User Filter in LDAP only working for the first group

[Elleni]

We have successfully created an LDAPS connection. The following filters are used for users and groups:

User Filter:
(|(MemberOf=CN=IT_Proxmox_Admins,OU=Administrative_Groups,OU=Groups,OU=Site,OU=XY,DC=domain,DC=tld)(CN=IT_Proxmox_Users,OU=Administrative_Groups,OU=Groups,OU=site,OU=XY,DC=domain,DC=tld)))

Group Filter:
(|(sAMAccountName=IT_Proxmox_Admins)(sAMAccountName=IT_Proxmox_Users))

When syncing, both groups are displayed in ProxMox, but only the list of users in the first user group are available in ProxMox. I was able to verify this by changing the order of the groups in the user filter. If the group Proxmox_Admins is exchanged with the group ProxMox_Users group, only the users of the first mentioned group ProxMox_Users are displayed and vice-versa.

Question: Is the user filter set incorrectly, or is this a bug? We would like to set the user filter in the sync options so that the users of both groups are imported into ProxMox.
This works well with one group, but the users in the second group are not imported.

 

[dcsapak]

hi,

can you provide the pveversion (pveversion -v) and the output of a sync task? (does not matter if it's a dry run or not) if possible for both configurations

thanks!

 

[Elleni]

Hi,

sure.

root@hostname:~# pveversion -v
proxmox-ve: 8.3.0 (running kernel: 6.8.12-8-pve)
pve-manager: 8.3.4 (running version: 8.3.4/65224a0f9cd294a3)
proxmox-kernel-helper: 8.1.1
proxmox-kernel-6.8: 6.8.12-8
proxmox-kernel-6.8.12-8-pve-signed: 6.8.12-8
proxmox-kernel-6.8.12-4-pve-signed: 6.8.12-4
ceph-fuse: 17.2.7-pve3
corosync: 3.1.7-pve3
criu: 3.17.1-2+deb12u1
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx11
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-5
libknet1: 1.28-pve1
libproxmox-acme-perl: 1.6.0
libproxmox-backup-qemu0: 1.5.1
libproxmox-rs-perl: 0.3.5
libpve-access-control: 8.2.0
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.0.10
libpve-cluster-perl: 8.0.10
libpve-common-perl: 8.2.9
libpve-guest-common-perl: 5.1.6
libpve-http-server-perl: 5.2.0
libpve-network-perl: 0.10.0
libpve-rs-perl: 0.9.2
libpve-storage-perl: 8.3.3
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.5.0-1
proxmox-backup-client: 3.3.3-1
proxmox-backup-file-restore: 3.3.3-1
proxmox-firewall: 0.6.0
proxmox-kernel-helper: 8.1.1
proxmox-mail-forward: 0.3.1
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.7
proxmox-widget-toolkit: 4.3.6
pve-cluster: 8.0.10
pve-container: 5.2.4
pve-docs: 8.3.1
pve-edk2-firmware: 4.2023.08-4
pve-esxi-import-tools: 0.7.2
pve-firewall: 5.1.0
pve-firmware: 3.14-3
pve-ha-manager: 4.0.6
pve-i18n: 3.4.0
pve-qemu-kvm: 9.0.2-5
pve-xtermjs: 5.3.0-3
qemu-server: 8.3.8
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.2.7-pve1

With the Admin Group as first in user filter:
starting sync for realm domain.tld

got data from server, updating users and groups
syncing users (remove-vanished opts: acl;entry;properties)
deleting outdated existing users first
adding user 'user1@domain.tld'
adding user 'user2@domain.tld'
syncing groups (remove-vanished opts: acl;entry;properties)
deleting outdated existing groups first
overwriting group 'IT_Proxmox_Admins-domain.tld'
overwriting group 'IT_Proxmox_Users-domain.tld'
successfully updated users and groups configuration
TASK OK

and now just switched the groups:

starting sync for realm domain.tld
got data from server, updating users and groups
syncing users (remove-vanished opts: acl;entry;properties)
deleting outdated existing users first
remove user 'user1@domain.tld'
purge users 'user1@domain.tld' ACL entries
remove user 'user2@domain.tld'
purge users 'user2@domain.tld' ACL entries
adding user 'user3@domain.tld'
adding user 'user4@domain.tld'
syncing groups (remove-vanished opts: acl;entry;properties)
deleting outdated existing groups first
overwriting group 'IT_Proxmox_Admins-domain.tld'
overwriting group 'IT_Proxmox_Users-domain.tld'
successfully updated users and groups configuration
TASK OK