Proxmox 8 web console authentication to freeipa

dsexton18

Jul 3, 2023
I am trying to figure out how to configure the Proxmox web console to authenticate with FreeIPA. I tried the steps located here (Configuring FreeIPA LDAP server with Proxmox), but I get "bad ldap user search". I was able to configure the Proxmox OS to authenticate to FreeIPA, but clearly the web console requires additional configuration.
 
I added the ipabind group, created group permissions, and assigned the ipabind group the admin role on /. Not sure what path it needs; obviously the group has more permissions than it needs. I am confused about what path the group needs and which role is required for least privilege.
 
Then please show us your entire config, which user you log in with, which group he is in on your FreeIPA, and what error message you get.
 
Bind user: uid=ipabind,cn=users,cn=accounts,dc=lnx,dc=corp,dc=lan
Group filter: (|(cn=*pve*)(dc=lnx)(dc=corp)(dc=lan))
User filter: memberOf=cn=pve-group,cn=groups,cn=accounts,dc=lnx,dc=corp,dc=lan

I am able to log in to the Proxmox web console using the ipabind user, but not admin, which is a member of the pve-group.
 
I am able to log in using the admin user and password from IdM, but I had to add the user to Proxmox and to the pve-group in Proxmox. I had assumed any user in the pve-group in FreeIPA could log in to the web console, assuming they had a role assigned to the group.
 
Assume I have not added them as a user in Proxmox.
Probably, that would be the documentation I sent you directly in my first post.

Please also post the output of tail -n +1 /etc/pve/{domains,user}.cfg (in code tags please!)
 
Code:
==> /etc/pve/user.cfg <==
user:ipabind@lxn.corp.lan:1:0::::::
user:root@pam:1:0:::mail@example.com:::
token:root@pam!foreman:0:1::
token:root@pam!packer:0:1::
token:root@pam!proxmox:0:1::
user:svc.proxmox@pve:1:0::::::
user:svc_packer@pam:1:0::::::
token:svc_packer@pam!packer:0:1::

group:admin:svc.proxmox@pve::
group:ipabind:ipabind@lxn.corp.lan::
group:pve-group:::

pool:proxmox::100,104,900:iso_smb,pve2,vm_data,vm_data2:


acl:1:/:@ipabind:PVEAdmin:
acl:1:/access/realm:@ipabind:Administrator:
acl:1:/nodes:@admin:PVEAdmin:
acl:1:/pool:@admin:PVEAdmin:
acl:1:/pool/proxmox:svc.proxmox@pve:Administrator:
acl:1:/storage:@admin:PVEAdmin:
acl:1:/storage/vm_data:@admin:PVEAdmin:
acl:1:/vms:@admin:PVEAdmin:
 
The user admin@lxn.corp.lan was not synchronized.

Every user from the FreeIPA must be in this group: ipabind.

You have to change the acl:1:/:@ipabind:PVEAdmin: to acl:1:/:@ipabind:Administrator:. You can remove the entry acl:1:/access/realm:@ipabind:Administrator:.
 
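The conclusions in the reply above (the pve-group is empty and no ACL references it; the ipabind group holds an admin role on the root path) can be read straight out of the posted user.cfg. The following Python audit is an added example, not code from the thread or from Proxmox VE: it parses the record types that appear in the dump (user, group, acl, token; pool records are skipped) and reports the things a reviewer would check when an LDAP realm does not grant access as expected: groups with no members, groups that no ACL references, ACL subjects that point at undefined users or groups, and any subject holding Administrator or PVEAdmin on "/". It also lists the users defined per realm, which makes a spelling difference between the realm in user ids (lxn.corp.lan in the dump) and the domain components of the posted bind DN (dc=lnx) easy to spot. The record layouts follow the user.cfg format; the check logic and the finding messages are my own, and the sample input is the dump posted above.

```python
"""Audit a Proxmox VE /etc/pve/user.cfg dump: groups, ACLs and realms.

Added example for the thread above; not Proxmox code.
"""
from collections import defaultdict

# user.cfg content as posted in the thread (the "==> ... <==" header printed
# by tail is dropped; only the record lines are kept).
USER_CFG = """\
user:ipabind@lxn.corp.lan:1:0::::::
user:root@pam:1:0:::mail@example.com:::
token:root@pam!foreman:0:1::
token:root@pam!packer:0:1::
token:root@pam!proxmox:0:1::
user:svc.proxmox@pve:1:0::::::
user:svc_packer@pam:1:0::::::
token:svc_packer@pam!packer:0:1::

group:admin:svc.proxmox@pve::
group:ipabind:ipabind@lxn.corp.lan::
group:pve-group:::

pool:proxmox::100,104,900:iso_smb,pve2,vm_data,vm_data2:

acl:1:/:@ipabind:PVEAdmin:
acl:1:/access/realm:@ipabind:Administrator:
acl:1:/nodes:@admin:PVEAdmin:
acl:1:/pool:@admin:PVEAdmin:
acl:1:/pool/proxmox:svc.proxmox@pve:Administrator:
acl:1:/storage:@admin:PVEAdmin:
acl:1:/storage/vm_data:@admin:PVEAdmin:
acl:1:/vms:@admin:PVEAdmin:
"""

# Roles that carry full (or near-full) control of the cluster; granted on "/"
# they are the broadest possible assignment.
ADMIN_ROLES = {"Administrator", "PVEAdmin"}


def parse_user_cfg(text):
    """Split user.cfg into users, groups, acls and tokens.

    Record layouts (colon separated, trailing colon):
      user:<userid>:<enable>:<expire>:<firstname>:<lastname>:<email>:<comment>:<keys>:
      group:<groupid>:<comma separated userids>:<comment>:
      acl:<propagate>:<path>:<comma separated users/@groups>:<comma separated roles>:
      token:<userid>!<tokenid>:<privsep>:<expire>:<comment>:
    """
    cfg = {"users": {}, "groups": {}, "acls": [], "tokens": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, *fields = line.split(":")
        if kind == "user":
            cfg["users"][fields[0]] = {"enable": fields[1] == "1",
                                       "expire": int(fields[2] or 0)}
        elif kind == "group":
            cfg["groups"][fields[0]] = [m for m in fields[1].split(",") if m]
        elif kind == "acl":
            cfg["acls"].append({
                "propagate": fields[0] == "1",
                "path": fields[1],
                "subjects": [s for s in fields[2].split(",") if s],
                "roles": [r for r in fields[3].split(",") if r],
            })
        elif kind == "token":
            cfg["tokens"].append(fields[0])
        # pool: records carry no authorisation data and are skipped
    return cfg


def realm_of(userid):
    """'admin@lxn.corp.lan' -> 'lxn.corp.lan' (the realm is the last @-part)."""
    return userid.rsplit("@", 1)[1]


def users_by_realm(cfg):
    """Map each realm to the user ids that user.cfg defines in it."""
    out = defaultdict(list)
    for uid in cfg["users"]:
        out[realm_of(uid)].append(uid)
    return dict(out)


def audit(cfg):
    """Return human-readable findings about group membership and ACL scope."""
    findings = []
    # 1. A group with no members grants nothing, whatever ACLs reference it.
    for gid, members in cfg["groups"].items():
        if not members:
            findings.append(f"group '{gid}' has no members")
    # 2. ACL subjects must resolve to a defined user or group.
    for acl in cfg["acls"]:
        for subj in acl["subjects"]:
            if subj.startswith("@") and subj[1:] not in cfg["groups"]:
                findings.append(f"ACL on {acl['path']} references undefined group {subj}")
            elif not subj.startswith("@") and subj not in cfg["users"]:
                findings.append(f"ACL on {acl['path']} references undefined user {subj}")
    # 3. Admin roles on the root path: the widest grant there is.
    for acl in cfg["acls"]:
        if acl["path"] == "/" and ADMIN_ROLES & set(acl["roles"]):
            for subj in acl["subjects"]:
                findings.append(f"{subj} holds {','.join(acl['roles'])} on / "
                                f"(propagate={acl['propagate']})")
    # 4. A defined group that no ACL references cannot authorise anything.
    referenced = {s[1:] for acl in cfg["acls"]
                  for s in acl["subjects"] if s.startswith("@")}
    for gid in cfg["groups"]:
        if gid not in referenced:
            findings.append(f"group '{gid}' is not referenced by any ACL")
    return findings


if __name__ == "__main__":
    parsed = parse_user_cfg(USER_CFG)
    for realm, uids in sorted(users_by_realm(parsed).items()):
        print(f"realm {realm}: {', '.join(uids)}")
    for finding in audit(parsed):
        print("-", finding)
```

Run against a live node with `python3 audit.py < /dev/null` after replacing USER_CFG with the contents of /etc/pve/user.cfg; the output for the posted dump names the empty, unreferenced pve-group and the PVEAdmin grant on "/" for @ipabind, and shows that no user other than the bind account exists in the lxn.corp.lan realm.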
Thanks for all your help. None of the users are synchronized.

I had expected that once I had the realm set up correctly I could sync users and groups, and then assign the user or group a role in Proxmox.
 
