[TUTORIAL] Proxmox authentification based on LDAP group membership / LDAP user synchronization - HOW TO manual

Martini

Member
Oct 22, 2020
7
11
23
Prague
www.z-type.cz
There is a lot of different opened forum threads how to set-up the LDAP authentication on PROXMOX VE. Unfortunately, there is missing some consolidated document how to do it and due to that, so I have decided to write a HOW-TO manual, how to have the LDAP authentication working including user’s replication.



So what's are the prerequisites

1) Installed PROXMOX VA - this should not be any issue J. Guys from Proxmox did a great job and the installation is extremely easy…​

2) Installed LDAP server. We are using the OpenLDAP ( https://www.openldap.org/). My recommendation is to set-up the LDAP in order to provide encrypted communication on port 636 ( LDAPs ) – you need to have SSL certificates. Also implement the memberof attribute. This will help you to implement users synchronization based on the group membership ( it means that if you wants to add user to Proxmox, just add it to appropriate LDAP group and that’s it.)​




Let’s show some screenshot and configuration – pictures are always better :-)

1) Create a regular LDAP user. In this case we created z-type_user1 who is a member of the domain dc-z-type, dc=cz and it is a part of OU=People
LDAP_user.jpg

2) Create a LDAP group for example proxmox_group and add newly created user z-type_new1 to be a member.​

LDAP_GROUP.JPG


3) You need to have a service account created in LDAP in order to access the LDAP tree from PROXMOX (this is due to security reasons) . This user will be used in the PROXMOX configuration.​

4) Now you can try to get the list of people who a members of LDAP proxmox_group via ldapsearch utility:​

ldapsearch -w <PASSWORD> -H ldaps://<LDAP_HOSTNAME> -b ou=People,dc=z-type,dc=cz -s one '(&(objectClass=inetorgPerson)(memberOf=cn=proxmox_group,ou=Groups,dc=z-type,dc=cz))' -D "uid=proxmox_srv,ou=Service,dc=z-type,dc=cz"

5) If all OK, you will be able to see list of people with all attributes which belongs to user. For example:​
LDAP_search_result.JPG





OK - now we have the LDAP server, LDAP user, LDAP group ready.

Now let’s witch to Proxmox VE

5) Create a new authentication REALM – meaning LOG in to PROXMOX VA, click to Datacenter, then choose Permissions and Authentication. Click Add and select LDAP SERVER. Fill the required information​

LDAP_SERVER_SETTING.JPG





5) Create a new Proxmox Group – in this case LDAP_Administrators​
Create_a_group.JPG




6) Assign administrator permissions to LDAP_Administrators​
Assing_GROUP.JPG



7) Now try to get users from LDAP ( For dry-run click on Preview button ) or Sync for the real user transfer.​
sync.JPG

Continue in thread REPLY ( - MAX 10 pictures limit )
 

Attachments

  • 1611745675615.png
    1611745675615.png
    10.1 KB · Views: 214
  • 1611745789785.png
    1611745789785.png
    11 KB · Views: 163
  • 1611745830794.png
    1611745830794.png
    11 KB · Views: 124
8) Output of Sync action should be like :​
sync_result.JPG



9) Replicated users should be visible in Users​
replicated_users.JPG



10) Just assign the new user to Admin group​
assing_admin_group.LDAP.JPG



11) If you want to synchronize users once per day you can create a crontab task on Proxmox server for example:​
crontab.JPG


This will synchronize LDAP users every day at 10AM​



In next thread I would like to describe how to synchronize groups from LDAP.

There might be also other variants how to implement the LDAP authentificiations / LDAP user synchronization, please consider this as a basic consolidated manual.

Let me know if this HOW TO is useful for you or in case of any questions

Stay safe and have a nice day.

JM
 
thank you for the post it was very helpful. however i am running into an issue after doing the sync where im not able to login with the user i did the sync with.

If i tail on journalctl while logging in, i get Authentication Failure; rhose=xxx.xxx.xxx.xxx (the server i tried to login from) user =me@domain.net msg=80090308: LdapErr: DSID-0c090446, comment: AcceptSecurityContect error, data 52e, v2580

this indicates that i used the wrong password. but its not the wrong password.

any thoughts?
 
Hello Lowerym,

thank you for the positive reaction related to my tutorial.

Based on provided error from the journalctl, it seems that there is an issue on the LDAP server which is unable to authenticate your user.

Basically the LDAP returns following error :
msg=80090308: LdapErr: DSID-0c090446, comment: AcceptSecurityContect error, data 52e, v2580


Could you check if this cannot be your case : https://stackoverflow.com/questions...ntext-error-data-52e-v2580-even-with-the-corr

Do you use the LDAP or LDAPS implementation? Are you able to connect via LDAP browser ( for example linux ldapsearch ) to your LDAP three by using the "me" user?
 
There is a lot of different opened forum threads how to set-up the LDAP authentication on PROXMOX VE. Unfortunately, there is missing some consolidated document how to do it and due to that, so I have decided to write a HOW-TO manual, how to have the LDAP authentication working including user’s replication.



So what's are the prerequisites

1) Installed PROXMOX VA - this should not be any issue J. Guys from Proxmox did a great job and the installation is extremely easy…​

2) Installed LDAP server. We are using the OpenLDAP ( https://www.openldap.org/). My recommendation is to set-up the LDAP in order to provide encrypted communication on port 636 ( LDAPs ) – you need to have SSL certificates. Also implement the memberof attribute. This will help you to implement users synchronization based on the group membership ( it means that if you wants to add user to Proxmox, just add it to appropriate LDAP group and that’s it.)​




Let’s show some screenshot and configuration – pictures are always better :)

1) Create a regular LDAP user. In this case we created z-type_user1 who is a member of the domain dc-z-type, dc=cz and it is a part of OU=People
View attachment 23034

2) Create a LDAP group for example proxmox_group and add newly created user z-type_new1 to be a member.​

View attachment 23035


3) You need to have a service account created in LDAP in order to access the LDAP tree from PROXMOX (this is due to security reasons) . This user will be used in the PROXMOX configuration.​

4) Now you can try to get the list of people who a members of LDAP proxmox_group via ldapsearch utility:​

ldapsearch -w <PASSWORD> -H ldaps://<LDAP_HOSTNAME> -b ou=People,dc=z-type,dc=cz -s one '(&(objectClass=inetorgPerson)(memberOf=cn=proxmox_group,ou=Groups,dc=z-type,dc=cz))' -D "uid=proxmox_srv,ou=Service,dc=z-type,dc=cz"

5) If all OK, you will be able to see list of people with all attributes which belongs to user. For example:​





OK - now we have the LDAP server, LDAP user, LDAP group ready.

Now let’s witch to Proxmox VE

5) Create a new authentication REALM – meaning LOG in to PROXMOX VA, click to Datacenter, then choose Permissions and Authentication. Click Add and select LDAP SERVER. Fill the required information​






5) Create a new Proxmox Group – in this case LDAP_Administrators​




6) Assign administrator permissions to LDAP_Administrators​



7) Now try to get users from LDAP ( For dry-run click on Preview button ) or Sync for the real user transfer.​

Continue in thread REPLY ( - MAX 10 pictures limit )

What i need to typin in Group Filter? Its required this field
 
What i need to typin in Group Filter? Its required this field
Hello Erazor, it depends if you would like to synchronize groups from LDAP to Proxmox.


I think this is not a required field for the basic setup - as it is visible from the screenshots provided before, but if you would like to synchronize your groups ( for example proxmox ldap group ) and bring the authentification on the next level you can use something like this to the Group filter


(&(ObjectClass=groupofnames)(cn=*proxmox*))

The prerequisite is to have LDAP configured to support ObjectClass groupofnames and name of the proxmox LDAP group should cointains string for example *proxmox*
 
Hello everyone, could you tell me how to transform this filter ((&(ObjectClass=groupofnames)(cn=*proxmox*))) in the "User Filter" line? when searching for such accounts using ldapsearch, it finds everything, but with the same settings, it does not find anyone in proxmox during synchronization. Can you suggest what is wrong?
 
If you prefer systemd timers, here are some templates for realm sync. Keep in mind allowed characters for systemd units when choosing realm name.

Adding service unit files:
Bash:
systemctl edit --full --force realm-sync@.service
systemctl edit --full --force realm-sync@.timer
Service unit template:
Code:
[Unit]
Description=pveum realm sync '%I' service
Wants=realm-sync@%i.timer

[Service]
Type=oneshot
ExecStart=/usr/sbin/pveum realm sync %i

[Install]
WantedBy=multi-user.target
Timer template - adjust OnCalendar to your liking:
Code:
[Unit]
Description=pveum realm sync '%I' timer
Requires=realm-sync@%i.service

[Timer]
Unit=realm-sync@%i.service
OnCalendar=hourly

[Install]
WantedBy=timers.target
Enable and start - replace "my-realm" with your realm name here:
Bash:
systemctl enable realm-sync@my-realm.timer
systemctl start realm-sync@my-realm.timer
And that should be it. You can sync multiple realms using same template by enabling and starting multiple timers using different realm names.
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!