Join PVE Host to FreeIPA Domain?

Bromeister

Jan 17, 2020
With freeipa-client in stable in buster I was considering joining the pve hosts in my cluster to my domain for ease of management.

Is this advisable? Thanks.
 
Looks like not many people are using this combination. If you want to try this in a test setup you can install a test Proxmox VE in a VM and see if you encounter any problems.
 
Thanks! I may spin up a test cluster. If I do I will report back with my findings.
Hey, I'm interested in doing this, as it will make user management easier (most users are in FreeIPA and I'd rather they use their own names for host shell access rather than root, or have to maintain separate host accounts). I've seen tutorials where the hosts are set up as clients and then IPA users can just use PAM to log in; I'd be interested in how stable that is. I don't want to risk my hosts if there will be problems with this. Did you ever attempt this?
 
Hello everyone,

I'm interested in installing the freeipa-client in my Proxmox host as well.

@Bromeister / @4am would be grateful if you can share your experience here.
 
Can't say for FreeIPA as I do not use it, but I'm joining my PVE servers to my AD (samba4) domain using sssd / adcli. It's working without issue.
 
hey danielb, thanks for your reply, however I already have a FreeIPA server for central authentication.

I already tried connecting to it using the LDAP realm in proxmox, but was unable to make it work. The option of installing the freeipa-client on the host server and authenticating using PAM seems like an easier approach. I just need to know if it will mess up my already functioning Proxmox nodes.
 
So I did install freeipa-client on the PVE host without any issues. However it did not solve my GUI authentication problem. After some more testing I was able to get the LDAP authentication working via freeipa. Now I need to see if I can implement authorization as well.
 
So I did install freeipa-client on the PVE host without any issues. However it did not solve my GUI authentication problem. After some more testing I was able to get the LDAP authentication working via freeipa. Now I need to see if I can implement authorization as well.
Did you get any further? If so, could you share your findings?
Currently working on getting our testproxmox connected to freeipa.

Thanks
 
Yep, what exactly do you want to achieve?
I would like to manage the GUI users using IPA: centralised user management for our testlab.
Users within the group promox_access should be able to log in on the proxmox GUI.
 
Try the following:

Code:
Go to Datacenter-->Permissions-->Realms-->Add-LDAP Server

In General:

Enter the details of your freeipa server and port

Realm: your domain
Base Domain Name: cn=users,cn=accounts,dc=xxxxxx,dc=xx
User Attribute Name: uid
require TFA: none

Sync Options:
Bind user: uid=<<bind_username_here>>,cn=users,cn=accounts,dc=xxxxxxxx,dc=xx
Bind Password: <<your bind password>>
User classes: <<i left blank, you can explore>>
Group classes: <<i left blank, you can explore>>
Default Sync Options:
Scope: None
Full: None
Enable new users: Yes
Purge: None


Then go to Users and click Add

User name: same username in freeipa
Realm: choose the Realm name you entered above

That should be it, that should get it to work, you can explore with Groups and Roles to give different permission levels. Let me know if you need more clarifications.
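
The realm settings from the post above, as an added example that is not part of the original thread: a shell sketch that derives the FreeIPA DNs from the DNS domain and prints (does not run) the matching `pveum` commands, with a sync filter limited to one FreeIPA group. The domain `example.test`, realm id `ipa`, server name and bind user `pve-bind` are constructed placeholders; the TLS options (`--mode ldaps`, `--verify 1`) and the `--filter` are additions the post does not use and need a Proxmox VE release that supports them.

```shell
#!/bin/sh
# Added example: build FreeIPA DNs and print pveum commands for review.
# Assumes the default FreeIPA directory layout shown in the post
# (cn=users,cn=accounts,<suffix>); all names passed in are placeholders.

# example.test -> dc=example,dc=test
ipa_suffix() {
    printf '%s\n' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# Users container, the "Base Domain Name" field in the post
ipa_users_dn() {
    printf 'cn=users,cn=accounts,%s' "$(ipa_suffix "$1")"
}

# LDAP filter matching only members of one FreeIPA group (memberOf attribute)
ipa_group_filter() {
    printf '(memberOf=cn=%s,cn=groups,cn=accounts,%s)' "$2" "$(ipa_suffix "$1")"
}

# Print the commands; args: domain realm-id server group bind-user
realm_commands() {
    users_dn=$(ipa_users_dn "$1")
    printf 'pveum realm add %s --type ldap --server1 %s --mode ldaps --verify 1 \\\n' "$2" "$3"
    printf "  --base_dn '%s' --user_attr uid \\\\\n" "$users_dn"
    printf "  --bind_dn 'uid=%s,%s' \\\\\n" "$5" "$users_dn"
    printf "  --filter '%s'\n" "$(ipa_group_filter "$1" "$4")"
    # The bind password is entered in the GUI as in the post, so it stays
    # out of shell history. A dry-run sync shows who would be created.
    printf 'pveum realm sync %s --scope users --dry-run 1\n' "$2"
}

# Group name spelled as in the thread; everything else is constructed.
realm_commands example.test ipa ipa.example.test promox_access pve-bind
```

Because Proxmox VE only lets users that exist in its own user list log in, syncing with a group filter limits GUI accounts to members of that group; permissions still have to be granted through Groups and Roles.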
 
