[SOLVED] User Filter in LDAP only working for the first group

Elleni

We have successfully created an LDAPS connection. The following filters are used for users and groups:

User Filter:
(|(MemberOf=CN=IT_Proxmox_Admins,OU=Administrative_Groups,OU=Groups,OU=Site,OU=XY,DC=domain,DC=tld)(CN=IT_Proxmox_Users,OU=Administrative_Groups,OU=Groups,OU=site,OU=XY,DC=domain,DC=tld)))

Group Filter:
(|(sAMAccountName=IT_Proxmox_Admins)(sAMAccountName=IT_Proxmox_Users))

When syncing, both groups are displayed in Proxmox, but only the list of users in the first user group is available in Proxmox. I was able to verify this by changing the order of the groups in the user filter. If the group Proxmox_Admins is exchanged with the group ProxMox_Users, only the users of the first mentioned group ProxMox_Users are displayed, and vice versa.

Question: Is the user filter set incorrectly, or is this a bug? We would like to set the user filter in the sync options so that the users of both groups are imported into Proxmox.
This works well with one group, but the users in the second group are not imported.
hi,

can you provide the pveversion (pveversion -v) and the output of a sync task? (does not matter if it's a dry run or not) if possible for both configurations

thanks!
Hi,

sure.
Code:
root@hostname:~# pveversion -v
proxmox-ve: 8.3.0 (running kernel: 6.8.12-8-pve)
pve-manager: 8.3.4 (running version: 8.3.4/65224a0f9cd294a3)
proxmox-kernel-helper: 8.1.1
proxmox-kernel-6.8: 6.8.12-8
proxmox-kernel-6.8.12-8-pve-signed: 6.8.12-8
proxmox-kernel-6.8.12-4-pve-signed: 6.8.12-4
ceph-fuse: 17.2.7-pve3
corosync: 3.1.7-pve3
criu: 3.17.1-2+deb12u1
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx11
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-5
libknet1: 1.28-pve1
libproxmox-acme-perl: 1.6.0
libproxmox-backup-qemu0: 1.5.1
libproxmox-rs-perl: 0.3.5
libpve-access-control: 8.2.0
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.0.10
libpve-cluster-perl: 8.0.10
libpve-common-perl: 8.2.9
libpve-guest-common-perl: 5.1.6
libpve-http-server-perl: 5.2.0
libpve-network-perl: 0.10.0
libpve-rs-perl: 0.9.2
libpve-storage-perl: 8.3.3
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.5.0-1
proxmox-backup-client: 3.3.3-1
proxmox-backup-file-restore: 3.3.3-1
proxmox-firewall: 0.6.0
proxmox-kernel-helper: 8.1.1
proxmox-mail-forward: 0.3.1
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.7
proxmox-widget-toolkit: 4.3.6
pve-cluster: 8.0.10
pve-container: 5.2.4
pve-docs: 8.3.1
pve-edk2-firmware: 4.2023.08-4
pve-esxi-import-tools: 0.7.2
pve-firewall: 5.1.0
pve-firmware: 3.14-3
pve-ha-manager: 4.0.6
pve-i18n: 3.4.0
pve-qemu-kvm: 9.0.2-5
pve-xtermjs: 5.3.0-3
qemu-server: 8.3.8
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.2.7-pve1

With the Admin Group as first in user filter:
Code:
starting sync for realm domain.tld
got data from server, updating users and groups
syncing users (remove-vanished opts: acl;entry;properties)
deleting outdated existing users first
adding user 'user1@domain.tld'
adding user 'user2@domain.tld'
syncing groups (remove-vanished opts: acl;entry;properties)
deleting outdated existing groups first
overwriting group 'IT_Proxmox_Admins-domain.tld'
overwriting group 'IT_Proxmox_Users-domain.tld'
successfully updated users and groups configuration
TASK OK

and now just switched the groups:
Code:
starting sync for realm domain.tld
got data from server, updating users and groups
syncing users (remove-vanished opts: acl;entry;properties)
deleting outdated existing users first
remove user 'user1@domain.tld'
purge users 'user1@domain.tld' ACL entries
remove user 'user2@domain.tld'
purge users 'user2@domain.tld' ACL entries
adding user 'user3@domain.tld'
adding user 'user4@domain.tld'
syncing groups (remove-vanished opts: acl;entry;properties)
deleting outdated existing groups first
overwriting group 'IT_Proxmox_Admins-domain.tld'
overwriting group 'IT_Proxmox_Users-domain.tld'
successfully updated users and groups configuration
TASK OK
Hello Elleni! For my understanding:

User Filter:
(|(MemberOf=CN=IT_Proxmox_Admins,OU=Administrative_Groups,OU=Groups,OU=Site,OU=XY,DC=domain,DC=tld)(CN=IT_Proxmox_Users,OU=Administrative_Groups,OU=Groups,OU=site,OU=XY,DC=domain,DC=tld)))
Could it be that you actually want to use MemberOf=CN=... also for the second group? If I understand you correctly, you want to filter for users which are part of either of the groups, meaning that you need MemberOf= in both cases. In case I understood you correctly, this would explain why it worked for the first group, but not for the second one.

A recommendation from my side: LDAP filters are sometimes hard to read, so for more complex filters you might want to use a tool for displaying the query in an easily readable form. I can recommend the LDAP filter analyzer for this purpose.
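As an added example (not from the thread or from Proxmox itself), a minimal RFC 4515 filter parser that prints a filter as an indented tree and reports the two problems in the original user filter: a clause under the OR that does not test memberOf, and an unbalanced closing parenthesis. The DNs are shortened copies of the ones in the first post.

```python
# Added example: parse an LDAP search filter into a tree, render it readably,
# and flag OR branches that do not filter on memberOf. Assumes values contain
# no unescaped ')' (RFC 4515 requires it to be escaped as \29).

# Constructed copies of the thread's filters with shortened DNs.
BROKEN = ("(|(MemberOf=CN=IT_Proxmox_Admins,OU=Groups,DC=domain,DC=tld)"
          "(CN=IT_Proxmox_Users,OU=Groups,DC=domain,DC=tld)))")
FIXED = ("(|(MemberOf=CN=IT_Proxmox_Admins,OU=Groups,DC=domain,DC=tld)"
         "(MemberOf=CN=IT_Proxmox_Users,OU=Groups,DC=domain,DC=tld))")

def parse(s, i=0):
    """Parse one filter item starting at s[i]; return (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                      # compound clause: AND / OR / NOT
        op, children = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unclosed '{op}' clause at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)                  # simple clause: attr=value
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1

def parse_filter(s):
    """Parse a whole filter string; reject leftover text such as a stray ')'."""
    node, i = parse(s, 0)
    if i != len(s):
        raise ValueError(f"trailing text after filter: {s[i:]!r}")
    return node

def render(node, depth=0):
    """Return the filter as an indented tree, one clause per line."""
    pad = "  " * depth
    if node[0] == "=":
        return f"{pad}{node[1]} = {node[2]}"
    name = {"&": "AND", "|": "OR", "!": "NOT"}[node[0]]
    return "\n".join([pad + name] + [render(c, depth + 1) for c in node[1]])

def diagnose(s, attr="memberof"):
    """List problems: syntax errors, or top-level OR branches not testing attr."""
    try:
        node = parse_filter(s)
    except ValueError as e:
        return [str(e)]
    if node[0] != "|":
        return []
    return [f"branch '{c[1]}={c[2]}' filters on {c[1]}, not memberOf"
            for c in node[1] if c[0] == "=" and c[1].lower() != attr]

if __name__ == "__main__":
    for f in (BROKEN, BROKEN[:-1], FIXED):
        print(diagnose(f) or render(parse_filter(f)))
```

Running it shows the stray parenthesis first, then (with that removed) the CN branch that still lacks memberOf, and finally the corrected filter rendered as an OR over two memberOf clauses.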
Dear, you nailed it! Thanks a lot. Will check this next time I need to troubleshoot a query. In every case, added the MemberOf= also before the second part, and now I get the users of both groups!

Thanks for your valuable support, really appreciated.