[pve-devel] LDAP integration with G Suite?
Victor Hooi
victorhooi at yahoo.com
Thu May 23 06:34:12 CEST 2019
*(Sending again with screenshots removed)*
Hi,
Aha, I am glad to know it's meant to work out of the box - I merely had
some concerns around support for LDAP certificate authentication (forum post
<https://forum.proxmox.com/threads/ldap-authentication-does-it-support-client-certificates.52439/>).
If I get this working, it would be good to get this added to the wiki
perhaps.
However, I'm not able to get it working.
I have verified with ldapsearch that I can successfully lookup users
against the Google Secure LDAP service:
$ LDAPTLS_REQCERT=allow LDAPTLS_CERT=Google_2022_05_22_3494.crt
LDAPTLS_KEY=Google_2022_05_22_3494.key ldapsearch -H ldaps://
ldap.google.com:636 -b dc=anguslab,dc=io '(uid=victorhooi)'
SASL/EXTERNAL authentication started
SASL username: st=California,c=US,ou=GSuite,cn=LDAP Client,l=Mountain
View,o=Google Inc.
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=anguslab,dc=io> with scope subtree
# filter: (uid=victorhooi)
# requesting: ALL
#
# victorhooi, Users, anguslab.io
dn: uid=victorhooi,ou=Users,dc=anguslab,dc=io
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: victorhooi
googleUid: victorhooi
posixUid: victorhooi
cn: victorhooi
cn: Victor Hooi
sn: Hooi
displayName: Victor Hooi
givenName: Victor
mail: victorhooi at anguslab.io
memberOf: cn=chat-eng,ou=Groups,dc=anguslab,dc=io
memberOf: cn=drive-eng,ou=Groups,dc=anguslab,dc=io
memberOf: cn=gsuite-tses,ou=Groups,dc=anguslab,dc=io
memberOf: cn=meet-eng,ou=Groups,dc=anguslab,dc=io
uidNumber: 950057616
gidNumber: 950057616
homeDirectory: /home/victorhooi
loginShell: /bin/bash
gecos:
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
I then added a new LDAP authentication realm using pvesh like so:
# pvesh create /access/domains --realm gsuiteldap --type ldap --base_dn
dc=anguslab,dc=io --server1 ldap.google.com --port 636 --cert
/root/Google_2022_05_22_3494.crt --certkey /root/Google_2022_05_22_3494.key
--user_attr victorhooi
(I'm not sure about what I should set as the user_attr value - since it's
using certificate - but the command seemed to complete successfully).
I then added a user with the same username in the Proxmox Web UI:
<screenshot removed>
I then logged out as "root", and tried to login as the new user. Oddly
enough - even when I selected the LDAP authentication realm - it's still
asking me for both a username and password. I would have thought it would
just be a username, and it'd somehow delegate to G Suite's SSO webpage?
<screenshot removed>
Anyhow - even after I enter in my G Suite username and password, it still
does not work (Login failed. Please try again.).
Are there some logfiles to help troubleshoot what's going on? Or is there
some issue with the steps above?
Regards,
Victor
On Wed, May 22, 2019 at 4:38 PM Dominik Csapak <d.csapak at proxmox.com> wrote:
> On 5/22/19 3:16 AM, Victor Hooi wrote:
> > Hi,
>
> Hi,
>
> >
> > I'm interested in getting Proxmox's LDAP integrated with the Secure LDAP
> > feature from G Suite.
> >
> > Does anybody know how difficult this would be, or what would be involved?
>
> As far as i can see from their guide[0], this should generally work
> out of the box if you add an ldap realm in pve with the provided
> credentials/login data.
>
> You still have to add the specific users to pve by hand (as with all
> realms) and assign permissions to them.
>
> >
> > Is there any provision for some kind of feature bounty with the Proxmox
> > team, which we could contribute to?
>
> Not that i know of, but patches are always welcome :)
>
> >
> > Regards,
> > Victor
>
> I hope i could help
>
> Regards, Dominik
>
> 0: https://support.google.com/a/answer/9089736
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
More information about the pve-devel
mailing list