[pve-devel] LDAP integration with G Suite?

Thu May 23 08:34:45 CEST 2019

On 5/23/19 6:34 AM, Victor Hooi wrote:
> *(Sending again with screenshots removed)*
> 
> Hi,

Hi,

> 
> Aha, I am glad to know it's meant to work out of the box - I merely had
> some concerns around support for LDAP certificate authentication (forum post
> <https://forum.proxmox.com/threads/ldap-authentication-does-it-support-client-certificates.52439/>).
> If I get this working, it would be good to get this added to the wiki
> perhaps.
> 
> However, I'm not able to get it working.
> 
> I have verified with ldapsearch that I can successfully lookup users
> against the Google Secure LDAP service:
> 
> $ LDAPTLS_REQCERT=allow LDAPTLS_CERT=Google_2022_05_22_3494.crt
> LDAPTLS_KEY=Google_2022_05_22_3494.key ldapsearch -H ldaps://
> ldap.google.com:636 -b dc=anguslab,dc=io '(uid=victorhooi)'
> SASL/EXTERNAL authentication started
> SASL username: st=California,c=US,ou=GSuite,cn=LDAP Client,l=Mountain
> View,o=Google Inc.
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <dc=anguslab,dc=io> with scope subtree
> # filter: (uid=victorhooi)
> # requesting: ALL
> #
> 
> # victorhooi, Users, anguslab.io
> dn: uid=victorhooi,ou=Users,dc=anguslab,dc=io
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> uid: victorhooi
> googleUid: victorhooi
> posixUid: victorhooi
> cn: victorhooi
> cn: Victor Hooi
> sn: Hooi
> displayName: Victor Hooi
> givenName: Victor
> mail: victorhooi at anguslab.io
> memberOf: cn=chat-eng,ou=Groups,dc=anguslab,dc=io
> memberOf: cn=drive-eng,ou=Groups,dc=anguslab,dc=io
> memberOf: cn=gsuite-tses,ou=Groups,dc=anguslab,dc=io
> memberOf: cn=meet-eng,ou=Groups,dc=anguslab,dc=io
> uidNumber: 950057616
> gidNumber: 950057616
> homeDirectory: /home/victorhooi
> loginShell: /bin/bash
> gecos:
> 
> # search result
> search: 3
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> I then added a new LDAP authentication realm using pvesh like so:
> 
> # pvesh create /access/domains --realm gsuiteldap --type ldap --base_dn
> dc=anguslab,dc=io --server1 ldap.google.com --port 636 --cert
> /root/Google_2022_05_22_3494.crt --certkey /root/Google_2022_05_22_3494.key
> --user_attr victorhooi
> 
> (I'm not sure about what I should set as the user_attr value - since it's
> using certificate - but the command seemed to complete successfully).

the user_attr value is the attribute on which we match the username
e.g. in you output above you should set it to 'uid' we
get the user with the username set in that field

> 
> I then added a user with the same username in the Proxmox Web UI:
> 
> <screenshot removed>
> 
> I then logged out as "root", and tried to login as the new user. Oddly
> enough - even when I selected the LDAP authentication realm - it's still
> asking me for both a username and password. I would have thought it would
> just be a username, and it'd somehow delegate to G Suite's SSO webpage?

i guess there is some misunderstanding, pve authenticates via ldap,
meaning that you supply a username and password, which will be verified
by the ldap sever, if it succeeds, you are successfully authenticated

> 
> <screenshot removed>
> 
> Anyhow - even after I enter in my G Suite username and password, it still
> does not work (Login failed. Please try again.).

probably because of the user_attr, since you have given 'victorhooi'
it searches for a user with the attribute 'victorhooi=victorhooi'
(which i guess does not exists)

> 
> Are there some logfiles to help troubleshoot what's going on? Or is there
> some issue with the steps above?

there is the documentation (if you did not found it already): 
https://pve.proxmox.com/wiki/User_Management

the journal should contain an error log if the authentication fails
(with the ldap error message)

i must admit, the whole ldap part is very underdocumented and some parts 
are still missing (ldap+starttls is missing for example)

i hope this helps

regards
Dominik