PBS and LDAP Auth issue

[Krupskij]

Trying to evaluate PBS i encountered a strange issue with LDAP.
Realm is set, sync successful, users retrieved and created.
But when one of LDAP users trying to authenticate with his LDAP credentials, it got "Authentication failed" message.
In /var/log/proxmox-backup/api/auth.log we see

2024-03-11T17:58:14+03:00: authentication failure; rhost=[::ffff:1.2.3.4]:65509 user=username@domain.local msg=found multiple users with attribute `uid=username`

Am i missing something in LDAP configuration?
Can you point me in right direction?

 

[sterzy]

Hi,

how did you configure the realm? Can you show us the content of /etc/proxmox-backup/domains.cfg?

 

[Krupskij]

/etc/proxmox-backup/domains.cfg

ldap: domain.local
        base-dn dc=domain,dc=local
        bind-dn uid=proxmox_backup_ldap,cn=users,cn=accounts,dc=domain,dc=local
        filter (memberof=cn=proxmox_backup_admins,cn=groups,cn=accounts,dc=domain,dc=local)
        mode ldap
        server1 freeipa1.domain.local
        server2 freeipa2.domain.local
        user-attr uid

 

[Krupskij]

Tcpdump'ed ldap traffic and found that server responds with two searchRes Entry:
one - uid=username,cn=users,cn=compat,dc=domain,dc=local
and two - uid=username,cn=users,cn=accounts,dc=domain,dc=local
Should i refine base-dn or filter?

 

[Krupskij]

Digged more deep and found that Proxmox Backup server behavior with two searchResEntry differs from Proxmox VE.

Proxmox VE accepts LDAP login with with two searchResEntry results, then make bind with
uid=username,cn=users,cn=compat,dc=domain,dc=local

Proxmox Backup Server showing different behavior - reports "Authentication failed", and not try to
make bind with uid=username,cn=users,cn=compat,dc=domain,dc=local

 

[Krupskij]

Hi,

how did you configure the realm? Can you show us the content of /etc/proxmox-backup/domains.cfg?

I've posted my config and some things found during investigation. Can you share some ideas what to do further?