LDAP authentication with non-anonymous bind

hrhansen

New Member
Jul 15, 2013
1
1
1
Odense, Denmark, Denmark
Hi Proxmoxers.

I have a small feature request: Our LDAP server requires authentication to do _anything_. Adding support for this to PVE/Auth/LDAP.pm is just a few lines of code (see patch), but I couldn't find where to add this to the web GUI. Where would I do that? And what is the procedure to submit patches?

Thanks
 

Attachments

  • ldap-bind.diff.txt
    1.4 KB · Views: 250
  • Like
Reactions: naisanza
Did anything ever happen with this patch? Was this ever added to ProxmoxVE?
I'd really like to see this as well.
 
Just noticed this still isn't in Proxmox v3.4.
Any reason why this hasn't been added?

Running an LDAP server with anonymous binds is a security issue in my book.
 
I applied the patch to the file /usr/share/perl5/PVE/Auth/LDAP.pm then restart pveproxy but the authentification is not working.

The bind_dn and the bind_pw have been added in /etc/pve/domains.cfg. I added the user in Proxmox with a administrator role. Anything else missing ?

I receive a Login failed message when I try. I turned on debugging on my LDAP server but I don't see the request from the PVE server.

A simple ldapsearch is working from the same server so I think the authentification is not working at all.

Anybody can help ?

Thanks
 
Hi!

I could use it too. Any news on submitting this to git?

What services do I need to restart if I apply this patch manually? I restarted only pveproxy, but this did not help.
I edited /etc/pve/domains.cfg file, added bind_dn and bind_pw.
 
If you are able to manually patch it for your system your probably familiar with basic development skills.

As you have ways to test and verify it (contrary to me atm.), it would be nice if you could sent it to out developer list, so it get's it way to the git repos.

look at http://pve.proxmox.com/wiki/Developer_Documentation for help.

btw. the code is in the pve-access-control package.

restart pve-cluster and pve manager if possible.
 
Last edited:
Hi!

I can confirm that the bind patch is working.

But getting authentication from LDAP requires node reboot. I tried restarting three services, but it did not help.

Code:
service pve-cluster restart && service pve-manager restart && service pveproxy restart

After a reboot, Proxmox binded LDAP authentication is working properly.

So, what service holds LDAP.pm file in memory? Can I restart it without restarting all KVMs and nodes one by one?
 
Pvedaemon restart helps to re-read LDAP.pm file

Code:
service pvedaemon restart

And it does not affect VMs.
 
Is there any chance this goes upstream?

Anonymous LDAP really isn't a good idea from a security perspective.
 
The attached patch file ldap-bind.diff.txt contains an error!
On line 21 a comma (,) is missing after the }
 
Available with pve-saccess-control>=4.0-19, `bind_dn`, with the password read from `/etc/pve/priv/ldap/<realm>.pw`
 
Thanks! Will try it out in a couple of months, when upgrading to Proxmox 4.0!
 
Available with pve-saccess-control>=4.0-19, `bind_dn`, with the password read from `/etc/pve/priv/ldap/<realm>.pw`
Hi,
are there any examples or docu about that?

I tried to use ldap with authentication but without luck. I guess I make an mistake anywhere?
Code:
pveversion -v | grep access
libpve-access-control: 4.0-19

grep ldap: /etc/pve/domains.cfg
ldap: Pve-Ldap

ls -lsa /etc/pve/priv/ldap/*.pw
1 -rw------- 1 root www-data 10 Sep 30 11:54 /etc/pve/priv/ldap/Pve-Ldap.pw

grep bind /etc/pve/datacenter.cfg
bind_dn: "cn=binduser,ou=system,o=company"

syslog:
Sep 30 12:12:29 pve02 pvedaemon[3313]: authentication failure; rhost=192.168.2.66 user=udo@Pve-Ldap msg=no entries returned
such ldapsearch with the cleartext-pw, like in /etc/pve/priv/ldap/Pve-Ldap.pw work:
Code:
ldapsearch -h 192.168.2.66 -b ou=section,ou=people,o=company -D 'cn=binduser,ou=system,o=company' -W
any hints?

Udo
 
Doc examples are on my todo list (as well as the GUI side of this). bind_dn is a property of the realm/domain, so it should be in /etc/pve/domans.cfg, not datacenter.cfg.
Code:
# /etc/pve/domains.cfg
ldap: test-ldap
        server1 fc00:c::2100
        base_dn ou=People,dc=testldap,dc=foo
        bind_dn uid=pve-server,ou=People,dc=testldap,dc=foo
        user_attr uid
 
Doc examples are on my todo list (as well as the GUI side of this). bind_dn is a property of the realm/domain, so it should be in /etc/pve/domans.cfg, not datacenter.cfg.
Code:
# /etc/pve/domains.cfg
ldap: test-ldap
        server1 fc00:c::2100
        base_dn ou=People,dc=testldap,dc=foo
        bind_dn uid=pve-server,ou=People,dc=testldap,dc=foo
        user_attr uid
Hi,
THANKS!

is running...

Udo
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!