I am currently testing integration of AD with PVE, including syncing, and found the documentation and wiki somewhat incomplete. Especially there were two points:
- Can I use bind_dn and similar with AD as well? (yes)
- How to filter a set of users and/or groups. Luckily there are options documented in man pveum.
Code:
pveum realm add EXAMPLE.COM \
--type ad \
--domain EXAMPLE.COM \
--server1 example.com \
--mode ldap+starttls \
--bind_dn "cn=mybind.account,ou=FUsers,dc=example,dc=com" \
--password changeme \
--base_dn dc=example,dc=com \
--filter '(&(|(objectClass=Person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(memberof:1.2.840.113556.1.4.1941:=cn=proxmox,ou=FGroups,dc=example,dc=com))' \
--group_filter '(&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(memberof=cn=proxmox,ou=FGroups,dc=example,dc=com))'
Some explanations:
- memberof:1.2.840.113556.1.4.1941:= is used for recursive lookup, e.g. you have userX in groupY, which is again in the proxmox group.
- I only gave one server because redundancy should be handled by the DCs already, i.e. you have DC1.example.com and DC2.example.com, and either should answer if you resolve example.com.
- Obviously the above is redacted and therefore untested, which might have introduced errors.
- pveum realm delete EXAMPLE.COM and pveum realm sync EXAMPLE.COM --dry-run --full=0 --purge=0 --scope=both are super helpful for testing.
- If you have multiple DCs, be aware that it can take minutes to sync users, groups and other stuff, so do not expect instant success when running the tests if you made changes in your AD tree beforehand.
- Other parameters like --autocreate, --sync-defaults-options and --sync-attributes I still have to test.
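The filters from the post, as an added example that is neither the poster's code nor part of pveum: a small Python script that builds the user and group filters for a given group DN, escapes the DN value per RFC 4515, rejects a malformed DN (such as a stray "ou=" inside an RDN), and shows against a constructed in-memory directory what the 1.2.840.113556.1.4.1941 chain rule matches compared with plain memberof. It assumes AD's own class names (person, organizationalPerson, inetOrgPerson, group); the DIRECTORY entries, GROUP name and helper functions are constructed for illustration only, and nothing here talks to a DC or calls pveum.

```python
"""Build, escape and sanity-check the LDAP filters for a PVE AD realm, and
evaluate nested vs. direct memberOf against a constructed directory.
Added example: no pveum or LDAP calls, all data below is made up."""
import re

# Microsoft's LDAP_MATCHING_RULE_IN_CHAIN: memberOf:<OID>:=<dn> follows nested groups.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Attribute type in an RDN: a descriptor or a dotted OID.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515): \\ * ( ) NUL."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def validate_dn(dn: str) -> str:
    """Reject DNs whose RDNs are not single attr=value pairs; returns dn unchanged.
    Catches slips like 'ou=dc=example'. Simplified: escaped commas in values
    (\\,) are not handled, since they do not occur in the realm config here."""
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not _ATTR_RE.fullmatch(attr.strip()) or not value or "=" in value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
    return dn


def is_valid_dn(dn: str) -> bool:
    try:
        validate_dn(dn)
        return True
    except ValueError:
        return False


def user_filter(group_dn: str, nested: bool = True) -> str:
    """Users that are members of group_dn, transitively when nested=True."""
    rule = f":{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else ""
    classes = "(|(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"
    return f"(&{classes}(memberOf{rule}={escape_filter_value(validate_dn(group_dn))}))"


def group_filter(group_dn: str) -> str:
    """Groups that are direct members of group_dn (what PVE syncs as groups)."""
    return f"(&(objectClass=group)(memberOf={escape_filter_value(validate_dn(group_dn))}))"


def balanced(filter_str: str) -> bool:
    """Cheap structural check before pasting a long filter into pveum."""
    depth = 0
    for ch in filter_str:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


# Constructed directory: dn -> the attributes an AD filter would see.
GROUP = "cn=proxmox,ou=FGroups,dc=example,dc=com"
GROUP_Y = "cn=groupY,ou=FGroups,dc=example,dc=com"
USER_X = "cn=userX,ou=FUsers,dc=example,dc=com"   # member of groupY only
USER_Z = "cn=userZ,ou=FUsers,dc=example,dc=com"   # direct member of proxmox
USER_W = "cn=userW,ou=FUsers,dc=example,dc=com"   # member of nothing
DIRECTORY = {
    GROUP: {"objectClass": ["group"], "memberOf": []},
    GROUP_Y: {"objectClass": ["group"], "memberOf": [GROUP]},
    USER_X: {"objectClass": ["person", "user"], "memberOf": [GROUP_Y]},
    USER_Z: {"objectClass": ["person", "user"], "memberOf": [GROUP]},
    USER_W: {"objectClass": ["person", "user"], "memberOf": []},
}
USER_CLASSES = {"person", "organizationalPerson", "inetOrgPerson"}


def member_of(directory: dict, entry_dn: str, group_dn: str, nested: bool) -> bool:
    """memberOf=group_dn (nested=False) or memberOf:<chain>:=group_dn (nested=True)."""
    seen, todo = set(), list(directory[entry_dn]["memberOf"])
    while todo:
        g = todo.pop()
        if g == group_dn:
            return True
        if nested and g not in seen:          # walk up the group chain
            seen.add(g)
            todo.extend(directory.get(g, {}).get("memberOf", []))
    return False


def matching_users(directory: dict, group_dn: str, nested: bool) -> set:
    """DNs the user filter would return from this directory."""
    return {dn for dn, e in directory.items()
            if USER_CLASSES & set(e["objectClass"]) and member_of(directory, dn, group_dn, nested)}


if __name__ == "__main__":
    uf = user_filter(GROUP)
    print(uf, "balanced:", balanced(uf))
    print("plain memberOf:", sorted(matching_users(DIRECTORY, GROUP, nested=False)))
    print("chain rule    :", sorted(matching_users(DIRECTORY, GROUP, nested=True)))
    print("typo DN valid :", is_valid_dn("cn=proxmox,ou=FGroups,ou=dc=example,dc=com"))
```

Run it once before committing a realm: the chain-rule result should list the nested user that plain memberOf misses, and a DN that fails is_valid_dn is one to fix before it ends up in --filter.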