OpenLDAP configuration on Proxmox 4.4

Jan 12, 2015
Does LDAP authentication currently work under Proxmox 4.4? Under Datacenter > Permissions > Authentication > Add > LDAP Server I've added a realm (myrealm I guess? Is this an OpenLDAP thing?), a Base Domain Name (which I think is the same as a DN, ou=sales,dc=my,dc=domain), and a server IP of 10.10.10.25 on port 389 (for debugging). I've left the SSL, default and TFA options un-ticked.

When I try to login to the Proxmox server (IP 10.10.10.10) with an LDAP account (with realm myrealm selected in login window) I get "Login failed. Please try again"

On my LDAP server (10.10.10.25), I never even see (tcpdump -nn -s0 -A src 10.10.10.10 or dst 10.10.10.10) a connection come in from my Proxmox system. If I telnet from the Proxmox server to 10.10.10.25 on port 389, I can see tcpdump logging the connection so I know it's not a firewall problem.

I don't see any specific LDAP support packages mentioned under http://pve.proxmox.com/wiki/User_Management so I'm wondering what the specific problem is here. Thanks.
 
Ok that works. I didn't realize I needed to create the user first. That also answers my second question: how to allow Proxmox access to only certain users in LDAP. That problem is also solved doing it this way.
 
I have no real answer for TLS yet, but I created a local replica from a TLS master and used it. IIRC, there was a patch last year or the year before that added TLS (I implemented my solution before that). Maybe there are some instructions in the git log.
 
I'm using SSL on port 636. TLS is nice but I've seen handshakes fail and the session will continue in clear text if you don't take special precautions on the server (OpenLDAP anyway). At least on 636, if the handshake fails, the entire session fails. You won't leak credentials accidentally. At any rate, self-signed cert or "real" cert, the client needs to know about the CA signing the cert it's going to receive from the server upon connect. On Devuan Linux (and probably other Linux), you need to add your CA cert to /etc/ssl/certs and then create a symlink of the cert hash. I think the command `update-ca-certificates` will create hashes for all the certs in /etc/ssl/certs but I'm not certain. I did it differently in my notes for setting up master/slave:

:: Adding a Certificate Authority to openldap client (such as for Incommon SSL cert)
$ scp incommon_intermediate_bundle.crt root@ldapslave:/etc/ssl/certs/

$ ssh root@ldapslave

# cd /etc/ssl/certs

# openssl s_client -host ldapmaster.host.com -port 636 -showcerts -CApath /etc/ssl/certs/ 2>/dev/null | egrep 'Verify return code:'
Verify return code: 21 (unable to verify the first certificate)

# openssl x509 -noout -hash -in incommon_intermediate_bundle.crt
(returns b4261fc2)

# ln -s incommon_intermediate_bundle.crt b4261fc2.0

# openssl s_client -host ldapmaster.host.com -port 636 -showcerts -CApath /etc/ssl/certs/ 2>/dev/null | egrep 'Verify return code:'
Verify return code: 0 (ok)

# also, after adding and hashing certs, ldapsearch -x -ZZ still failed.
# this finally worked in /etc/ldap.conf
...
tls_reqcert allow
TLS_CACERTDIR /etc/ssl/certs
...
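The fragment above ends with `tls_reqcert allow`, which is the setting that makes the failure go away by accepting a server certificate that cannot be verified (per ldap.conf(5) the values are never, allow, try and demand, and demand is the default). As an added example, not part of jimmyjoe's notes or of Proxmox, here is a small linter that parses an ldap.conf-style file and reports the TLS settings a reviewer would want to see before the config goes into production. The sample configuration is constructed from the fragment above, and the URI line is an assumption added for illustration.

```python
"""Lint an OpenLDAP client configuration (ldap.conf style) for TLS settings
that weaken or skip server-certificate verification.

Added example; the sample below is constructed, not copied from any host.
"""
from typing import Dict, List

# Constructed sample: the two lines that "finally worked" above, plus an
# assumed BASE/URI pair for context. Not copied from a real system.
SAMPLE_CONF = """\
# /etc/ldap/ldap.conf (constructed sample)
BASE   ou=sales,dc=my,dc=domain
URI    ldap://10.10.10.25:389
tls_reqcert allow
TLS_CACERTDIR /etc/ssl/certs
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return {keyword_lowercase: value}; a later line overrides an earlier one.

    ldap.conf keywords are case-insensitive (tls_reqcert == TLS_REQCERT),
    comments start with '#', and the value is everything after the keyword.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def lint_tls(settings: Dict[str, str]) -> List[str]:
    """Return one finding per weak TLS setting; an empty list means clean."""
    findings: List[str] = []

    # TLS_REQCERT (ldap.conf(5)): never/allow accept a bad or missing server
    # cert, try accepts a missing one, demand (the default) aborts the session.
    reqcert = settings.get("tls_reqcert", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(
            f"TLS_REQCERT {reqcert}: server certificate is not verified, so a "
            "forged certificate is accepted. Use 'demand' (the default)."
        )
    elif reqcert == "try":
        findings.append(
            "TLS_REQCERT try: a bad certificate is rejected, but a server that "
            "presents none is accepted. Use 'demand'."
        )

    # Without a trust anchor, 'demand' has nothing to verify against; this is
    # the situation the hash-symlink steps above fix.
    if "tls_cacert" not in settings and "tls_cacertdir" not in settings:
        findings.append(
            "No TLS_CACERT or TLS_CACERTDIR: no trust anchor is configured for "
            "verifying the server certificate."
        )

    # ldap:// on 389 only gets TLS if StartTLS is enforced by the client
    # (ldapsearch -ZZ fails the session if StartTLS fails; -Z does not).
    for uri in settings.get("uri", "").split():
        if uri.lower().startswith("ldap://"):
            findings.append(
                f"URI {uri}: plain LDAP; bind credentials travel in clear text "
                "unless StartTLS is enforced (-ZZ). Prefer ldaps:// on 636 so a "
                "failed handshake fails the whole session."
            )
    return findings


def lint_text(text: str) -> List[str]:
    """Convenience wrapper: parse and lint in one call."""
    return lint_tls(parse_ldap_conf(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONF) or ["no TLS findings"]:
        print(finding)
```

Run it against the real file with `python3 lint_ldap_conf.py < /etc/ldap/ldap.conf` after swapping `SAMPLE_CONF` for `sys.stdin.read()`; the only change needed to make the sample clean is `tls_reqcert demand` together with an `ldaps://` URI, which is what the reply below reports working.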
 
@jimmyjoe
Thank you for your work. I've tested it here; auth over LDAP also works here with "tls_reqcert demand". So the cert is trusted, but not in the web interface. Looks like a bug. I will file a bug report.
 
Hi,

I want to ask you about LDAP and Active Directory on Proxmox. I have a virtual machine (Windows Server 2008 R2) on Proxmox and there are users on the virtual machine. Each user connects to the virtual machine with RDP. I want these users to connect to the virtual machine by authorizing each user with LDAP. Can I do this? Can I define each user by using Active Directory on Proxmox? Please, help me.
 
Hi,

I want to ask you about LDAP and Active Directory on Proxmox. I have a virtual machine (Windows Server 2008 R2) on Proxmox and there are users on the virtual machine. Each user connects to the virtual machine with RDP. I want these users to connect to the virtual machine by authorizing each user with LDAP. Can I do this? Can I define each user by using Active Directory on Proxmox? Please, help me.
Yes, but not with RDP. You can give access to the Proxmox web interface: https://pve.proxmox.com/wiki/User_Management This also works with ADS.
 