[TUTORIAL] Configuring FreeIPA LDAP server with Proxmox

T

torchilidae

New Member
Feb 7, 2022
6
4
3
32
Hi,

I was not able find on step by step tutorial on setting up the LDAP authentication for FreeIPA so I am writing this guide for someone like me who is unable to find the guide for this. Please feel free to add anything that I am missing.

Step 1: Go to Datacenter -> Realms -> Add -> LDAP Server
Step2: Fill the "General" section with the following details
  • Realm: example.com
  • Server: hostname.example.com
  • Base Domain Name: dc=example,dc=com
  • Fallback Server (Optional): bkp_hostname.example.com
  • User Attribute Name: uid
  • Port: Default
  • SSL: Checked
  • Verify Certificate: Unchecked
  • Require TFA: none
1660193176268.png
Step3: Fill the Sync Options with the following details and Click "Add"
  • Bind User: uid=admin,cn=users,cn=accounts,dc=example,dc=com
  • Bind Password: Password
  • Email Attribute(Optional): email@example.com
  • Groupname attr.: cn
  • User Classes: person
  • Group Classes: posixGroup
  • User Filter: memberOf=cn=pve-group,cn=groups,cn=accounts,dc=example,dc=com
  • Group Filter: (|(cn=*pve*)(dc=ipa)(dc=example)(dc=com))
  • Scope: Users and Groups
  • Enable new users: Yes
  • ACL: Checked
  • Entry: Checked
  • Properties: Checked
1660193715887.png

Step4: Now select the added Realm and click the "Sync" button. With the below options press Sync.
  • Scope: Users and Groups
  • Enable new: Yes
  • ACL: Checked
  • Entry: Checked
  • Properties: Checked
1660193988287.png

Once the sync is pressed the Proxmox users and groups will automatically synchronized from the FreeIPA LDAP server. You can check the user and group details in the Users and Groups tab.

Step5: Setup the related group/user permissions in the permissions tab.
1660195061242.png

Step6: Once you are sure that above steps are working as expected add the below line to chron jobs in the server to synchronize the Users and Groups automatically.

*/15 * * * * pveum realm sync example.com > /var/log/ldap-sync.log



Reference Links:
 
Last edited:
  • Like
Reactions: bryvo01, Tmanok, alarma and 1 other person
torchilidae said:
Hi,

I was not able find on step by step tutorial on setting up the LDAP authentication for FreeIPA so I am writing this guide for someone like me who is unable to find the guide for this. Please feel free to add anything that I am missing.

Step 1: Go to Datacenter -> Realms -> Add -> LDAP Server
Step2: Fill the "General" section with the following details
  • Realm: example.com
  • Server: hostname.example.com
  • Base Domain Name: dc=example,dc=com
  • Fallback Server (Optional): bkp_hostname.example.com
  • User Attribute Name: uid
  • Port: Default
  • SSL: Checked
  • Verify Certificate: Unchecked
  • Require TFA: none
View attachment 39886
Step3: Fill the Sync Options with the following details and Click "Add"
  • Bind User: uid=admin,cn=users,cn=accounts,dc=example,dc=com
  • Bind Password: Password
  • Email Attribute(Optional): email@example.com
  • Groupname attr.: cn
  • User Classes: person
  • Group Classes: posixGroup
  • User Filter: memberOf=cn=pve-group,cn=groups,cn=accounts,dc=example,dc=com
  • Group Filter: (|(cn=*pve*)(dc=ipa)(dc=example)(dc=com))
  • Scope: Users and Groups
  • Enable new users: Yes
  • ACL: Checked
  • Entry: Checked
  • Properties: Checked
View attachment 39887

Step4: Now select the added Realm and click the "Sync" button. With the below options press Sync.
  • Scope: Users and Groups
  • Enable new: Yes
  • ACL: Checked
  • Entry: Checked
  • Properties: Checked
View attachment 39888

Once the sync is pressed the Proxmox users and groups will automatically synchronized from the FreeIPA LDAP server. You can check the user and group details in the Users and Groups tab.

Step5: Setup the related group/user permissions in the permissions tab.
View attachment 39889

Step6: Once you are sure that above steps are working as expected add the below line to chron jobs in the server to synchronize the Users and Groups automatically.

*/15 * * * * pveum realm sync example.com > /var/log/ldap-sync.log



Reference Links:
Click to expand...
Thanks for the write up! Did you have to add Proxmox to FreeIPA as a host before being able to sync users and groups? If so, how did you do that?
 
torchilidae said:
Hi,

I was not able find on step by step tutorial on setting up the LDAP authentication for FreeIPA so I am writing this guide for someone like me who is unable to find the guide for this. Please feel free to add anything that I am missing.

Step 1: Go to Datacenter -> Realms -> Add -> LDAP Server
Step2: Fill the "General" section with the following details
  • Realm: example.com
  • Server: hostname.example.com
  • Base Domain Name: dc=example,dc=com
  • Fallback Server (Optional): bkp_hostname.example.com
  • User Attribute Name: uid
  • Port: Default
  • SSL: Checked
  • Verify Certificate: Unchecked
  • Require TFA: none
View attachment 39886
Step3: Fill the Sync Options with the following details and Click "Add"
  • Bind User: uid=admin,cn=users,cn=accounts,dc=example,dc=com
  • Bind Password: Password
  • Email Attribute(Optional): email@example.com
  • Groupname attr.: cn
  • User Classes: person
  • Group Classes: posixGroup
  • User Filter: memberOf=cn=pve-group,cn=groups,cn=accounts,dc=example,dc=com
  • Group Filter: (|(cn=*pve*)(dc=ipa)(dc=example)(dc=com))
  • Scope: Users and Groups
  • Enable new users: Yes
  • ACL: Checked
  • Entry: Checked
  • Properties: Checked
View attachment 39887

Step4: Now select the added Realm and click the "Sync" button. With the below options press Sync.
  • Scope: Users and Groups
  • Enable new: Yes
  • ACL: Checked
  • Entry: Checked
  • Properties: Checked
View attachment 39888

Once the sync is pressed the Proxmox users and groups will automatically synchronized from the FreeIPA LDAP server. You can check the user and group details in the Users and Groups tab.

Step5: Setup the related group/user permissions in the permissions tab.
View attachment 39889

Step6: Once you are sure that above steps are working as expected add the below line to chron jobs in the server to synchronize the Users and Groups automatically.

*/15 * * * * pveum realm sync example.com > /var/log/ldap-sync.log



Reference Links:
Click to expand...
Hi Torchilidae,

Thanks for this great write up.

Do you have a write up for what you did on the Proxmox Side?



For example, did you create a 'bind' account (I see that you used 'admin' which seems like its the FreeIPA 'admin' account). Also, in user filter, I see 'pve-group'; did you make that group in FreeIPA?

Also in 'Group Filter' i see you have 'dc' as: (dc=ipa)(dc=example)(dc=com)
but in other areas you only have '(dc=example)(dc=com)'. is '(dc=ipa) actually part of your 'dc' ?
I'm also guessing that cn=*pve* is because you've created a group called 'pve-group'?

I don't mind experimenting when I'm home, but the FreeIPA side of the instructions would be a great help to many!

Cheers!
 
Hi,
Thanks for your tuto. I was able to recover a sub set of groups and users from freeipa following it witout headache.

However the recovered users and groups have lost their relations, meaning I had to add the users to the groups in proxmox when they were already in the groups in free ipa.
This is may be intended but as I am usually clueless on ldap request this might comme from my requests that are ill formated.

I used the following query parameters
  • Bind User: uid=ldap_bind_generic,cn=users,cn=accounts,dc=intra,dc=corp,dc=fr
  • Bind Password: Password
  • Email Attribute(Optional):
  • Groupname attr.: cn
  • User Classes: person
  • Group Classes: posixGroup
  • User Filter: memberOf=cn=proxmox_admin_global,cn=groups,cn=accounts,dc=intra,dc=corp,dc=fr
  • Group Filter: (|(cn=*proxmox*)(dc=ipa)(dc=intra)(dc=corp)(dc=fr))
  • Scope: Users and Groups
  • Enable new users: Yes
  • ACL: Checked
  • Entry: Checked
  • Properties: Checked
Thanks for your inputs.
 
With FreeIPA & Proxmox (LXC), how did you solve the default UID/GID issue being higher than 65536?

My attempt was to change FreeIPA's id range to 20000-50000. Not ideal I suppose, but it worked. I haven't messed around with changing the mappings for each container, which I guess is another solution.
 
sebastien chanson said:
Hi,
Thanks for your tuto. I was able to recover a sub set of groups and users from freeipa following it witout headache.

However the recovered users and groups have lost their relations, meaning I had to add the users to the groups in proxmox when they were already in the groups in free ipa.
This is may be intended but as I am usually clueless on ldap request this might comme from my requests that are ill formated.

I used the following query parameters
  • Bind User: uid=ldap_bind_generic,cn=users,cn=accounts,dc=intra,dc=corp,dc=fr
  • Bind Password: Password
  • Email Attribute(Optional):
  • Groupname attr.: cn
  • User Classes: person
  • Group Classes: posixGroup
  • User Filter: memberOf=cn=proxmox_admin_global,cn=groups,cn=accounts,dc=intra,dc=corp,dc=fr
  • Group Filter: (|(cn=*proxmox*)(dc=ipa)(dc=intra)(dc=corp)(dc=fr))
  • Scope: Users and Groups
  • Enable new users: Yes
  • ACL: Checked
  • Entry: Checked
  • Properties: Checked
Thanks for your inputs.
Click to expand...
I changed my query parameters to target the group holding proxmox users which gave me proper user/groups relations:
  • Group filter: cn=proxmox_group,cn=groups,cn=accounts,dc=intra,dc=corp,dc=fr
 
You must log in or register to reply here.
Top Bottom