Group names and Active Directory sync

Jul 3, 2020
Hi,

today I wanted to configure authentication via Active Directory. Bind authentication seems to work, but when previewing the sync I get these messages:

Code:
group name 'Team Analyse-ucs-addc' contains invalid characters
group name 'Team Defend-ucs-addc' contains invalid characters
group name 'Product Leads-ucs-addc' contains invalid characters
group name 'Office Manager-ucs-addc' contains invalid characters
group name 'Partner Management-ucs-addc' contains invalid characters
group name 'Internal IT-ucs-addc' contains invalid characters
group name 'Team Leads-ucs-addc' contains invalid characters

Groups not containing spaces don't provoke these messages so I just checked creating a group with a space, et voilà!, the space character is the offending character.

Is there a way to tell Proxmox VE to substitute spaces with underscores or something similar? I cannot imagine that space characters are so rarely used in AD that I'm the first one to stumble upon this problem.

Bests,
Masin
 
Is there a way to tell Proxmox VE to substitute spaces with underscores or something similar?
not yet, you can of course open a feature request, no promises though
i am not sure if this would be wise though, since you lose information, for example if you have groups:
"Foo Bar" and
"Foo_Bar", what should we do on a sync? merge them? error out again?

the problem is that spaces are not allowed in our group names, so they cannot be synced...
 
not yet, you can of course open a feature request, no promises though
i am not sure if this would be wise though, since you lose information, for example if you have groups:
"Foo Bar" and
"Foo_Bar", what should we do on a sync? merge them? error out again?

the problem is that spaces are not allowed in our group names, so they cannot be synced...

If this substitution was configurable the respective admin would be responsible for that. In my case, we have a history of using spaces in AD groups for years now. No application has had any problems with that till now. You might understand why I'm hesitant to change our naming and favor a solution on Proxmox' end. ;-)

Let's see it this way: Either a domain uses spaces in group names or it uses underscores. But a domain would certainly not use both schemes. So, "Foo Bar" and "Foo_Bar" would probably never exist in the same domain.
 
@dcsapak is it possible to guide us to the section of the code that deals with this authentication? Maybe someone in the community could review what could be done and propose a solution. Also @gustavobada comment on the bugzilla ticket.
The thing is that for non-green field Active Directory implementations maybe is an simple change the structure.
 
@dcsapak
Hi!

I just added a comment at the bottom section of https://bugzilla.proxmox.com/show_bug.cgi?id=2929, filed by @MasinAD 3 years ago.
I'm running into the same issue and I am fairly convinced that everyone who wants to sync the default AD Users and Groups runs into this issue - rendering this wonderful function useless, sadly enough.

Use case scenario:
I administer users in the AD (UCS with AD/Samba).
The default groups and their respective names in this AD as well as Microsoft AD, contain spaces in their names by design, i.e. 'Domain Admins'.
When I create an AD user and add it to the AD group 'Domain Admins', the user syncs just fine, but the group won't sync.
The result is that said user does not have admin permissions within Proxmox, as the AD group 'Domain Admins' cannot be selected, in order to link it to the Proxmox role 'Administrator'.

Working test (using an AD group not containing any spaces):
If I create a permission in Proxmox to have the AD group 'Administrators' (@Administrators-<realmname>) linked to the Proxmox role 'Administrator' this works like a charm - especially coupled with a regular sync that has been set up to run every 30 min.

Conclusion:
This is a fantastic option and works nearly perfectly, but it does not seem to comply with standard naming conventions of the Microsoft AD (or open source variants that went through great lengths to mimic this naming convention to match MS AD).

Any chance this much required and much wanted fix can be expedited?
Very willing to help with testing, just give me a shout. :)
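
Added example, not part of any post in this thread and not Proxmox code: a pre-sync check that applies the space-to-underscore substitution discussed above and refuses to map any two AD groups that would merge into one name (the "Foo Bar" / "Foo_Bar" case), since a merge would give one group's members the other group's permissions. Assumptions: only the "no spaces" rule from the thread is modelled, the function name plan_group_sync and the sample group list are constructed, and the '<group>-<realm>' form is taken from the messages in the first post.

```python
import re
from collections import defaultdict

# Assumption: only the rule named in the thread is modelled (no whitespace in
# a group name). The real validator in Proxmox VE may reject more characters.
WHITESPACE = re.compile(r"\s")


def plan_group_sync(ad_groups, realm, replacement="_"):
    """Classify AD group names before a sync (hypothetical helper).

    Returns (mapping, rejected, collisions):
      mapping    - AD name -> '<substituted name>-<realm>', unambiguous names only
      rejected   - AD names containing whitespace (refused by the sync today)
      collisions - substituted name -> the AD names that would merge into it
    """
    ad_groups = list(dict.fromkeys(ad_groups))  # drop exact duplicates, keep order
    rejected = [g for g in ad_groups if WHITESPACE.search(g)]

    by_target = defaultdict(list)
    for group in ad_groups:
        by_target[WHITESPACE.sub(replacement, group)].append(group)

    # Fail closed: two distinct AD groups landing on one name are reported and
    # left unmapped, so no role is granted to the wrong set of members.
    collisions = {t: sorted(s) for t, s in by_target.items() if len(s) > 1}
    mapping = {s[0]: f"{t}-{realm}" for t, s in by_target.items() if len(s) == 1}
    return mapping, rejected, collisions


# Constructed sample input; the realm suffix is the one seen in the first post.
SAMPLE_GROUPS = ["Team Leads", "Internal IT", "Administrators", "Foo Bar", "Foo_Bar"]

if __name__ == "__main__":
    mapping, rejected, collisions = plan_group_sync(SAMPLE_GROUPS, "ucs-addc")
    for ad_name, synced in mapping.items():
        print(f"ok        {ad_name!r} -> {synced!r}")
    for target, sources in collisions.items():
        print(f"collision {sources} -> {target!r} (not mapped)")
    print(f"{len(rejected)} of {len(SAMPLE_GROUPS)} names contain whitespace")
```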
 