LDAP: automatically add LDAP users to their LDAP groups

datdenkikniet, Member, Mar 28, 2020
Hi,

I'm trying to set up LDAP authentication and group+user syncing on my homelab proxmox VE server. The users and groups are imported just fine, but I cannot seem to get the sync tool to automatically add my users to the LDAP groups that are also imported. After scouring the wiki and googling around, it seems likely that this is impossible with PVE without modifications (but I haven't been able to find anyone saying so definitively), or that I am missing some kind of configuration.

I've attached my user.cfg, domains.cfg below, and a screenshot of my current LDAP layout.

Could anyone point me in the right direction, or confirm that this, indeed, is not possible?

Jona

user.cfg:
Code:
user:ou-ser@LDAP-local:1:0::::::
user:standalone-user@LDAP-local:1:0::::::
user:root@pam:1:0::::::

group:testgroup-LDAP-local:::
group:testou-LDAP-local:::

domains.cfg:
Code:
pve: pve
        comment Proxmox VE authentication server

pam: pam
        comment Linux PAM standard authentication

ldap: LDAP-local
        base_dn DC=ldap-server,DC=internal
        server1 ldap-server.internal
        user_attr uid
        default 0
        group_classes organizationalUnit, posixGroup
        secure 0
        sync-defaults-options full=1,purge=1,scope=both
 

Attachments: Screenshot_20200930_141025.png (13 KB)
Hello,

I've now added the user to the LDAP group by their full DN, but nothing seems to have changed. The user is still not part of the automatically created specialtest-LDAP-local group. Any pointers?

Regards,

Jona
 

Attachments: Screenshot_20200930_171445.png (25.7 KB), Screenshot_20200930_171520.png (5.3 KB)
Okay, after some digging through the source code (...), I think I've figured it out:

The solution proposed by @t.lamprecht does indeed work, but the group object that you create must have an attribute with the name member (for a list) or uniqueMember (for only one specific user), if I'm getting it right.

Since my current LDAP solution does not allow me to add an attribute with that name (but does allow me to do so with the memberUid attribute), I've had to change PVE/LDAP.pm (located at /usr/share/perl5/PVE/LDAP.pm for me) a little. I've attached my patch file for good measure; it breaks the member and uniqueMember attributes, but replaces them with the memberUid attribute, which supports no, one, or more users. It seems to be working now with the posixGroup object class.

Perhaps a "user list attribute" of sorts can be worked into the web UI? (I would contribute, but RN I still have a very hard time understanding the web UI framework that is used by Proxmox, and my perl skills are abysmal)

Code:
204c204
<     my $attrs = [ 'member', 'uniqueMember' ];
---
>     my $attrs = [ 'memberUid', 'member', 'uniqueMember' ];
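Review bot: adding 'memberUid' to $attrs is fine on its own, but combined with the later hunk (233,236c233), which stops reading 'member' and 'uniqueMember', those two attributes are still requested from the server and then never used. Either keep the member/uniqueMember reads in the later hunk so all three entries of $attrs are consumed, or trim $attrs to what the code actually reads.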
227c227
<
---
>  
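Review bot: 227c227 is a whitespace-only change (an empty line replaced by a line containing two spaces) and should be dropped from the patch; it introduces trailing whitespace and only makes the diff noisier to review.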
233,236c233
<           my $members = [$entry->get_value('member')];
<           if (!scalar(@$members)) {
<               $members = [$entry->get_value('uniqueMember')];
<           }
---
>           my $members = [$entry->get_value('memberUid')];
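Review bot: replacing the 'member' read and its 'uniqueMember' fallback with a single get_value('memberUid') breaks every groupOfNames/groupOfUniqueNames group, as the post itself says. Keep the existing two-step lookup and add memberUid as a third fallback that only fires when $members is still empty, e.g.
    if (!scalar(@$members)) {
        $members = [$entry->get_value('memberUid')];
    }
Also note that memberUid values are bare uids rather than DNs, so the code that later matches $members against synced users has to be able to resolve a uid through user_attr for this to work; the reply further down points out that posixGroup members without a full DN normally do not match.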
 
Okay, after some digging through the source code (...), I think I've figured it out:

Isn't it nice that one can even do that? Open Source really rules and empowers :)

The solution proposed by @t.lamprecht does indeed work, but the group object that you create must have an attribute with the name member (for a list) or uniqueMember (for only one specific user), if I'm getting it right.

Yes, because those are the two attributes used for most groups that make sense with a full DN. IIRC, I had some discussion with @dcsapak a while ago about the attribute for posixGroup members, but AFAICR we came to the fact that the way posixGroups are defined (without full DN) normally does not work anyway - don't take my exact word for that though, as said it was quite a bit ago..

You could try using a "groupOfNames" (gon) objectClass instead of a posixGroup, there you'd get the "member" attribute for each member.

Perhaps a "user list attribute" of sorts can be worked into the web UI?

I would be open to that in general, we could also add "memberUid" to the $attrs list, but as said not sure if posixGroups and full DN make sense, need to rethink/discuss that.

(I would contribute, but RN I still have a very hard time understanding the web UI framework that is used by Proxmox, and my perl skills are abysmal)

kudos to being able to still hack it "right" for yourself!
 
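To make the attribute difference discussed in this reply concrete, here is a small Python script added for this page (it is example code, not Proxmox's LDAP.pm; the LDIF entries, the GROUP_CLASSES set, the REALM constant and all function names are constructed for the example). It parses a few LDIF entries and resolves group membership two ways: the stock order (member, then uniqueMember, both holding full DNs that match a user's DN directly) and an optional memberUid lookup that has to go through the realm's user_attr, because memberUid holds bare uids. With the optional lookup off, the posixGroup comes out empty, which is exactly the symptom the thread starts with; with it on, the uids are resolved and any uid that does not correspond to a synced user is reported as unresolved rather than silently dropped.

```python
import re
from collections import defaultdict

# Constructed sample directory, modelled on the realm in this thread
# (base_dn DC=ldap-server,DC=internal, user_attr uid). Not real data.
SAMPLE_LDIF = """\
dn: uid=ou-ser,ou=people,dc=ldap-server,dc=internal
objectClass: inetOrgPerson
uid: ou-ser

dn: uid=standalone-user,ou=people,dc=ldap-server,dc=internal
objectClass: inetOrgPerson
uid: standalone-user

dn: cn=testgroup,ou=groups,dc=ldap-server,dc=internal
objectClass: groupOfNames
cn: testgroup
member: uid=ou-ser,ou=people,dc=ldap-server,dc=internal

dn: cn=specialtest,ou=groups,dc=ldap-server,dc=internal
objectClass: posixGroup
cn: specialtest
gidNumber: 10001
memberUid: ou-ser
memberUid: standalone-user
memberUid: nobody-here
"""

# Object classes treated as groups (the thread's group_classes plus groupOfNames).
GROUP_CLASSES = {"organizationalunit", "posixgroup", "groupofnames"}
REALM = "LDAP-local"  # synced groups appear as "<cn>-<realm>" in user.cfg


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    multi-valued attributes kept in order. No base64 or continuation lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name].append(value)
        entries.append({"dn": dn, "attrs": dict(attrs)})
    return entries


def norm_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_group(entry):
    classes = entry["attrs"].get("objectClass", [])
    return any(c.lower() in GROUP_CLASSES for c in classes)


def dn_members(group):
    """Stock lookup order from the thread: 'member', then 'uniqueMember'."""
    for attr in ("member", "uniqueMember"):
        if group["attrs"].get(attr):
            return group["attrs"][attr]
    return []


def sync_groups(entries, user_attr="uid", use_member_uid=False):
    """Return ({group_name: [matched user DNs]}, {group_name: [unresolved]}).
    DN-valued members match a user's DN directly; memberUid values are bare
    uids and only match when looked up through user_attr (use_member_uid)."""
    users = [e for e in entries if not is_group(e) and e["attrs"].get(user_attr)]
    by_dn = {norm_dn(u["dn"]): u["dn"] for u in users}
    by_uid = {v.lower(): u["dn"] for u in users for v in u["attrs"][user_attr]}

    members, unresolved = {}, {}
    for group in (e for e in entries if is_group(e)):
        cn = (group["attrs"].get("cn") or group["attrs"].get("ou") or ["unnamed"])[0]
        name = f"{cn}-{REALM}"
        hit, miss = [], []
        for dn in dn_members(group):
            user_dn = by_dn.get(norm_dn(dn))
            (hit if user_dn else miss).append(user_dn or dn)
        if use_member_uid:
            for uid in group["attrs"].get("memberUid", []):
                user_dn = by_uid.get(uid.lower())
                (hit if user_dn else miss).append(user_dn or uid)
        members[name] = sorted(set(hit))
        unresolved[name] = miss
    return members, unresolved


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for mode in (False, True):
        found, missing = sync_groups(entries, use_member_uid=mode)
        print(f"memberUid lookup {'on' if mode else 'off'}:")
        for name in found:
            print(f"  {name}: {found[name]} unresolved={missing[name]}")
```

Run it as-is to see both modes side by side. The unresolved list is the part worth keeping in any real sync: a uid or DN listed in a group that does not correspond to a synced user is a sign of either a stale group entry or a user outside the sync scope, and dropping it silently hides that.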
Isn't it nice that one can even do that? Open Source really rules and empowers :)
Yes, open source (and Proxmox VE) is incredible! Tinkering with Proxmox has taught me so many new things :D

You could try using a "groupOfNames" (gon) objectClass instead of a posixGroup, there you'd get the "member" attribute for each member.
Aaah, I see, I was just using the wrong group object, that explains a lot, lol.

Yes, because those are the two attributes used for most groups that make sense with a full DN. IIRC, I had some discussion with @dcsapak a while ago about the attribute for posixGroup members, but AFAICR we came to the fact that the way posixGroups are defined (without full DN) normally does not work anyway - don't take my exact word for that though, as said it was quite a bit ago..
Okay, that makes a lot of sense.

You could try using a "groupOfNames" (gon) objectClass instead of a posixGroup, there you'd get the "member" attribute for each member.

I would be open for that in general, we also could pick up "memberUid" to the $attrs list, but as said not sure if posixGroups and full DN make sense, need to rethink/discuss that.
I understand. I have almost no experience with LDAP, which is probably why I couldn't really figure it out the "LDAP way". Maybe making any changes isn't actually necessary, but perhaps some kind of documentation that mentions the member and uniqueMember attributes, and/or the groupOfNames object, would help to ensure that users who are only just getting started with LDAP (like me) have an indication of which one to use.

Thank you for the response!
 
