LDAP/Active Directory authentication for Proxmox

Sander

Jan 3, 2014
Hi everyone,

I have a question about configuring LDAP/Active Directory. We are running Proxmox on a Hyper-V, but I want the Proxmox server to connect to the LDAP/Active Directory for authentication. Is there any tutorial on how to do this? Or can someone explain in easy steps how to do this?

Thanks in advance,

Sander
 
Hi Sander

The very first pointer is likely: http://pve.proxmox.com/wiki/User_Management
You'll see a screenshot on how to configure your AD/LDAP server, of course you'll need to know at least one hostname of your AD DCs.
You'll have to later define who as in user or as in groups has what permissions on the host level or the VM level.

If your AD doesn't have unencrypted LDAP disabled, test with LDAP first, if it works try switching to SSL. Debugging a non-working LDAP config is often easier than first messing around with SSL encrypted LDAP where you can hit all sorts of certificate validation issues not related to misconfiguration of the LDAP client itself.

I haven't done AD integration with Proxmox but OpenLDAP - and other services with AD, and I remember Proxmox being quite straightforward compared to others.
Once your LDAP authentication is set up and configured with permissions you'll have to check on the login screen what authentication realm you chose (default is the Proxmox internal authentication).

By means that you mention running Proxmox on (top of) Hyper-V you mean nested virtualization (with KVM) - then you'd be giving away quite some resources - or are you using OpenVZ containers?
 

Thanks for your reply!!
It really helped me forward. Now the following question is: How can we assign the rights to users and/or groups? Because we want different rights for users and not that everyone has Administrator rights.
 
@Sander, you're welcome, though a quick read on the wiki page about the roles as well as the search on the net would have turned up something like this:
http://www.jamescoyle.net/how-to/43-setup-active-directory-authentication-in-proxmox-2 :)

The thing that hasn't changed in between 2.x and 3.x is that Proxmox continues to only delegate authentication ("Got valid credentials?") to an LDAP Directory, the authorization ("Are you allowed to do that?") has to be done at the level of your Proxmox Servers (only once if they are in a management cluster).

It also means that a) You have to (re-)define your AD users at the Proxmox level with the same AD Login Name (sAMAccountName, not the distinguishedName) - they are not auto-created.
Then tell this new user to rely on AD as authentication realm. The best is likely to create a group in Proxmox, give it a role at the DC level (not PVEAdmin if you don't want them to be) and add the admin users with the AD realm in there. Check out what the path in permission means. And if you want you can even give permissions per VM, but that depends on your requirements.

There is no LDAP attribute mapping or groups mapping from Proxmox to AD currently, I don't know if there is interest in that or planned (possibly community-contributed or as development request from subscribers).
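
The steps from the post above (define each AD user in Proxmox under its AD login name, create a group, give the group a role at the Datacenter level), as an added example that is not part of the original thread. It prints the `pveum` commands for review instead of running them; the realm `corp-ad`, the group `vm-operators`, the choice of the built-in role `PVEVMUser` and the user names are assumptions, and older releases spell the subcommands `groupadd`, `aclmod`, `useradd` and `usermod`.

```shell
#!/bin/sh
# Added example: build a reviewable list of pveum commands that gives
# AD-authenticated users a non-admin role through a Proxmox group.
# All names used at the bottom are constructed placeholders.

# Accept only a plain login name (sAMAccountName style). This is a
# deliberately conservative allowlist: it rejects distinguished names
# ("CN=..."), "user@domain" forms, whitespace and shell metacharacters.
valid_login() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# pve_ad_plan REALM GROUP ROLE LOGIN...
# Prints the commands; nothing is executed against the cluster.
pve_ad_plan() {
    [ "$#" -ge 4 ] || { echo "usage: pve_ad_plan REALM GROUP ROLE LOGIN..." >&2; return 2; }
    realm=$1; group=$2; role=$3
    shift 3

    # Validate every name first so a bad entry yields no partial plan.
    for login in "$@"; do
        valid_login "$login" || { echo "invalid login name: $login" >&2; return 1; }
    done

    # Authorization lives in Proxmox: one group, one role, path "/"
    # (path "/" is what the GUI shows as the Datacenter level).
    echo "pveum group add $group"
    echo "pveum acl modify / -group $group -role $role"

    # Users are not auto-created: define each one as LOGIN@REALM so the
    # password check is delegated to the AD realm.
    for login in "$@"; do
        echo "pveum user add $login@$realm"
        echo "pveum user modify $login@$realm -group $group"
    done
}

# Constructed sample run.
pve_ad_plan corp-ad vm-operators PVEVMUser alice bob
```
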
 

Thank you! You really helped me. And we can move forward now.

Now the following question is:
We are running Ubuntu servers virtualized on Proxmox. And we want the same thing for those Ubuntu servers. At the moment we have to log in with local accounts, but we want to log in with our Windows accounts. Basically I mean that we want to log in to the Ubuntu servers through Active Directory.
 
Sorry but that's out of scope for a Proxmox-related forum, without being rude, I'd say your previous answers gave me a little bit the impression that you could have done a bit more searching of your own and tried to find the solutions that were actually often only a few searches away.

Anyway: Depending on how closely you want them to be tied / integrated with your AD you'll have to consider and weigh out different approaches. But I can tell you that you'll have to do a bit more extra lifting than on a Windows box using the GUI or executing netdom join / Add-Computer. Oh, and there is definitely (as of now) no exact equivalent to GPO on AD, there are other approaches (think configuration management). A Google search for AD + Ubuntu will turn up some of the possible approaches. To my knowledge and experience there are various ways to get to some authentication integration i.e. using Samba/Winbind, Kerberos or sssd. Things are just quite different in that area between Windows and the unix-like operating systems.
 
So, as far as I can see, there is no replication or auto-creation of the users... bad thing with large LDAP/AD...
 
EDITED: Oh, BTW, I've just found where it is in the API to create users...
 
I'm looking at setting up Proxmox to authenticate against Google's Secure LDAP feature:

https://support.google.com/a/answer/9048516?hl=en

I just wanted to clarify - from reading above and https://pve.proxmox.com/wiki/User_Management I'm still a bit hazy on this part.

Do I need to create a separate user in Proxmox first?

The documentation is rather sparse - does anybody have a separate writeup, or any notes they can share around configuring Proxmox with LDAP?

I'm happy to contribute to the wiki afterwards, based on my experiences/learnings.
 
You need to create a separate user in PVE because there isn't any ability to manage user permissions via AD groups.
 
