PDM 1.0.1 unable to add AD realm with anonymous search

czechsys

Nov 18, 2015
Hi,

Trying to add an AD realm with anonymous search (without a bind user):

Code:
api error (status = 400: Could not search LDAP realm, base_dn could be incorrect: LDAP operation result: rc=1 (operationsError), dn: "", text: "00002020: Operation unavailable without authentication": rc=1 (operationsError), dn: "", text: "00002020: Operation unavailable without authentication")

The same setup works for PVE 9.1.1 (without bind user):
Code:
ad: SUB.EXAMPLE.ORG
        comment AD authentication
        domain sub.example.org
        server1 FQDN1
        base_dn DC=sub,DC=example,DC=org
        case-sensitive 1
        default 1
        mode ldaps
        server2 FQDN2

The visible difference is the missing field "domain" (aka base_dn) in the PDM GUI.
 
Interesting that the error here is about missing authentication. Are you sure that both address the same AD realm from the same network?
 
The PDM (and PBS) implementations of our AD realm support try to guess the base-dn parameter from the default naming context that your AD realm uses. If this doesn't match the actual base-dn you want to use, this won't work. For now, you should be able to add the realm manually by adding the following to the file /etc/proxmox-datacenter-manager/access/domains.cfg:

Code:
ad: SUB.EXAMPLE.ORG
    base-dn DC=sub,DC=example,DC=org
    mode ldaps
    server1 FQDN1
    server2 FQDN2
    comment AD authentication

Note that there is no support for case insensitivity for AD/LDAP realms in PDM/PBS yet.
 
Adding domains.cfg with "base-dn" works. But with "base_dn" it doesn't:
Code:
api error (status = 400: parsing "/etc/proxmox-datacenter-manager/access/domains.cfg" failed: line 2 - unknown property 'base_dn')

The returned error in the first post uses "base_dn".

Next, in the "Sync options", when trying to change anything, the "Update" button generates the same error with "base_dn":

Code:
api error (status = 400: Could not search LDAP realm, base_dn could be incorrect: LDAP operation result: rc=1 (operationsError), dn: "", text: "00002020: Operation unavailable without authentication": rc=1 (operationsError), dn: "", text: "00002020: Operation unavailable without authentication")

Maybe a "base-dn" and "base_dn" mistake in the code?

Adding the AD realm with sub.example.org generates the same error as in the first post, so case insensitivity doesn't matter there now.


Plus, when adding a user with the AD realm, it requires a password in the input fields.
 
The returned error in the first post uses "base_dn".
Yes, due to naming conventions base_dn is used in our Rust code base, but the configuration expects base-dn. I understand this is confusing, though. In the configuration you should use base-dn.

Next, in the "Sync options", when trying to change anything, the "Update" button generates the same error with "base_dn":
Yes, every time you try to update something, PDM will try to use the new configuration to query the AD realm. If that doesn't work out, it refuses to update the configuration. This is intended to act as validation for the provided configuration.

Adding the AD realm with sub.example.org generates the same error as in the first post, so case insensitivity doesn't matter there now.
Alright, thanks for testing that. Though the capitalization will also matter once we get this to work.

Neither PBS nor PDM allow you to set a base-dn in the UI at all. Instead, they try to ask the AD realm itself for its “default naming context”. If the base-dn isn't the default naming context, you will get the above error. I am currently working on a patch already that should improve the behaviour here. Can you test the following still, though: If you add the realm manually by adding it into the domains.cfg, as outlined above, and try to do a sync (ideally with “Preview only” enabled), what error do you get?
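A small offline check for the domains.cfg layout used in this thread, added here as an example and not PDM's own parser: it reads the section format ("ad: NAME" header, indented "key value" lines) and flags the base_dn/base-dn mix-up, a missing header line, and PVE-only keys that PDM rejects. The accepted key list is assumed from the properties that appear in this thread (base-dn, mode, server1, server2, comment, bind-dn); the real PDM schema is longer.

```python
import re

# Keys an "ad:" realm accepts in PDM, as far as this thread shows. Assumption:
# the real schema has more (e.g. the bind password key), these are just the
# names visible in the thread.
PDM_AD_KEYS = {"base-dn", "mode", "server1", "server2", "comment", "bind-dn"}


def parse_domains_cfg(text):
    """Parse the section-config layout of domains.cfg.

    Returns a list of (type, name, {key: value}). A header line looks like
    'ad: SUB.EXAMPLE.ORG'; every following indented line is 'key value'.
    A non-indented line that is not a valid header raises ValueError, which
    is what happens when the 'ad:' prefix is missing from the first line.
    """
    realms = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header
            m = re.match(r"^(\w+):\s*(\S+)$", line)
            if not m:
                raise ValueError(f"line {lineno}: expected 'type: NAME' header, got {line!r}")
            current = (m.group(1), m.group(2), {})
            realms.append(current)
            continue
        if current is None:
            raise ValueError(f"line {lineno}: property before any section header")
        key, _, value = line.strip().partition(" ")
        current[2][key] = value.strip()
    return realms


def check_ad_realm(text):
    """Return human-readable problems for every 'ad' realm in the config text."""
    problems = []
    for rtype, name, props in parse_domains_cfg(text):
        if rtype != "ad":
            continue
        for key in props:
            if key == "base_dn":
                problems.append(f"{name}: 'base_dn' is the Rust field name; the config expects 'base-dn'")
            elif key not in PDM_AD_KEYS:
                problems.append(f"{name}: unknown property '{key}'")
        if "base-dn" not in props and "base_dn" not in props:
            problems.append(f"{name}: no base-dn set, PDM will guess it from the AD default naming context")
        if "server1" not in props:
            problems.append(f"{name}: server1 is missing")
    return problems
```

Feeding it the PVE-style block from this thread reports the base_dn key plus the domain, case-sensitive and default properties that PDM does not know; the PDM block works cleanly only with its "ad:" header present.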
 
With the manual "base-dn" configuration and any change in the "Sync Options":

Code:
api error (status = 400: Could not search LDAP realm, base_dn could be incorrect: LDAP operation result: rc=1 (operationsError), dn: "", text: "00002020: Operation unavailable without authentication": rc=1 (operationsError), dn: "", text: "00002020: Operation unavailable without authentication")

Btw, I don't see any "Preview only" element.
 
Are you triggering that error by editing the realm through the UI? Please don't edit the realm through the UI. Instead, add the realm as intended to the file /etc/proxmox-datacenter-manager/access/domains.cfg. Then use the “Sync” Button in the UI under Configuration > Access Control > Realms. A dialog should open and there you should see a checkbox with the label “Preview Only”.

00002020: Operation unavailable without authentication
This still indicates that you do need to be authenticated to use this AD realm. So are you sure this exact AD realm can be used without a bind domain name and password?
 
The AD realm is created manually in domains.cfg. This works.
Editing via the GUI "Sync options" is failing.
"Sync" via the GUI Realms is failing - unedited error message:
Code:
2025-12-10T10:53:48+01:00: this is a DRY RUN - changes will not be persisted
2025-12-10T10:53:48+01:00: TASK ERROR: LDAP operation result: rc=1 (operationsError), dn: "", text: "00002020: Operation unavailable without authentication": rc=1 (operationsError), dn: "", text: "00002020: Operation unavailable without authentication"

And maybe one piece of info I missed before:
Plus, when adding a user with the AD realm via the GUI, it requires a password in the input fields.

Maybe there is an information mismatch. I want to use AD login as on PVE (users created manually without entering a password, not synced), nothing more for now. So yes, our AD may require login for any other non-login task.
 
"Sync" via the GUI Realms is failing - unedited error message:
Alright, that means for the settings you are providing your AD realm expects some kind of authentication:
00002020: Operation unavailable without authentication
Can you tell me the differences between your PVE and PDM AD realm exactly?

Plus, when adding a user with the AD realm via the GUI, it requires a password in the input fields.
Yes, currently a bind-dn is only supported in combination with a bind password. Are you using a bind-dn in Proxmox VE?
 
PVE (9.1.1):
Code:
domains.cfg:
ad: SUB.EXAMPLE.ORG
        comment AD authentication
        domain sub.example.org
        server1 fqdn1
        base_dn DC=sub,DC=example,DC=org
        case-sensitive 1
        default 1
        mode ldaps
        server2 fqdn2

user.cfg:
user:someuser@SUB.EXAMPLE.ORG:1:0:Firstname:LastName::::
group:administrators:someuser@SUB.EXAMPLE.ORG::

PDM:
Code:
domains.cfg:
ad: SUB.EXAMPLE.ORG
    base-dn dc=sub,dc=example,dc=org
    mode ldaps
    server1 fqdn1
    server2 fqdn2
    comment AD authentication

I don't use a bind user on PVE.