[TUTORIAL] Connect to Active-Directory with additonal Checks

sb-jw

Famous Member
Jan 23, 2018
1,843
292
128
33
Hello,

i've setup today our PMG with LDAP Connection and this was a little bit tricky. So i want to gave you here a little guide to help you by setting this up. It seems really complicated, but in the end its really easy.

What do I want to achieve?
- Login per LDAP for Users
- Remove disabled AD Users
- Only sync Users within a specified group BUT nested!

First at all, make sure your PMG is able to reach your Domain Controllers and all needed Ports are opened.
Your Users should already existing and have an E-Mail Address.

For a better understanding of how my strings are structured i will explain a little more about our Setup.
Best practise to setup an Active-Directory is to use an real existing TLD, therefore add a subdomain named "ad.domain.de".
My Realm is: dc=ad,dc=domain,dc=de

In my experience, i have a "best practise" Setup for orangize the AD Structure. If you work a little more with Active-Directory, perhaps you will thank me for this in a few years :D
I will leave all the default Stuff at it is and will create my own Users, Groups and OUs.

The Groupname "SG_PMG_USER" looks a little crypted, but its easy to understand. The Prefix "SG_" stands for "Security Group", "PMG" for Proxmox Mail Gateway (or any other Service) and "USER" should reflected only the User Rights, not administrative.

How these freaky LDAP Filter is Working?
In general you could check these Page for an general understanding for the String itself: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html

I will only explain the little "Magic" here:
(userAccountControl=512):
This value means, the account is active and not disabled
(memberOf:1.2.840.113556.1.4.1941:=cn=SG_PMG_USER,ou=security,ou=groups,ou=global,dc=ad,dc=domain,dc=de): This means, every user who has a membership in the Group "SG_PMG_USER" should snyced to PMG, the String "1.2.840.113556.1.4.1941" in Front means, LDAP should check nested Groups too. So i have Group "SG_Management" who is a member of "SG_PMG_USER" in the Group "SG_PMG_USER" is no User direclty, its only another Group.

For more infos about the ID "1.2.840.113556.1.4.1941" see this Page: https://docs.microsoft.com/en-us/windows/desktop/adsi/search-filter-syntax

So thats my current Structure:
Code:
ad.domain.de
- Global
-- accounts
--- admin
--- disabled
--- guest
--- service
--- user
-- computers
--- clients
--- servers
-- groups
--- distribution
--- mailbox
--- printer
--- security
--- shares
--- software

Step 1.
Login to PMG, now go to "Configuration" > "User Management", now you will find in the upper Navi the Button "LDAP", here you can click on "Create".

Step 2.
Now we will fill the Form:

Profile Name: Here you can use any String you want
Protocol: LDAP (otherwise you have LDAPS etc.)
Server: 127.0.0.1 (IP of the first DC)
Server: 127.0.0.2 (IP of the second DC)
Port: Default (leave if, otherwise you have another Port)
User name: pmg (i recommend to add an "Service Account" which named "pmg", with NO groupmembership)
Password: **** (the Password of the PMG User)

Enable: Yes
Base DN:
Code:
ou=user,ou=accounts,ou=global,dc=ad,dc=domain,dc=de
Base DN for Groups:
Code:
cn=SG_PMG_USER,ou=security,ou=groups,ou=global,dc=ad,dc=domain,dc=de
EMail attribute name(s): mail
Account attribute name: sAMAccountName
LDAP filter:
Code:
(&(objectClass=person)(userAccountControl=512)(memberOf:1.2.840.113556.1.4.1941:=cn=SG_PMG_USER,ou=security,ou=groups,ou=global,dc=ad,dc=domain,dc=de))
Group Objectclass: Leave it blank

Comment: Here you can enter what you want.

Step 3.
Now click on "OK" and check they will find the Group and Users.

Step 4.
If you now configured "Configuration" > "Spam Detector" > "Quarantine" > "Authentication method" to "LDAP or Ticket", your users are able to login under https://pmg01.domain.de:8006/quarantine

Let me know, if you have an feedback or questions about this Tutorial.
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!