[pve-devel] LDAP integration with G Suite?

Victor Hooi victorhooi at yahoo.com
Thu May 23 08:45:15 CEST 2019


I tried changing user_attr to "uid", and I still get "Login failed. Please
try again."

You mentioned the journal should contain an error log if the authentication
fails - where is this journal please?

(I didn't see anything in /var/log/messages, or in the "Cluster log" in the
Web UI).

On Thu, May 23, 2019 at 4:34 PM Dominik Csapak <d.csapak at proxmox.com> wrote:

> On 5/23/19 6:34 AM, Victor Hooi wrote:
> > *(Sending again with screenshots removed)*
> >
> > Hi,
>
> Hi,
>
> >
> > Aha, I am glad to know it's meant to work out of the box - I merely had
> > some concerns around support for LDAP certificate authentication (forum
> > post <https://forum.proxmox.com/threads/ldap-authentication-does-it-support-client-certificates.52439/>).
> > If I get this working, it would be good to get this added to the wiki
> > perhaps.
> >
> > However, I'm not able to get it working.
> >
> > I have verified with ldapsearch that I can successfully lookup users
> > against the Google Secure LDAP service:
> >
> > $ LDAPTLS_REQCERT=allow LDAPTLS_CERT=Google_2022_05_22_3494.crt \
> >   LDAPTLS_KEY=Google_2022_05_22_3494.key ldapsearch \
> >   -H ldaps://ldap.google.com:636 -b dc=anguslab,dc=io '(uid=victorhooi)'
> > SASL/EXTERNAL authentication started
> > SASL username: st=California,c=US,ou=GSuite,cn=LDAP Client,l=Mountain
> > View,o=Google Inc.
> > SASL SSF: 0
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <dc=anguslab,dc=io> with scope subtree
> > # filter: (uid=victorhooi)
> > # requesting: ALL
> > #
> >
> > # victorhooi, Users, anguslab.io
> > dn: uid=victorhooi,ou=Users,dc=anguslab,dc=io
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > uid: victorhooi
> > googleUid: victorhooi
> > posixUid: victorhooi
> > cn: victorhooi
> > cn: Victor Hooi
> > sn: Hooi
> > displayName: Victor Hooi
> > givenName: Victor
> > mail: victorhooi at anguslab.io
> > memberOf: cn=chat-eng,ou=Groups,dc=anguslab,dc=io
> > memberOf: cn=drive-eng,ou=Groups,dc=anguslab,dc=io
> > memberOf: cn=gsuite-tses,ou=Groups,dc=anguslab,dc=io
> > memberOf: cn=meet-eng,ou=Groups,dc=anguslab,dc=io
> > uidNumber: 950057616
> > gidNumber: 950057616
> > homeDirectory: /home/victorhooi
> > loginShell: /bin/bash
> > gecos:
> >
> > # search result
> > search: 3
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> > I then added a new LDAP authentication realm using pvesh like so:
> >
> > # pvesh create /access/domains --realm gsuiteldap --type ldap \
> >     --base_dn dc=anguslab,dc=io --server1 ldap.google.com --port 636 \
> >     --cert /root/Google_2022_05_22_3494.crt \
> >     --certkey /root/Google_2022_05_22_3494.key \
> >     --user_attr victorhooi
> >
> > (I'm not sure about what I should set as the user_attr value - since it's
> > using certificate - but the command seemed to complete successfully).
>
> the user_attr value is the attribute on which we match the username,
> e.g. in your output above you should set it to 'uid'; we
> get the user with the username set in that field
>
> >
> > I then added a user with the same username in the Proxmox Web UI:
> >
> > <screenshot removed>
> >
> > I then logged out as "root", and tried to login as the new user. Oddly
> > enough - even when I selected the LDAP authentication realm - it's still
> > asking me for both a username and password. I would have thought it would
> > just be a username, and it'd somehow delegate to G Suite's SSO webpage?
>
> I guess there is some misunderstanding, pve authenticates via ldap,
> meaning that you supply a username and password, which will be verified
> by the ldap server, if it succeeds, you are successfully authenticated
>
> >
> > <screenshot removed>
> >
> > Anyhow - even after I enter in my G Suite username and password, it still
> > does not work (Login failed. Please try again.).
>
> probably because of the user_attr, since you have given 'victorhooi'
> it searches for a user with the attribute 'victorhooi=victorhooi'
> (which I guess does not exist)
>
> >
> > Are there some logfiles to help troubleshoot what's going on? Or is there
> > some issue with the steps above?
>
> there is the documentation (if you did not find it already):
> https://pve.proxmox.com/wiki/User_Management
>
> the journal should contain an error log if the authentication fails
> (with the ldap error message)
>
> I must admit, the whole ldap part is very underdocumented and some parts
> are still missing (ldap+starttls is missing for example)
>
> I hope this helps
>
> regards
> Dominik
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>

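The following is an added illustration of the user_attr point Dominik makes above; it is not Proxmox VE's code and was not part of the thread. It models the lookup step the way he describes it (search under base_dn for `(<user_attr>=<login name>)`, then bind as the entry found) against a single in-memory entry copied from the ldapsearch output earlier in the thread, so it runs offline. The helper names (`user_filter`, `lookup_user_dn`, `demo`) are mine, and the filter evaluator only handles one equality/substring clause. It also shows why the login name has to be escaped before it is put into the filter: a name of `*` pasted in raw matches every entry, which is the LDAP filter-injection case.

```python
"""Added example (not Proxmox VE code and not from the thread): what the
realm option user_attr selects.

Model used here, following Dominik's description: the server is searched
under base_dn with the filter (<user_attr>=<login name>) and the single
entry found is then bound with the supplied password. Only the search
step is modelled; the directory is one entry copied from the ldapsearch
output in the thread, so nothing talks to a network.
"""
import re

# Constructed from the LDIF printed in the thread (attributes trimmed).
LDIF = """\
dn: uid=victorhooi,ou=Users,dc=anguslab,dc=io
objectClass: inetOrgPerson
uid: victorhooi
googleUid: victorhooi
posixUid: victorhooi
cn: victorhooi
cn: Victor Hooi
memberOf: cn=chat-eng,ou=Groups,dc=anguslab,dc=io
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines,
    'attr: value' per line, attribute names lower-cased (LDAP names are
    case-insensitive). Each entry maps attr -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter. Without
    it a login name such as '*' or 'x)(uid=*' rewrites the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def user_filter(user_attr, username):
    """The filter a realm builds from user_attr and the typed login name."""
    return "(%s=%s)" % (user_attr, escape_filter_value(username))


def _decode(piece):
    # undo RFC 4515 \xx escapes in one literal part of a pattern
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), piece)


def match_filter(entry, filt):
    """Evaluate a single '(attr=pattern)' filter against one entry.
    Bare '*' is the LDAP wildcard; escaped characters are literal.
    Anything more complex (nested clauses) is rejected as unsupported."""
    m = re.fullmatch(r"\(([^=()]+)=([^()]*)\)", filt)
    if not m:
        return False
    attr, pattern = m.group(1).lower(), m.group(2)
    regex = ".*".join(re.escape(_decode(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE)
               for v in entry.get(attr, []))


def lookup_user_dn(entries, filt):
    """DN to bind as, or None when nothing (or more than one thing)
    matched. None is the case that ends in 'Login failed'."""
    hits = [e["dn"][0] for e in entries if match_filter(e, filt)]
    return hits[0] if len(hits) == 1 else None


def demo():
    entries = parse_ldif(LDIF)
    return {
        # user_attr victorhooi: no entry has an attribute named 'victorhooi'
        "wrong_attr": lookup_user_dn(entries, user_filter("victorhooi", "victorhooi")),
        # user_attr uid: the entry is found and its DN can then be bound
        "right_attr": lookup_user_dn(entries, user_filter("uid", "victorhooi")),
        # a login name of '*' is escaped to \2a and matches nothing
        "wildcard_escaped": lookup_user_dn(entries, user_filter("uid", "*")),
        # the same name pasted in unescaped matches every entry
        "wildcard_raw": lookup_user_dn(entries, "(uid=*)"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-17s %s" % (key, value))
```

Two practical notes on the thread itself. The "journal" Dominik refers to is the systemd journal on the node; `journalctl -u pvedaemon` is where the pvedaemon authentication errors land, not /var/log/messages or the cluster log. And the ldapsearch test above was run with `LDAPTLS_REQCERT=allow`, which skips verification of the server's certificate; that is acceptable for a one-off diagnostic, but the realm itself should be left verifying ldap.google.com's certificate, since the whole point of the client certificate is mutual authentication.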

