[SOLVED] Tutorial : Auto add LDAP users to Proxmox Realm as Administrators

[Donovan Hoare]

Hi All.

Below is my solution for automatically adding proxmox users to Proxmox from an LDAP database.
I wrote this ruby Script as i found it annoying to have to add a user to my LDAP database then have to manually goto 20+ proxmox clusters and add the users manually to the realm as well.
It was not an option for me anymore.

So what the below ruby script will do, It connects to my ldap server and searches for users under proxmox users under groups.
It then loops over members in the list and adds them as users in proxmox under the LDAP realm and then adds them to admin groups.

You will have to edit the settings for DC, usernames and passwords.
Then i use crontab and call every hour to add new users.

Please note im not worried about security as all this is done in private lans and restricted IP addresses, so please be cautious on how you run this.
I also dont do error checking on if a user exists in proxmox, it will just try add it again, proxmox will just not add if already added.
I hope this helps.


As per above image my ldapserver has an OU (Organisation unit ) called groups
I then have a posix group called proxmoxusers
Distinguished Name: cn=proxmoxusers,ou=groups,dc=example,dc=co,dc=za

1st step. -> On Proxmox Gui
Datacenter -> Permissions -> Authentication -> Add LDAP server
Realm: ldap
Server: <ldap_server_ip_or_hostname>
Base Domain Name : ou=users,dc=example,dc=co,dc=za
User Attribute name : uid

2nd Step -> On Proxmox Host Console

# apt install git python-mysqldb sshpass nano sudo ruby
# gem install net-ldap
# pveum groupadd admin -comment "System Administrators"
# pveum aclmod / -group admin -role Administrator
# echo "$((RANDOM%60)) */1   * * *   root    /media/atsscripts/getusercheck_proxmox.rb >/dev/null 2>&1" >> /etc/crontab

# mkdir /media/atsscripts/
# nano /media/atscripts/getusercheck_proxmox.rb
{
#Add below
#============================================================

#!/usr/bin/env ruby

#gem install net-ldap
require 'rubygems'
require 'net/ldap'


ldap = Net::LDAP.new :host => '<ldapserverip>',
     :port => 389,
     :auth => {
           :method => :simple,
           :username => "cn=admin, dc=example, dc=co, dc=za",
           :password => "<loginpassword>"
     }

filter = Net::LDAP::Filter.eq( "cn", "proxmoxusers*" )
treebase = "ou=groups,dc=example, dc=co, dc=za"

ldap.search( :base => treebase, :filter => filter ) do |entry|
  puts "DN: #{entry.dn}"
  entry.each do |attribute, values|
    p attribute
    if "#{attribute}" == "memberuid"
      puts "   #{attribute}:"
      values.each do |value|
        system("pveum useradd #{value}@ldap -comment 'Added Via ATS Script'")
        system("pveum usermod #{value}@ldap -group admin")
        puts "      --->#{value}"
      end
    end
  end
end

p ldap.get_operation_result
#============================================================
#Add above
}

chmod 770 /media/atscripts/getusercheck_proxmox.rb

 

[Alwin]

As a suggestion. You could run this script from remote and use the API. This way you won't need to install ruby on the nodes. And you can target any node in the cluster.

 

[Glowsome]

@Alwin as PVE has a default LDAP capabillity i would even go for an enhancement of this.

As the current only is aimed at authentication, via a mapping of the UID (or whatever attribute is selected) extending it to include a groupmembership which then lists its rights ...

This way the need for specifying attibutes on multiple machines is no longer needed ... for example
if you were to use LDAP :

• create groups according to permissionroles as created in PVE
• when authenticating via LDAP dont only authenticate the user, but also after authentication retrieve the permissionroles as specified and apply to the authenticated user.

As an admin one of my standards is to have a 'single point of administration' .. in my case a LDAP-capable directory (eDirectory) where if possible not only authentication is done, but also authorisation according to group-membership or other attributes.

So having this automated in PVE would give it an enourmous advantage in management.

 

[Alwin]

As the current only is aimed at authentication, via a mapping of the UID (or whatever attribute is selected) extending it to include a groupmembership which then lists its rights ...

See here -> https://bugzilla.proxmox.com/show_bug.cgi?id=544

 

[Glowsome]

@Alwin i understand the statement, but :

This position goes against the concept of what most companies have in regards of management from a single point.
As administering in non-intergration means additional tasks for IT-administration departments ( even if the PVE administration/administration should only be a limited number of users).
In some cases this can even influence a decision to not take PVE as a solution.

I know its a hassle to develop such features, but from my position the PVE product would have a better placement if it were able to fit into authentication and authorisation options such as :

- LDAP group
- SAML2

If i had the capabillities to develop such i would with all my heart dive into it to get this done... unfortunately to even start contributing i would have to start from scratch, buildup knowledge, and then readup on the/a current module and then buildup a proper authentication module.

 

[T.Herrmann]

LDAP group was planed for PVE 6.1 but we are still waiting for.

 

[Donovan Hoare]

Hi All.
The reason i didn't write this to use the API, is that my cluster has no direct access via the internet, It is solely on a Private VPN.
Therefor pushing to the API is not an option for me, However, the pull works well for my circumstance.
That is why i also mention security was not my biggest concern as there is no direct internet access.

and the installation of ruby is such a small overhead.
However this is the 1st concept, Maybe someone can improve on this.