Authentication Failure Using FreeIPA LDAP

B

bcisse

New Member
Nov 7, 2018
1
0
1
47
I'm having trouble with LDAP authentication on a Proxmox 5.2 server. Everything appears to be configured properly but users are still unable to authenticate even though ldapsearch query works without any issues from Proxmox console. daemon.log on server are showing the following:

Nov 7 16:28:03 pve1 pvedaemon[35313]: authentication failure; rhost=xxx.xxx.xxx.xxx user=username@EXAMPLE.COM msg=no such user ('username@EXAMPLE.COM')


Here is the content of the host domain.cfg

root@xxx:/etc/pve# cat /etc/pve/domains.cfg
pve: pve
comment Proxmox VE authentication server

pam: pam
comment Linux PAM standard authentication

ldap: EXAMPLE.COM
comment LDAP authentication
base_dn cn=users,cn=accounts,dc=example,dc=com
server1 ipa.example.com
user_attr uid
default 0
port 389
secure 0


ldapsearch -x -W -b "cn=users,cn=accounts,dc=example,dc=com" -D "cn=Directory Manager"


# extended LDIF

#

# LDAPv3

# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#


# users, accounts, example.com

dn: cn=users,cn=accounts,dc=example,dc=com

objectClass: top

objectClass: nsContainer

cn: users

::

::

# search result

search: 2

result: 0 Success


# numResponses: 30

# numEntries: 29


I also attempted to authenticate by setting <bind_dn uid=sys-ldap,cn=sysaccounts,cn=etc,dc=example,dc=com> then add the bind user password to /etc/pve/priv/ldap/example.com.pw without success. Any insight/assistance will be greatly appreciated.
 
Hi @bcisse

Did you manage to get Proxmox server working with FreeIPA? I struggled with it months ago and gave up but really want to get it working.
 
I don't know if you are still interested, but in order to work you will have to add the user in proxmox before it can authenticate via LDAP.
So, your LDAP search base is correct (cn=users,cn=accounts,dc=domain,dc=com) but you missed only the step to add the usernames (uid) you want them to be able to login on proxmox.
So, what i did was:
  1. Went to Groups and added a new group named LDAP_Admins
  2. Went to Permissions ad added a new permission for / with Administrator privilege, selected the group created at step 1
  3. Went to Users and added a new user whom username=the exact username in FreeIPA, selected the group created at step 1. (example if username in FreeIPA is bob.marley, in proxmox the username must be the same so it can match).
  4. At login use LDAP REALM you created before and voilà! your FreeIPA user can now login on Proxmox.
 
  • Like
Reactions: llewxam and ZipTX
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom