LDAP user sync

Axel Bock

New Member
Jan 4, 2018
Hi forum, AFAIK I need to create all LDAP users manually in Proxmox as well. That is - in my eyes - a bit weird, because LDAP should be the central point of user management. If I have to manually mirror the users I really don't get the point of the whole thing (actually, I find it kind of counter-productive, to say the least).

Nonetheless we now configured it, but it is annoying as hell, and so I have one question:

So is there any way to have an auto-sync of the users from LDAP to Proxmox? Or - is something planned in that regard?

Thanks in advance :) ,
Axel.
 
Thanks for the facts :) . I will escalate the issue I guess.

And your tip with Foreman ... we have Foreman, but we want to migrate it to run *in* Proxmox on a VM - so I might have a chicken-and-egg problem here :D .

Nonetheless - that's an interesting proposition since we actually use it already. How do you do this exactly? I'd be really interested.
 
Nonetheless - that's an interesting proposition since we actually use it already. How do you do this exactly? I'd be really interested.
In a very simple way. At all our customers there are the same users from our office as service operators. So we have this one user.cfg saved on Foreman. On changes (new employee...), we do this only in the file on Foreman; the checksum changes, and the file we changed goes to all PVE group members. I know it is a workaround. Better would be if you could manage everything from LDAP ;(
 
I wrote a small script I can share that might help.
You can run this script from crontab on the server.

It uses ldapsearch, so first you need to install that on your Proxmox machine:
apt-get install ldap-utils

Here is the script:
---------------------------------- ad2proxmox-------------------------
#!/bin/bash
# script that adds AD users from a specific group into proxmox based on mailaddress

# change config here
# User that has read access to AD to read all accounts
LDAPBINDUSER='CN=ldapuser,CN=Managed Service Accounts,DC=example,DC=com'
# DN where the base of the search is
LDAPBINDDN="CN=Users,DC=example,DC=com"
# the URL of the server and port to connect to (3268 is the AD Global Catalog port)
LDAPURL="ldap://dc.example.com:3268"
# filter to select the accounts we want to add; we use members of the Staff group
# (one single-quoted string; the original mixed quote styles and only worked by accident)
LDAPFILTER='(&(objectClass=organizationalPerson)(memberOf=cn=Staff,cn=Users,dc=example,dc=com)(!(mail=Administrator@example.com)))'
# where ldapsearch is; default for Proxmox machines
LDAPEXEC="/usr/bin/ldapsearch"
# the password for the LDAPBINDUSER
# (passing it with -w shows it in the process list; a root-only file with -y avoids that)
LDAPPASSWD='!!4rf/&hhfhdHKL!!'
# where the pveum command to add users is; default for proxmox
PVEUMEXE="/usr/sbin/pveum"
# what group you want your LDAP users to be part of in proxmox. I use a group that has Audit rights.
PVEGROUP="users"

# temp file in a safe location instead of ./tmp1, removed on exit
TMPFILE=$(mktemp)
trap 'rm -f "$TMPFILE"' EXIT

# -x: simple bind (without it ldapsearch tries a SASL bind and fails with -D/-w)
# -LLL: plain LDIF without comments and version line, so only the "mail: ..." lines are left
"$LDAPEXEC" -x -LLL -w "$LDAPPASSWD" -H "$LDAPURL" -D "$LDAPBINDUSER" -b "$LDAPBINDDN" -s sub "$LDAPFILTER" mail > "$TMPFILE"

while IFS= read -r ii
do
    if [[ $ii == "mail: "* ]]; then
        # strip the "mail: " prefix; the mail address becomes the Proxmox userid,
        # so the PVE realm has to be named after the mail domain
        usermail=${ii#mail: }

        echo "$usermail"

        # pveum fails if the user already exists (e.g. on the second cron run); report and continue
        "$PVEUMEXE" user add "$usermail" --groups "$PVEGROUP" || echo "could not add $usermail (already exists?)" >&2
    fi
done < "$TMPFILE"

-----------------------------------------------------------------------------------------

Enjoy!
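The script above only ever adds users, so a second cron run trips over existing accounts and people who leave the Staff group stay in Proxmox forever. Here is an added example (my own code, not the poster's script or anything shipped with Proxmox) that separates the sync into three steps: parse the LDIF (including folded continuation lines), read the current Proxmox users for the realm, and compute a plan of users to add and users that have gone stale. It assumes the PVE realm is named after the mail domain (so the userid equals the mail address) and that `pveum user list --output-format json` returns objects with a `userid` field; the LDIF and JSON inputs below are constructed samples standing in for the real ldapsearch and pveum output.

```shell
#!/bin/sh
# Added example: plan an LDAP -> Proxmox user sync from ldapsearch LDIF output.
# Assumptions: the PVE realm is named after the mail domain, and
# "pveum user list --output-format json" is available (only called in apply_plan).
set -eu
export LC_ALL=C        # deterministic sort/comm ordering

REALM="example.com"    # PVE realm; must match the users' mail domain (assumption)
PVEGROUP="users"

# Unfold LDIF continuation lines (leading space) and print lowercase mail values, sorted unique.
# Base64-encoded values ("mail::") are skipped on purpose; they would need decoding first.
ldif_mails() {
    awk '
        function flush() { if (buf ~ /^mail: /) print tolower(substr(buf, 7)); buf = "" }
        /^ /  { buf = buf substr($0, 2); next }
              { flush(); buf = $0 }
        END   { flush() }
    ' | sort -u
}

# Extract the userids of our realm from "pveum user list --output-format json" output.
pve_realm_userids() {
    tr -d '\n' | grep -o '"userid" *: *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/' \
        | grep "@${REALM}\$" | sort -u
}

# Given desired mails (file 1) and current userids (file 2), print "add <id>" / "stale <id>" lines.
plan_sync() {
    comm -23 "$1" "$2" | sed 's/^/add /'
    comm -13 "$1" "$2" | sed 's/^/stale /'
}

# Apply a plan: create missing users in $PVEGROUP, only report stale ones (never auto-delete).
apply_plan() {
    while read -r action userid; do
        case "$action" in
            add)   pveum user add "$userid" --groups "$PVEGROUP" ;;
            stale) echo "WARN: $userid exists in PVE but is no longer in the LDAP group" >&2 ;;
        esac
    done
}

# Constructed sample data standing in for the real ldapsearch / pveum output.
SAMPLE_LDIF='dn: CN=Alice,CN=Users,DC=example,DC=com
mail: Alice@example.com

dn: CN=Bob,CN=Users,DC=example,DC=com
mail: bob@exampl
 e.com
'
SAMPLE_PVE_JSON='[{"userid":"root@pam","enable":1},{"userid":"alice@example.com","enable":1},{"userid":"carol@example.com","enable":1}]'

# Plan for the constructed sample as one ";"-separated line (used by the demo and the checks).
sample_plan() {
    d=$(mktemp); c=$(mktemp)
    printf '%s' "$SAMPLE_LDIF" | ldif_mails > "$d"
    printf '%s' "$SAMPLE_PVE_JSON" | pve_realm_userids > "$c"
    plan_sync "$d" "$c" | tr '\n' ';'
    rm -f "$d" "$c"
}

if [ "${1:-}" = "--demo" ]; then
    sample_plan; echo
fi
```

In production the two `printf` lines in `sample_plan` would be replaced by the real `ldapsearch -x -LLL ... mail` and `pveum user list --output-format json` calls, and the plan piped into `apply_plan`; keeping stale users as a warning rather than a deletion means a misconfigured filter or an unreachable domain controller cannot wipe your Proxmox accounts.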