Configure LDAP server

luferazth

Oct 18, 2022
Hi, I want to configure LDAP with Proxmox.
I have a couple of questions:
How do I know which parameters these are?
Should I take a tutorial on what these are?
Because I want to configure it, but the only parameter I know is Server.
Realm -> is DNS?
Base Domain Name -> what are CN? DC?
User Attribute Name -> is this the login user name? I don't get it yet.
But could you give me a place where I can understand what all of these parameters mean?
 
Hello,

the parameters depend on your LDAP server, so there is no definite way to say what you want to put in there. These are common (not PVE-related) parameters, so you should know what these values are if you have configured the LDAP server yourself, or ask the administrator for the values.

I can give you some pointers on what's generally in there:
  • Realm: That's just the name you give to the authentication realm in Proxmox. By default your Proxmox has two realms: pam (the Linux native authentication) and pve (the Proxmox cluster-wide authentication). On authentication you have to add the realm as username@realm (for example, root@pam). In your case you can call it whatever, like naming it "ldap". See here: https://pve.proxmox.com/pve-docs/chapter-pveum.html#pveum_authentication_realms
  • Base Domain Name: That's the name (DN) of the LDAP root object. Usually it is derived from the domain, so the company with domain example.com generally has the root dc=example,dc=com
  • User Attribute Name: The attribute in the LDAP objects that will be interpreted as the login name. So when the user user@ldap tries to authenticate to your Proxmox server, it tries to find an object in the LDAP server with that attribute. It is common to use uid, so in that case it looks for the object uid=user,ou=people,dc=example,dc=com
  • Server/Fallback Server: The IP address (or in case of SSL, the FQDN) of one or more LDAP servers to use for authentication in that realm.

The LDAP structure is a bit tough to get used to in the beginning, since it was designed to do more than just user authentication. It might be good to look up some tutorials for it if you are planning to work with it regularly.

For more information regarding the Proxmox side (for example, whether your server needs to authenticate to be able to get the objects), see also the LDAP entries in the Proxmox Docs:
https://pve.proxmox.com/pve-docs/chapter-pveum.html#_ldap

Kind regards,
Benedikt
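
The mapping described in the answer above (realm label, base DN derived from the domain, user attribute as the lookup key), as an added Python illustration that is not part of the original posts and is not Proxmox code. All function names are hypothetical and the sample values are constructed; it only builds the search parameters and escapes the login name per RFC 4515, it does not contact a server.

```python
# Added illustration (not Proxmox code). All names here are hypothetical.

# Characters RFC 4515 reserves inside a search-filter assertion value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def split_login(login: str) -> tuple[str, str]:
    """Split 'user@realm' at the last '@'; the realm is only the Proxmox-side label."""
    user, sep, realm = login.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"expected user@realm, got {login!r}")
    return user, realm


def base_dn_from_domain(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com' (the usual convention, not a rule)."""
    labels = domain.strip(".").split(".")
    if not all(label.replace("-", "").isalnum() for label in labels):
        raise ValueError(f"not a plain DNS name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so the login name stays a literal value."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_lookup(login: str, base_dn: str, user_attr: str = "uid") -> dict:
    """Return the search a client would run to find the login's LDAP object."""
    user, realm = split_login(login)
    return {
        "realm": realm,    # never sent to the directory
        "base": base_dn,   # subtree searched for the user object
        "filter": f"({user_attr}={escape_filter_value(user)})",
    }


if __name__ == "__main__":
    # Constructed sample values taken from the answer's own example.
    people = "ou=people," + base_dn_from_domain("example.com")
    print(ldap_lookup("user@ldap", people))
    # A login containing filter metacharacters is escaped, not interpreted:
    print(ldap_lookup("a*(b)@ldap", people))
```
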
 
Hi Otto, thanks for your answer. I feel confident now about the meaning of these parameters.
Also, I'd like to continue with a question.
I watched some tutorials on how to attach LDAP to Proxmox. But I can't find tutorials for older versions of Proxmox, since I'd like to sync Proxmox 4-4 with users in LDAP.

I used to host my LDAP in Zentyal and I created the LDAP auth in Proxmox, putting in all the parameters explained above. But I think I need to do something else, or some kind of sync between the LDAP and Proxmox, since it is still not possible to log in.

Can you shed some light on it for me? Because I'm so new to the matter that I feel stupid.
I understand that everything has a config file, and I'd like to know if by working with some conf files I can maybe log in with my LDAP user. Thanks in advance.
 
Hello, let me ask an additional question here because this should be the right thread to ask:

I see in the logs that Proxmox is searching for user@realm in the LDAP. But our LDAP backend does not allow this and requires searching for 'user' only. Is there any configuration option where we can adjust the search query or something like that?
 
I would like to reply to my own question, just so other people don't waste time looking for a response. In my case, authentication was working, but the user also has to exist in Proxmox. There is a feature called "sync" that loads users from LDAP and creates the new entries in the users.cfg file, and it is only in that context that the user name ends with the realm.
 