[TUTORIAL] Proxmox authentication based on LDAP group membership / LDAP user synchronization - HOW-TO manual

Martini

New Member
Oct 22, 2020
3
6
3
Prague
www.z-type.cz
There are a lot of different open forum threads on how to set up LDAP authentication on PROXMOX VE. Unfortunately, there is no consolidated document on how to do it, so I have decided to write a HOW-TO manual on how to get LDAP authentication working, including user replication.



So what are the prerequisites

1) Installed PROXMOX VE - this should not be any issue :). The guys from Proxmox did a great job and the installation is extremely easy...

2) Installed LDAP server. We are using OpenLDAP ( https://www.openldap.org/). My recommendation is to set up LDAP to provide encrypted communication on port 636 ( LDAPS ) – you need to have SSL certificates. Also implement the memberOf attribute. This will help you implement user synchronization based on group membership ( it means that if you want to add a user to Proxmox, you just add them to the appropriate LDAP group and that's it.)




Let's show some screenshots and configuration – pictures are always better :)

1) Create a regular LDAP user. In this case we created z-type_user1, who is a member of the domain dc=z-type,dc=cz and is part of OU=People
LDAP_user.jpg

2) Create an LDAP group, for example proxmox_group, and add the newly created user z-type_user1 as a member.

LDAP_GROUP.JPG


3) You need to have a service account created in LDAP in order to access the LDAP tree from PROXMOX (for security reasons). This user will be used in the PROXMOX configuration.

4) Now you can try to get the list of people who are members of the LDAP proxmox_group via the ldapsearch utility (simple bind with -x, LDAPS on port 636, one-level search under ou=People):

ldapsearch -x -H ldaps://<LDAP_HOSTNAME> \
    -D "uid=proxmox_srv,ou=Service,dc=z-type,dc=cz" -w <PASSWORD> \
    -b ou=People,dc=z-type,dc=cz -s one \
    '(&(objectClass=inetOrgPerson)(memberOf=cn=proxmox_group,ou=Groups,dc=z-type,dc=cz))'

5) If all is OK, you will see the list of people with all the attributes belonging to each user. For example:
LDAP_search_result.JPG





OK - now we have the LDAP server, LDAP user and LDAP group ready.

Now let's switch to Proxmox VE

5) Create a new authentication REALM – log in to PROXMOX VE, click Datacenter, then choose Permissions and Authentication. Click Add and select LDAP Server. Fill in the required information

LDAP_SERVER_SETTING.JPG





6) Create a new Proxmox group – in this case LDAP_Administrators
Create_a_group.JPG




7) Assign administrator permissions to LDAP_Administrators
Assing_GROUP.JPG



8) Now try to get the users from LDAP ( for a dry run click the Preview button ) or Sync for the real user transfer.
sync.JPG

Continued in the reply below ( max. 10 pictures per post )
 


Martini

9) The output of the Sync action should look like:
sync_result.JPG



10) Replicated users should be visible under Users
replicated_users.JPG



11) Just assign the new user to the Admin group
assing_admin_group.LDAP.JPG



12) If you want to synchronize users once per day, you can create a crontab task on the Proxmox server, for example:
crontab.JPG


This will synchronize the LDAP users every day at 10 AM



In the next thread I would like to describe how to synchronize groups from LDAP.

There might also be other ways to implement LDAP authentication / LDAP user synchronization; please consider this a basic consolidated manual.

Let me know if this HOW-TO is useful for you, or in case of any questions.

Stay safe and have a nice day.

JM
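The membership-driven sync the tutorial describes (an ldapsearch filtered on memberOf, then a sync that creates the matching Proxmox users), as an added example in Python that is not part of the original post and not Proxmox's own code: it parses the LDIF that ldapsearch prints, keeps the entries that belong to proxmox_group, diffs them against the users PVE already has, and prints the pveum commands that would bring the two in line. The realm id "ldap", the sample LDIF and the sample user list are assumptions constructed for the example; PVE's built-in realm sync does the same job natively, so this is for understanding and dry-running the logic, not for replacing it.

```python
"""Reconcile Proxmox VE users against an LDAP group.

Added example, not Proxmox code. Parses ldapsearch LDIF output, keeps the
entries whose memberOf contains the chosen group, and diffs them against the
users PVE already knows, emitting the pveum commands that would reconcile them.
"""
import base64
import subprocess

# Assumptions (not from the tutorial): the realm id is "ldap"; the group DN and
# the PVE group name follow the tutorial's screenshots.
REALM = "ldap"
GROUP_DN = "cn=proxmox_group,ou=Groups,dc=z-type,dc=cz"
PVE_GROUP = "LDAP_Administrators"

# Constructed sample of ldapsearch output: comment lines, a folded continuation
# line, a base64-encoded (::) attribute, and the trailing result block without a dn.
SAMPLE_LDIF = """\
# z-type_user1, People, z-type.cz
dn: uid=z-type_user1,ou=People,dc=z-type,dc=cz
objectClass: inetOrgPerson
uid: z-type_user1
cn: Z-Type User One
memberOf: cn=proxmox_group,ou=Groups,dc=z-type,dc=cz

# z-type_user2, People, z-type.cz
dn: uid=z-type_user2,ou=People,dc=z-type,dc=cz
objectClass: inetOrgPerson
uid: z-type_user2
cn:: SmFuIE5vdsOhaw==
memberOf: cn=other_group,ou=Groups,dc=z-type,dc=cz
memberOf: cn=PROXMOX_GROUP,ou=Groups,dc=z-typ
 e,dc=cz

# z-type_user3, People, z-type.cz
dn: uid=z-type_user3,ou=People,dc=z-type,dc=cz
objectClass: inetOrgPerson
uid: z-type_user3
cn: Not A Member
memberOf: cn=other_group,ou=Groups,dc=z-type,dc=cz

# search result
search: 2
result: 0 Success
"""


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto their predecessor."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each {attribute (lowercased): [values]}.
    Comments are skipped, as is any block without a dn (ldapsearch's result block)."""
    entries, current = [], {}
    for line in unfold(text) + [""]:  # sentinel blank line closes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>" form, used for non-ASCII values
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def group_members(entries, group_dn=GROUP_DN):
    """uids whose memberOf lists group_dn; DNs are compared case-insensitively."""
    wanted = group_dn.lower()
    return sorted(e["uid"][0] for e in entries
                  if "uid" in e and any(m.lower() == wanted for m in e.get("memberof", [])))


def plan_sync(entries, existing_users, group_dn=GROUP_DN, realm=REALM, pve_group=PVE_GROUP):
    """Diff LDAP group membership against the PVE users of this realm.
    Returns (to_add, to_disable, commands). Vanished users are disabled, not deleted,
    so their ACL entries survive a transient LDAP outage."""
    desired = {f"{uid}@{realm}" for uid in group_members(entries, group_dn)}
    existing = {u for u in existing_users if u.endswith(f"@{realm}")}
    to_add, to_disable = sorted(desired - existing), sorted(existing - desired)
    commands = [["pveum", "user", "add", u, "--groups", pve_group] for u in to_add]
    commands += [["pveum", "user", "modify", u, "--enable", "0"] for u in to_disable]
    return to_add, to_disable, commands


def apply_plan(commands, dry_run=True):
    """Print each command; with dry_run=False also run it on the PVE node."""
    for cmd in commands:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Constructed stand-in for the current PVE user list: one user already synced,
    # one stale user from an earlier sync, and a local account that must be ignored.
    current_pve_users = {"z-type_user1@ldap", "old_user@ldap", "root@pam"}
    _, _, cmds = plan_sync(parse_ldif(SAMPLE_LDIF), current_pve_users)
    apply_plan(cmds)  # dry run; pass dry_run=False on the PVE node to apply
```

Feed it the real ldapsearch output instead of SAMPLE_LDIF and the real `pveum user list` user ids instead of the constructed set. If group_members comes back empty, check that memberOf is actually populated on the user entries (on OpenLDAP that needs the memberof overlay), because the attribute is not maintained by default.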
 

lowerym

Member
Feb 17, 2021
35
2
8
38
Thank you for the post, it was very helpful. However, I am running into an issue after doing the sync where I'm not able to log in with the user I did the sync with.

If I tail journalctl while logging in, I get: Authentication Failure; rhost=xxx.xxx.xxx.xxx (the server I tried to log in from) user=me@domain.net msg=80090308: LdapErr: DSID-0c090446, comment: AcceptSecurityContext error, data 52e, v2580

This indicates that I used the wrong password, but it's not the wrong password.

Any thoughts?
 

Martini

Hello Lowerym,

Thank you for the positive feedback on my tutorial.

Based on the error from journalctl, it seems that there is an issue on the LDAP server, which is unable to authenticate your user.

Basically LDAP returns the following error:
msg=80090308: LdapErr: DSID-0c090446, comment: AcceptSecurityContext error, data 52e, v2580


Could you check whether this is your case: https://stackoverflow.com/questions...ntext-error-data-52e-v2580-even-with-the-corr

Do you use the LDAP or LDAPS implementation? Are you able to connect to your LDAP tree with an LDAP browser ( for example Linux ldapsearch ) using the "me" user?
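The "data 52e" in the journal line quoted above is an Active Directory sub-code inside a generic LDAP bind failure; the same field carries other values for locked, disabled or expired accounts, which a plain "Invalid credentials" from OpenLDAP does not distinguish. Below is an added Python example, not from the thread and not Proxmox code, that parses pvedaemon authentication-failure lines of the shape quoted in the thread, maps the AD sub-code to its meaning, and flags source hosts that fail against many different users. The journald prefix, the addresses, the user names and the sub-code-less line are constructed.

```python
"""Triage pvedaemon "authentication failure" lines from an LDAP/AD realm.

Added example, not Proxmox code. Active Directory reports bind failures as
"AcceptSecurityContext error, data NNN"; the NNN sub-code tells a wrong password
apart from a locked or disabled account. Counting distinct users per source host
also separates one user mistyping a password from a password spray.
"""
import re
from collections import defaultdict

# Well-known AD bind sub-codes, in the hex form they appear in the message.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Line shape modelled on the one quoted in the thread; the journald prefix is an assumption.
AUTH_FAIL_RE = re.compile(
    r"authentication failure;\s*rhost=(?P<rhost>\S+)\s+user\s*=\s*(?P<user>\S+)\s+msg=(?P<msg>.*)",
    re.IGNORECASE,
)
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-f]+)", re.IGNORECASE)

AD_MSG = "80090308: LdapErr: DSID-0c090446, comment: AcceptSecurityContext error, data {}, v2580"

# Constructed sample journal: addresses, users and the last two lines are made up.
SAMPLE_JOURNAL = [
    f"pvedaemon[1234]: authentication failure; rhost=192.0.2.10 user=me@domain.net msg={AD_MSG.format('52e')}",
    f"pvedaemon[1234]: authentication failure; rhost=192.0.2.10 user=me@domain.net msg={AD_MSG.format('52e')}",
    f"pvedaemon[1234]: authentication failure; rhost=192.0.2.11 user=bob@domain.net msg={AD_MSG.format('533')}",
    f"pvedaemon[1234]: authentication failure; rhost=192.0.2.20 user=alice@domain.net msg={AD_MSG.format('52e')}",
    f"pvedaemon[1234]: authentication failure; rhost=192.0.2.20 user=carol@domain.net msg={AD_MSG.format('52e')}",
    f"pvedaemon[1234]: authentication failure; rhost=192.0.2.20 user=dave@domain.net msg={AD_MSG.format('775')}",
    "pvedaemon[1234]: authentication failure; rhost=192.0.2.12 user=eve@domain.net msg=Invalid credentials",
    "pvedaemon[1234]: <root@pam> successful auth for user 'root@pam'",
]


def parse_auth_failure(line):
    """Return {rhost, user, code, reason} for an auth-failure line, or None for other lines."""
    m = AUTH_FAIL_RE.search(line)
    if not m:
        return None
    event = {"rhost": m["rhost"], "user": m["user"], "code": None,
             "reason": "bind failed (no AD sub-code)"}
    sub = SUBCODE_RE.search(m["msg"])
    if sub:
        code = sub["code"].lower()
        event["code"] = code
        event["reason"] = AD_BIND_SUBCODES.get(code, f"unknown AD sub-code {code}")
    return event


def summarize(events):
    """Failure count per (user, reason), so lockouts show up next to wrong passwords."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["user"], e["reason"])] += 1
    return dict(counts)


def spray_candidates(events, min_users=3):
    """Source hosts that failed against at least min_users distinct users."""
    users_by_host = defaultdict(set)
    for e in events:
        users_by_host[e["rhost"]].add(e["user"])
    return sorted(h for h, users in users_by_host.items() if len(users) >= min_users)


if __name__ == "__main__":
    events = [e for e in map(parse_auth_failure, SAMPLE_JOURNAL) if e]
    for (user, reason), n in sorted(summarize(events).items()):
        print(f"{user:20} {reason:40} x{n}")
    print("possible password spray from:", spray_candidates(events))
```

Pipe `journalctl -u pvedaemon` into the parser instead of SAMPLE_JOURNAL. A single user with repeated 52e from one host is usually a client-side password problem; many users from one host, or a 775 following a run of 52e, is the pattern to treat as an attack rather than a misconfiguration.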
 
