx1 pmgdaemon[391]: authentication failure; rhost=10.80.80.51 user=xxxxxxxx@domain.com@quarantine msg=ldap login failed

Why proxmox add @quarantine behind an ldap user loging ? (for sure ldap reject this auth. !)

Note : 10.80.80.51, is my nginx reverse proxy
 
Last edited:
same to me here...syslog states user@domain.com@quarantine

ldap is configured and working...though it is an kerio-connect ldap but the users and email-adresses are listed

maybe the login requires an "real" ldap with kerberos for getting the password passed to pmg?
 
As said above the @quarantine is informational for the logs it's not the actual user-name sent to LDAP - the problem needs to be somewhere else
maybe the login requires an "real" ldap with kerberos for getting the password passed to pmg?
PMG uses LDAP-auth as e.g. Apache - no kerberos involved

I hope this helps!
 
ldap扩展,这个是我有自定义的LDAP,支持组同步及用户与组的绑定。
具体修改代码请参见附件,打PATH到/usr/share/perl5/PVE


1569387160127.png
修改:/usr/share/pve-manager/js/pvemanagerlib.js 第 37240 行

} else if (me.authType === 'ldap') {
me.subject = gettext('LDAP Server');
column1.push({
xtype: 'textfield',
fieldLabel: gettext('Server'),
name: 'server1',
allowBlank: false
},{
xtype: 'textfield',
name: 'bind_dn',
fieldLabel: gettext('Bind DN'),
emptyText: 'cn=admin,OU=Users,DC=Company,DC=net',
allowBlank: false
},
{
xtype: 'textfield',
name: 'base_dn',
fieldLabel: gettext('Base Domain Name'),
emptyText: 'DC=Company,DC=net',
allowBlank: false
},
{
xtype: 'textfield',
name: 'user_ou',
fieldLabel: gettext('User OU'),
emptyText: 'OU=Users',
allowBlank: false
},{
xtype: 'textfield',
name: 'user_attr',
emptyText: 'uid / sAMAccountName',
fieldLabel: gettext('User Attribute Name'),
allowBlank: false
},{
xtype: 'proxmoxcheckbox',
fieldLabel: 'SSL',
name: 'secure',
uncheckedValue: 0
},
);
修改:/usr/share/pve-manager/js/pvemanagerlib.js 第 37314行
if (me.authType === 'ldap' || me.authType === 'ad') {
column2.push(
{
xtype: 'proxmoxtextfield',
fieldLabel: gettext('Fallback Server'),
deleteEmpty: !me.isCreate,
name: 'server2'
},
{
xtype: 'proxmoxintegerfield',
name: 'port',
fieldLabel: gettext('Port'),
minValue: 1,
maxValue: 65535,
emptyText: gettext('Default'),
submitEmptyText: false
},
{
xtype: 'textfield',
name: 'bind_pw',
inputType: 'password',
fieldLabel: gettext('Bind Password'),
emptyText: 'Bind password',
allowBlank: false
},
{
xtype: 'textfield',
name: 'group_ou',
fieldLabel: gettext('Group OU'),
emptyText: 'OU=Groups',
allowBlank: false
},
{
xtype: 'textfield',
name: 'group_filter',
fieldLabel: gettext('Group Filter'),
emptyText: '(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=posixGroup))',
allowBlank: false
},
{
xtype: 'textfield',
name: 'group_filter_field',
fieldLabel: gettext('Group Filter Field'),
emptyText: 'uniqueMember',
allowBlank: false
},
{
xtype: 'textfield',
name: 'group_field_map',
fieldLabel: gettext('Group Field'),
emptyText: 'cn',
},
);
}
修改后需要重启pvedaemon,pverpoxy服务
 

Attachments

  • ldap.patch.zip
    2.8 KB · Views: 9
Hi,

Thanks for sharing the code.

Please post in english, since otherwise it's difficult to know what you want to share (I used a translate service to base my answer on).

This thread is dealing with the Proxmox Mail Gateway (not Proxmox VE), while your patch seems to be for PVE.

A quick glance over the patch I get the use-case - although I think it would be better to have the sync in a dedicated api call.

If you want to contribute your patch please check our Developer Documentation: https://pve.proxmox.com/wiki/Developer_Documentation
and send it to the pve-devel mailing list

2 things I noticed while looking at your patch:
* synchronizing the whole user-database upon each users login might be a bit expensive (also that way the users decide if a new sync happens - i.e. if someone is not in a certain group anymore the PVE-system only sees this when they (or someone else from that realm) logs in again
* you should lock the config-files before writing them

Thanks!
 
Hi,

Thanks for sharing the code.

Please post in english, since otherwise it's difficult to know what you want to share (I used a translate service to base my answer on).

This thread is dealing with the Proxmox Mail Gateway (not Proxmox VE), while your patch seems to be for PVE.

A quick glance over the patch I get the use-case - although I think it would be better to have the sync in a dedicated api call.

If you want to contribute your patch please check our Developer Documentation: https://pve.proxmox.com/wiki/Developer_Documentation
and send it to the pve-devel mailing list

2 things I noticed while looking at your patch:
* synchronizing the whole user-database upon each users login might be a bit expensive (also that way the users decide if a new sync happens - i.e. if someone is not in a certain group anymore the PVE-system only sees this when they (or someone else from that realm) logs in again
* you should lock the config-files before writing them

Thanks!
Ok,Thanks
I know that my reply to bm about your two questions.
1. After the LDAP authentication is passed, the user's data will be synchronized. If the user does not synchronize in real time, if the user information in the LDAP changes or the GROUP changes, the unified management user cannot be implemented.
2, question 2, it is indeed this should be locked, has been modified.
3, in fact, to consider the cost of the problem, you should save the user configuration information to the database, not in the file.
 
My Solution: Don´t use the username from LDAP users, but use any e-Mail Adress of the user to login.

My LDAP Username ist "kais" but it doesn´t work.

My eMail ist "kais@somehere.com" - and it works!

But you have to use the link as mentioned before:

https://<pmg>:8006/quarantine

Best regards,
Kai
Worked for me! Thanks!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!