Hi, do not mind the last question. We figured it out. I will attach an example of how it works because this was impossible for me alone to figure out.
First, you have to know how it works. Synchronization to Active Directory works with ease when it comes only to authentication.
If you want also to add groups from AD, which to sync and also sync the users within, read on:
A few remarks:
1) All was performed using the interface
2) Group permissions, of course, you have to assign within the Proxmox interface itself
3) You will have to sync manually each time you want or create some automated job for it.
I. Steps for setting up the Active Directory itself:
Authentication - Add - Active Directory Server
Realm - choose some name that speaks to you
Base Domain Name: dc=company,dc=local
User Attribute Name: sAMAccountName
Default - does not really matter
Server - input the IP or the host name of Domain Controller, whatever works in your setup
Port: I have it running on 636
SSL - is clicked for me
require TFA: none
This alone will enable the authentication to the AD itself. However, if you do not go on and sync the groups and their members from the AD, manually create the users as users in the freshly created Realm and assign a group to them with the proper permissions.
II. Syncing the groups
You are going into sync options
First create in your AD a service user (normal AD user), which can browse the structure. Normal user is just fine. For instance proxmox.
Create a few groups in the AD, which will handle your proxmox access - for instance proxSupers, proxAdmins, proxUsers, proxReadOnly
Assign members to the groups
Now back in Prox
Bind user: CN=proxmox,OU=serviceAccounts,OU=company_users,DC=company,DC=local
Pass: from your AD user proxmox
e-Mail attribute: email
groupname attr: sAMAccountName
User classes: user
Group classes: group
The next part is the most important one!
Please take a look here if you want - the standard syntax for filtering LDAP structures:
https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
User Filter (this is to filter only the users that will be imported, not the entire AD):
(|(memberOf=CN=proxAdmins,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local)(memberOf=CN=proxSupers,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local)(memberOf=CN=proxReadOnly,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local))
Group Filter (to filter which groups to import):
(|(sAMAccountName=prox*))
Select Users&Groups, Full, Enable New, Purge if you want to automatically add new users, purge the ones that are not in AD, etc.
Now go into the interface with root account!!!!
And synchronize the groups and users.
All groups should import just fine and users will be in the groups
After that assign permissions to the imported groups.
And you are ready.
Sync the groups and users when there is a change and you are ready.
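
Added example, not part of the original post: a small Python helper that generates the User Filter above from a list of group DNs, so the long string is not typed by hand and group names are escaped per RFC 4515. The function names are hypothetical; the `nested=True` option goes beyond the post and uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule, since a plain `memberOf` test only matches direct members of a group.

```python
"""Build the Proxmox realm "User Filter" from a list of AD group DNs (added example)."""

# AD matching rule LDAP_MATCHING_RULE_IN_CHAIN: also matches nested group membership.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Sample values taken from the post; replace with your own OU layout.
GROUP_BASE = "OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local"
GROUPS = ["proxAdmins", "proxSupers", "proxReadOnly"]


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(group_dns, nested=False):
    """Return an OR filter that matches members of any of the given groups."""
    if not group_dns:
        raise ValueError("no group DNs given")
    attr = "memberOf:%s:" % AD_IN_CHAIN if nested else "memberOf"
    terms = "".join("(%s=%s)" % (attr, escape_filter_value(dn)) for dn in group_dns)
    return terms if len(group_dns) == 1 else "(|%s)" % terms


def is_balanced(ldap_filter):
    """Cheap paste check: every '(' closed, never closing more than opened."""
    depth = 0
    for c in ldap_filter:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    dns = ["CN=%s,%s" % (g, GROUP_BASE) for g in GROUPS]
    direct = build_user_filter(dns)
    assert is_balanced(direct)
    print("direct members only:\n " + direct)
    print("including nested groups:\n " + build_user_filter(dns, nested=True))
```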