Proxmox & LDAP

eferrandi

New Member
Oct 29, 2024
Hello,

I'm trying to connect my Proxmox server to an LDAP server located internally.
Here is my configuration:

Code:
ldap: ldap-ext
        base_dn ou=company,o=group,c=fr
        server1 ldap.fqdn
        user_attr uid
        bind_dn uid=proxmox,ou=system,ou=company,o=group,c=fr
        default 0
        filter memberof=cn=tests,ou=groups,ou=company,o=group,c=fr
        group_classes groupOfNames
        group_filter (|(cn=IT*)(ou=groups)(ou=company)(o=group)(dc=fr))
        group_name_attr cn
        sync-defaults-options remove-vanished=acl;entry;properties,scope=both
        sync_attributes email=mail
        user_classes inetOrgPerson

When I import the users and groups, I can see the users and the link with the groups, the synchro is good. But when I try to connect, I get a “Login failed. Please try again”.

Looking at the logs, I see the same thing:
Code:
proxmox1 pvedaemon[53456]: authentication failure; rhost=::ffff:192.168.1.1 user=test@ldap-ext msg=Invalid credentials

Users are functional on other tools (grafana, jenkins, gitlab...) connected to LDAP.

Is the LDAP server connection configuration correct?

Thanks for your help
 
Hi eferrandi,

I most certainly can reproduce the error for a failing user login when I type the wrong password for a user.

What confuses me is the log entry -- your config names the ldap 'ldap-ext', but the error comes from user 'test@ldap'. This should say 'test@ldap-ext' if things are right.

Is it possible that you have some remainders from previous syncs/config attempts? You might consider double-checking what you have in Datacenter->Permissions->Realms and Datacenter->Permissions->Users.

Best,
Daniel
 
Hi Daniel,
Thank you for your reply.
It's a typo in my thread, the realm name is ldap-ext, I've just fixed it.

Is it possible to clean the previous remainders? I've already made several syncs by activating all the “Remove Vanished Options” boxes.
Also, when I change the group for user filter (filter memberof), the users change, so I assume that synchronization works.
 
Hi eferrandi,

If you have an old realm which is not in use anymore, you might just remove it from Datacenter->Permissions->Realms, and then remove the User entries associated with that realm from Datacenter->Permissions->Users. They will not be autoremoved, but you can sort the list to ease things.

If your sync works, you should actually be able to login with the users visible in Datacenter->Permissions->Users (but by default without any permissions and not being able to see more than the node names). PVE will not store the users' passwords (despite the bind users' one, if you have your LDAP locked down), if I understand correctly.

Have you already tried with another user? Maybe the 'test' user's password has been changed on the LDAP-side?

Best,
Daniel
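One way to narrow down where an "Invalid credentials" login actually fails is to replay, with the OpenLDAP client tools, the steps a realm with a bind_dn goes through at login: bind as the service account, look the user up under base_dn with the realm's user_attr and filter, then bind as the DN that lookup returned. The script below is an added example for this thread, not PVE code and not the posters' own; it parses the realm block and the pvedaemon line posted above (embedded as constructed input), prints the equivalent ldapwhoami/ldapsearch commands for a given user name, and cross-checks that the realm in the log line matches the configured one (Daniel's point). It assumes that PVE narrows the user lookup by user_attr, user_classes and the extra filter ANDed together, and that the realm options `secure` and `port` select ldaps:// and a non-default port; both are assumptions rather than something the thread states.

```python
"""Replay a PVE LDAP realm's login steps with ldapwhoami/ldapsearch and check a
pvedaemon failure line against the realm name. Added example, not PVE's own code."""
import re
import shlex
import subprocess
import sys
from typing import Dict, List, Optional

# Realm block as posted in the thread (constructed input for this script).
REALM_CONFIG = """\
ldap: ldap-ext
        base_dn ou=company,o=group,c=fr
        server1 ldap.fqdn
        user_attr uid
        bind_dn uid=proxmox,ou=system,ou=company,o=group,c=fr
        default 0
        filter memberof=cn=tests,ou=groups,ou=company,o=group,c=fr
        group_classes groupOfNames
        group_filter (|(cn=IT*)(ou=groups)(ou=company)(o=group)(dc=fr))
        group_name_attr cn
        sync-defaults-options remove-vanished=acl;entry;properties,scope=both
        sync_attributes email=mail
        user_classes inetOrgPerson
"""
# Syslog line as posted in the thread (constructed copy for the realm cross-check).
LOG_LINE = ("proxmox1 pvedaemon[53456]: authentication failure; "
            "rhost=::ffff:192.168.1.1 user=test@ldap-ext msg=Invalid credentials")

AUTH_FAIL_RE = re.compile(
    r"authentication failure; rhost=(?P<rhost>\S+) "
    r"user=(?P<user>[^@\s]+)@(?P<realm>\S+) msg=(?P<msg>.*)$")


def parse_realm(text: str) -> Dict[str, str]:
    """Parse one realm section of /etc/pve/domains.cfg: header gives type and realm name."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    kind, _, realm = lines[0].partition(":")
    cfg = {"type": kind.strip(), "realm": realm.strip()}
    for line in lines[1:]:
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a typed user name cannot change the shape of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def wrap(expr: str) -> str:
    """The realm 'filter' may be written without outer parentheses; ldapsearch needs them."""
    expr = expr.strip()
    return expr if expr.startswith("(") else f"({expr})"


def user_search_filter(cfg: Dict[str, str], username: str) -> str:
    """Lookup that must return exactly one entry for a login to be possible.
    ANDing user_attr, user_classes and the extra filter is an assumption about PVE."""
    parts = [f"({cfg['user_attr']}={escape_filter_value(username)})"]
    classes = [c.strip() for c in cfg.get("user_classes", "").split(",") if c.strip()]
    if classes:
        cls = "".join(f"(objectClass={c})" for c in classes)
        parts.append(cls if len(classes) == 1 else f"(|{cls})")
    if cfg.get("filter"):
        parts.append(wrap(cfg["filter"]))
    return "(&" + "".join(parts) + ")"


def ldap_uri(cfg: Dict[str, str]) -> str:
    """ldap:// unless the realm sets 'secure 1' (ldaps://); honours an explicit 'port'."""
    scheme = "ldaps" if cfg.get("secure") == "1" else "ldap"
    port = f":{cfg['port']}" if cfg.get("port") else ""
    return f"{scheme}://{cfg['server1']}{port}"


def check_commands(cfg: Dict[str, str], username: str) -> Dict[str, List[str]]:
    """The three login steps as argv lists; -W prompts so no password reaches argv or history."""
    uri = ldap_uri(cfg)
    return {
        # 1. The service account itself must bind (a wrong bind_pw fails here, not at the user).
        "bind_dn": ["ldapwhoami", "-x", "-H", uri, "-D", cfg["bind_dn"], "-W"],
        # 2. Using that account, the user lookup must return exactly one DN.
        "user_search": ["ldapsearch", "-x", "-LLL", "-H", uri, "-D", cfg["bind_dn"], "-W",
                        "-b", cfg["base_dn"], "-s", "sub", user_search_filter(cfg, username),
                        "dn", "memberOf"],
        # 3. The DN found in step 2 must bind with the user's own password.
        "user_bind": ["ldapwhoami", "-x", "-H", uri, "-D", "<DN from step 2>", "-W"],
    }


def parse_auth_failure(line: str) -> Optional[Dict[str, str]]:
    """Fields of a pvedaemon 'authentication failure' line, or None if it is not one."""
    m = AUTH_FAIL_RE.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    cfg = parse_realm(REALM_CONFIG)
    user = sys.argv[1] if len(sys.argv) > 1 else "test"
    for step, argv in check_commands(cfg, user).items():
        print(f"# {step}\n{shlex.join(argv)}")
        if "--run" in sys.argv and "<DN from step 2>" not in argv:
            subprocess.run(argv, check=False)  # interactive: -W prompts for the password
    fail = parse_auth_failure(LOG_LINE)
    if fail and fail["realm"] != cfg["realm"]:
        print(f"! log names realm {fail['realm']!r}, config defines {cfg['realm']!r}")
```

Run it as `python3 pve_ldap_check.py test` to get the commands, or with `--run` to execute steps 1 and 2 interactively; step 3 is printed with a placeholder because the DN comes from the output of step 2. If step 1 fails, the realm's bind_pw is wrong; if step 2 returns nothing, the filter (here the memberof restriction) excludes the user or the entry sits outside base_dn; if only step 3 fails, the user's own password is what the directory rejects.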
 
