LDAP/Active Directory authentication for Proxmox

Discussion in 'Proxmox VE: Installation and configuration' started by Sander, Jan 3, 2014.

  1. Sander

    Sander New Member

    Joined:
    Jan 3, 2014
    Messages:
    5
    Likes Received:
    0
    Hi everyone,

    I have a question about configuring LDAP/Active Directory. We are running Proxmox on Hyper-V, but I want the Proxmox server to connect to LDAP/Active Directory for authentication. Is there a tutorial on how to do this? Or can someone explain in easy steps how to do this?

    Thanks in advance,

    Sander
     
  2. kofik

    kofik Member

    Joined:
    Aug 5, 2011
    Messages:
    34
    Likes Received:
    1
    Hi Sander

    The very first pointer is likely: http://pve.proxmox.com/wiki/User_Management
    You'll see a screenshot of how to configure your AD/LDAP server; of course, you'll need to know at least one hostname of your AD DCs.
    You'll later have to define who, as a user or as a group, has what permissions at the host level or the VM level.

    If your AD doesn't have unencrypted LDAP disabled, test with LDAP first; if it works, try switching to SSL. Debugging a non-working LDAP config is often easier than first messing around with SSL-encrypted LDAP, where you can hit all sorts of certificate validation issues not related to misconfiguration of the LDAP client itself.

    I haven't done AD integration with Proxmox but OpenLDAP - and other services with AD, and I remember Proxmox being quite straightforward compared to others.
    Once your LDAP authentication is set up and configured with permissions you'll have to check on the login screen what authentication realm you chose (default is the Proxmox internal authentication).

    By mentioning that you run Proxmox on (top of) Hyper-V, do you mean nested virtualization (with KVM) - then you'd be giving away quite some resources - or are you using OpenVZ containers?
     
    AlexLup likes this.
  3. Sander

    Sander New Member

    Joined:
    Jan 3, 2014
    Messages:
    5
    Likes Received:
    0

    Thanks for your reply!!
    It really helped me forward. Now the following question is: How can we assign the rights to users and/or groups? Because we want different rights for users and not that everyone has Administrator rights.
     
  4. kofik

    kofik Member

    Joined:
    Aug 5, 2011
    Messages:
    34
    Likes Received:
    1
    @Sander, you're welcome, though a quick read on the wiki page about the roles as well as the search on the net would have turned up something like this:
    http://www.jamescoyle.net/how-to/43-setup-active-directory-authentication-in-proxmox-2 :)

    The thing that hasn't changed between 2.x and 3.x is that Proxmox continues to only delegate authentication ("Got valid credentials?") to an LDAP directory; the authorization ("Are you allowed to do that?") has to be done at the level of your Proxmox servers (only once if they are in a management cluster).

    It also means that a) you have to (re-)define your AD users at the Proxmox level with the same AD login name (sAMAccountName, not the distinguishedName) - they are not auto-created.
    Then tell this new user to rely on AD as authentication realm. The best is likely to create a group in Proxmox, give it a role at the DC level (not PVEAdmin if you don't want them to be) and add the admin users with the AD realm in there. Check out what the path in permission means. And if you want you can even give permissions per VM, but that depends on your requirements.

    There is no LDAP attribute mapping or group mapping from Proxmox to AD currently; I don't know if there is interest in that or whether it is planned (possibly community-contributed or as a development request from subscribers).
     
  5. Sander

    Sander New Member

    Joined:
    Jan 3, 2014
    Messages:
    5
    Likes Received:
    0
    Thank you! You really helped me. And we can move forward now.

    Now the following question is:
    We are running Ubuntu servers virtualized on Proxmox, and we want the same thing for those Ubuntu servers. At the moment we have to log in with local accounts, but we want to log in with our Windows accounts. Basically I mean that we want to log in to the Ubuntu servers through Active Directory.
     
  6. kofik

    kofik Member

    Joined:
    Aug 5, 2011
    Messages:
    34
    Likes Received:
    1
    Sorry, but that's out of scope for a Proxmox-related forum. Without being rude, I'd say your previous answers gave me a little bit the impression that you could have done a bit more searching on your own and tried to find the solutions that were actually often only a few searches away.

    Anyway: Depending on how closely you want them to be tied / integrated with your AD you'll have to consider and weigh out different approaches. But I can tell you that you'll have to do a bit more extra lifting than on a Windows box using the GUI or executing netdom join / Add-Computer. Oh, and there is definitely (as of now) no exact equivalent to GPO on AD, there are other approaches (think configuration management). A Google search for AD + Ubuntu will turn up some of the possible approaches. To my knowledge and experience there are various ways to get to some authentication integration i.e. using Samba/Winbind, Kerberos or sssd. Things are just quite different in that area between Windows and the unix-like operating systems.
     
  7. malevolent

    malevolent New Member

    Joined:
    Jun 1, 2012
    Messages:
    10
    Likes Received:
    0
    So, as far as I can see, there is no replication or auto-creation of the users... bad thing with large LDAP/AD...
     
  8. malevolent

    malevolent New Member

    Joined:
    Jun 1, 2012
    Messages:
    10
    Likes Received:
    0
    EDITED: Oh, BTW, I've just found where on the API to create users...
     
    #8 malevolent, Jan 21, 2014
    Last edited: Jan 21, 2014
  9. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    16,255
    Likes Received:
    276
    HTTP: POST /api2/json/access/users
     
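    As an added example (not from any poster or from Proxmox itself) of what kofik's "users are not auto-created" and dietmar's POST /api2/json/access/users add up to: a dry-run planner that takes a constructed list of AD sAMAccountNames and the userids Proxmox already knows, and emits the API calls that define the users in the AD realm, put them in a group and grant that group a role locally. The realm name `ad`, the group `ad-operators`, the role choice and the strict username allowlist are assumptions; nothing here talks to a server.

    ```python
    """Dry-run planner: AD accounts -> Proxmox VE /api2/json calls (constructed example)."""
    import re

    # Constructed sample data: sAMAccountNames pulled from an AD group, and the userids
    # Proxmox already knows (what GET /api2/json/access/users would return).
    AD_ACCOUNTS = ["alice", "bob", "Eve Adams", "carol"]
    EXISTING_PVE_USERS = ["root@pam", "carol@ad"]

    REALM = "ad"            # assumption: name of the LDAP/AD realm configured in Proxmox
    GROUP = "ad-operators"  # assumption: Proxmox group that carries the permissions
    ROLE = "PVEVMAdmin"     # built-in role; deliberately not Administrator

    # Only the bare login name becomes a Proxmox userid (<name>@<realm>). The allowlist
    # is an assumption, stricter than AD or Proxmox require, so that a display name or
    # DN fragment that slipped into the export never turns into a login.
    SAM_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,19}$")


    def plan_provisioning(ad_accounts, existing, realm=REALM, group=GROUP,
                          role=ROLE, path="/"):
        """Return (calls, rejected); each call is (method, api_path, body)."""
        existing_in_realm = {u for u in existing if u.endswith("@" + realm)}
        calls, rejected = [], []
        # The group is local to Proxmox: there is no AD group mapping to lean on.
        calls.append(("POST", "/access/groups",
                      {"groupid": group, "comment": "AD-authenticated operators"}))
        for sam in ad_accounts:
            if not SAM_RE.match(sam):
                rejected.append(sam)          # do not guess; leave it for a human
                continue
            userid = f"{sam}@{realm}"
            if userid in existing_in_realm:
                continue                      # already defined; AD authenticates it
            calls.append(("POST", "/access/users",
                          {"userid": userid, "groups": group, "enable": 1}))
        # Authorization stays in Proxmox: grant the role to the group at `path`.
        calls.append(("PUT", "/access/acl",
                      {"path": path, "groups": group, "roles": role, "propagate": 1}))
        return calls, rejected


    def render(calls):
        """Render the plan as pvesh-style lines for review before anything is applied."""
        verb = {"POST": "create", "PUT": "set"}
        return [f"pvesh {verb[m]} {p} " + " ".join(f"--{k} {v}" for k, v in b.items())
                for m, p, b in calls]


    if __name__ == "__main__":
        plan, skipped = plan_provisioning(AD_ACCOUNTS, EXISTING_PVE_USERS)
        print("\n".join(render(plan)))
        print("rejected (need manual review):", skipped)
    ```

    Review the rendered lines before running anything; carol@ad is skipped because she already exists, and "Eve Adams" is rejected rather than silently turned into a userid.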
  10. malevolent

    malevolent New Member

    Joined:
    Jun 1, 2012
    Messages:
    10
    Likes Received:
    0
    Yes, my bad... I was looking deeper, on /api2/json/access/users/{userid}
     
  11. yassinebg

    yassinebg New Member

    Joined:
    Jun 14, 2018
    Messages:
    5
    Likes Received:
    0
    4 years .. lol

    I want to know if it's possible or not to auto_create users of LDAP without re-creating them?

    Thanks!
     
    #11 yassinebg, Jul 13, 2018
    Last edited: Jul 16, 2018