LDAP authentication fails

hidalgo

Nov 11, 2016
I created an LDAP realm and created users and groups. I added roles to the groups, and then I tried to log in with an LDAP user and it fails. The log says wrong credentials, but the password is correct. I tried with a different user, same result. My LDAP has anonymous bind and no security; my Proxmox has only a self-signed certificate. But where is the problem? Any help to debug my problem?
 
I did some more testing. I created an LXC container with an LDAP server for testing (domain2), and that works as expected.

Code:
cat /etc/pve/user.cfg
user:user@domain1:1:0:firstname:lastname:user@domain1:::
user:user@domain2:1:0:firstname:lastname:user@domain2:::

group:User:::
group:Administrator:user@domain1,user@domain2::

pool:Test:Testumfeld:999,100::


acl:1:/:@Administrator:Administrator:
acl:1:/:@User:PVEVMUser:
acl:1:/pool/Test:@User:PVESysAdmin:

Code:
cat /etc/pve/domains.cfg
pam: pam
    comment Linux PAM standard authentication

pve: pve
    comment Proxmox VE authentication server

ldap: domain1
    user_attr uid
    base_dn dc=unit,dc=domain1,dc=com
    server1 ldap.domain1.com
    default

ldap: domain2
    user_attr uid
    base_dn dc=domain2,dc=com
    server1 12.34.56.78

What’s wrong with domain1? The user is correct but the credentials aren’t.
 
When you log in, what can you see in the log? What errors are displayed? In the web interface, on the Syslog tab, and on the command line with
Code:
journalctl -f
 
I always see the same error:
Code:
authentication failure; rhost=23.45.78.90 user=user@domain1 msg=Invalid credentials
 
Then the error looks like it is on the LDAP server... When you log in normally with SSH or X... with LDAP auth on another host, does this work? Does server1 work only with an IP?
 
Thank you. I have to speak with our LDAP guy. Hope he can help me.
 

Hi,
I have a similar problem:
Bash:
authentication failure; rhost=23.45.78.90 user=user@domain1 msg=no entries returned

I can ldapsearch our user account on the PVE host, but I have no idea how to fill in a suitable "base_dn" based on the explanation in the wiki.
Code:
# user1 of People at our LDAP
dn: CN=[User Name],OU=[Department Name in traditional Chinese],OU=User,OU=C156,DC=[Company],DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
...
objectGUI:: di4ijo13n1wi3==
sAMAccountName: ABC12345

Code:
# /etc/pve/domains.cfg
ldap: realm-name
    base_dn OU=User,OU=C156,DC=[Company],DC=com
    server1 [LDAP Server IP]
    user_attr sAMAccountName
    port 389
    bind_dn [Authenticate User]

PS. The password of bind_dn has been stored in /etc/pve/priv/ldap/realm-name.pw
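
One way to reproduce a realm's lookup by hand for the two configurations posted above (an added example, not code from the posters or from the Proxmox project). It assumes the realm first searches for `user_attr=<login>` under `base_dn` and then binds as the DN it found; the server address, company name and bind DN in the sample are constructed placeholders.

```python
import shlex

# Constructed sample modelled on the realm stanzas quoted in this thread.
SAMPLE_CFG = """\
pam: pam
    comment Linux PAM standard authentication

ldap: domain1
    user_attr uid
    base_dn dc=unit,dc=domain1,dc=com
    server1 ldap.domain1.com
    default

ldap: realm-name
    base_dn OU=User,OU=C156,DC=example,DC=com
    server1 192.0.2.10
    user_attr sAMAccountName
    port 389
    bind_dn CN=svc-pve,OU=User,OU=C156,DC=example,DC=com
"""

def parse_realms(text):
    """Parse domains.cfg-style text into {realm: {"type": ..., key: value}}."""
    realms, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():              # section header "type: realm"
            rtype, _, name = line.partition(":")
            current = realms.setdefault(name.strip(), {"type": rtype.strip()})
        elif current is not None:              # indented "key value" (value optional)
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
    return realms

def debug_commands(cfg, login):
    """Return (search, verify) ldapsearch commands for the assumed search-then-bind flow."""
    # Escape LDAP filter metacharacters so the login is matched literally.
    esc = "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in login)
    base = ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{cfg['server1']}:{cfg.get('port', '389')}"]
    # Step 1: find the entry; binds as bind_dn (-W prompts) if set, else anonymously.
    bind = ["-D", cfg["bind_dn"], "-W"] if "bind_dn" in cfg else []
    search = base + bind + ["-b", cfg["base_dn"], "-s", "sub", f"({cfg['user_attr']}={esc})", "dn"]
    # Step 2: bind as the DN printed by step 1, using the user's own password.
    verify = base + ["-D", "<DN from step 1>", "-W", "-b", "<DN from step 1>", "-s", "base", "dn"]
    return shlex.join(search), shlex.join(verify)

if __name__ == "__main__":
    for name, cfg in parse_realms(SAMPLE_CFG).items():
        if cfg["type"] == "ldap":
            print(name, *debug_commands(cfg, "ABC12345"), sep="\n  ")
```

If step 1 prints no `dn:` line, the search under that `base_dn` with that attribute matched nothing; if step 1 finds the entry but step 2 is refused, the directory rejected the bind for that DN and password.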
 