Issue with importing group members into Active Directory

gbayi_omo

New Member
Oct 11, 2023
Hello All,
I just installed Proxmox VE 8.1.3 as shown below and tried to add the cluster to the AD domain.

pveversion
pve-manager/8.1.3/b46aac3b42da5d15 (running kernel: 6.5.11-4-pve)

I followed the steps in this link

https://forum.proxmox.com/threads/active-directory-configuration-with-prox.78550/

The issues I am having are:
- When I configure the "Sync Options" with just the "Bind User and Password", it downloads all the users/groups in AD.
- When I add all the other parameters as shown below, for the User Filter, only the proxmox-users are imported but proxmox-admin is empty.
Members of proxmox-users are able to log in, but proxmox-admin members are not able to log in because Proxmox does not import the members.

((memberOf=CN=proxmox-users,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local)(memberOf=CN=proxmox-admin,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local))

[screenshot attachment: Sync Options configuration]

Please let me know if you require any more details

Thank you
 
((memberOf=CN=proxmox-users,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local)(memberOf=CN=proxmox-admin,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local))
If I'm not mistaken, you have to add a pipe after the first bracket. The instruction as to whether it is linked with an AND or an OR is missing.
 
(|(memberOf=CN=proxmox-users,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local)(memberOf=CN=proxmox-admin,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local))

Thank you sb-jw, I have added the pipe at the beginning as mentioned; still the same result.
 
What I completely overlooked is that you use Microsoft AD. As far as I know, "memberOf" doesn’t work that easily.

Instead, you need to use the filter like this:
Code:
(|(memberOf:1.2.840.113556.1.4.1941:=CN=proxmox-users,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local)(memberOf:1.2.840.113556.1.4.1941:=CN=proxmox-admin,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local))

You could also simply use ldapsearch on the console to check whether the result is correct.
We have a bash script that does the synchronization with the domain. This also creates the domain for us directly if it doesn't exist and also puts the users directly into the associated groups so that it runs straight out of the box. Therefore, the requirements in the ldapsearch command may differ from what you have to store in PVE.

You need to add the following to the command below:
$SERVICE_ACCOUNT_PASSWORD = Password of the User "pve" (See the -D parameter)
$LDAP_SERVER_IP:$LDAP_SERVER_PORT = Replace with your LDAP IP and Port
$DOMAIN = Replace with your Domain of the AD

Code:
ldapsearch -w $SERVICE_ACCOUNT_PASSWORD -H ldap://$LDAP_SERVER_IP:$LDAP_SERVER_PORT -D "cn=pve,ou=service,ou=accounts,ou=global,dc=ad,dc=$DOMAIN,dc=de" -b "ou=user,ou=accounts,ou=global,dc=ad,dc=$DOMAIN,dc=de" -s sub "(&(objectClass=person)(userAccountControl=512)(|(memberOf:1.2.840.113556.1.4.1941:=cn=test,ou=security,ou=groups,ou=global,dc=ad,dc=$DOMAIN,dc=de)(memberOf:1.2.840.113556.1.4.1941:=cn=SG_OPENPROJECT_USER,ou=security,ou=groups,ou=global,dc=ad,dc=$DOMAIN,dc=de)))"
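To check a User Filter before pasting it into PVE or ldapsearch, here is a small Python parser and builder for the filters in this thread. It is an added example, not Proxmox code or anything from this thread; the function names are mine, the group DNs are the ones from the first post, and it covers only AND/OR filters and simple or AD extensible-match assertions. It rejects the operator-less list from the first post and builds the nested-group form with the matching-rule OID shown above.

```python
import re
# Minimal RFC 4515 filter parser/builder (written for this thread, not Proxmox code).
# filter = "(" ( "&"/"|" filter+  |  item ) ")";  item is "attr=value" or AD's
# extensible match "attr:<rule OID>:=value".  NOT-filters ("!") are left out.
ITEM_RE = re.compile(r"^([A-Za-z][\w.;-]*)(?::([\w.]+))?:?(=|~=|>=|<=)([^()]*)$")
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: follows nested groups

def parse_filter(s, pos=0):
    """Parse one parenthesised filter at s[pos]; return (node, next_pos) or raise ValueError."""
    if s[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = s[pos:pos + 1]
    if op in ("&", "|"):
        children, pos = [], pos + 1
        while s[pos:pos + 1] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if not children:
            raise ValueError(f"'{op}' at offset {pos - 1} has no operands")
        node = (op, children)
    elif op == "(":  # the first post's mistake: a filter list with no '&' or '|' in front
        raise ValueError(f"filter list at offset {pos} has no '&' or '|' operator")
    else:
        end = s.find(")", pos)
        m = ITEM_RE.match(s[pos:end]) if end != -1 else None
        if not m:
            raise ValueError(f"malformed assertion at offset {pos}")
        node, pos = ("item", m.group(1), m.group(2), m.group(3), m.group(4)), end
    if s[pos:pos + 1] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1
def validate(s):
    """Return (True, None) for a well-formed filter, else (False, reason)."""
    try:
        _, end = parse_filter(s)
        if end != len(s):
            raise ValueError(f"trailing characters after offset {end}")
        return True, None
    except ValueError as e:
        return False, str(e)
def escape_value(v):  # RFC 4515 escaping of characters that would break the filter syntax
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in v)
def pve_user_filter(group_dns, nested=True, enabled_only=False):
    """User Filter matching members of any group in group_dns (via nested groups if nested)."""
    rule = f":{AD_IN_CHAIN}:" if nested else ""
    clauses = "".join(f"(memberOf{rule}={escape_value(dn)})" for dn in group_dns)
    f = f"(|{clauses})" if len(group_dns) > 1 else clauses
    if enabled_only:  # as in the ldapsearch above: person objects with userAccountControl exactly 512
        f = f"(&(objectClass=person)(userAccountControl=512){f})"
    return f
```

Note that `userAccountControl=512` only matches accounts whose flags are exactly 512, so accounts carrying additional flags are excluded as well as disabled ones.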
 
ldapsearch -w $SERVICE_ACCOUNT_PASSWORD -H ldap://$LDAP_SERVER_IP:$LDAP_SERVER_PORT -D "cn=pve,ou=service,ou=accounts,ou=global,dc=ad,dc=$DOMAIN,dc=de" -b "ou=user,ou=accounts,ou=global,dc=ad,dc=$DOMAIN,dc=de" -s sub "(&(objectClass=person)(userAccountControl=512)(|(memberOf:1.2.840.113556.1.4.1941:=cn=test,ou=security,ou=groups,ou=global,dc=ad,dc=$DOMAIN,dc=de)(memberOf:1.2.840.113556.1.4.1941:=cn=SG_OPENPROJECT_USER,ou=security,ou=groups,ou=global,dc=ad,dc=$DOMAIN,dc=de)))"
I tried using the code but still no change. I can only see proxmox-users.
 
Before I sent you my filter, I tried again with the two groups. There was only one in each of them and both were displayed to me.

Are you sure there is actually someone in both groups? Can you post the excerpt here (preferably anonymized, of course)?
Please also note that the "-b" parameter says to only search for objects in a specific path. If the users from the groups are on different paths, then the behavior is definitely to be expected and okay. Furthermore, the filter itself states that it must be a person object and the account status must have the value 512 (which usually stands for activated accounts and, for example, deactivated accounts are hidden).