[pve-devel] LDAP integration with G Suite?

Victor Hooi victorhooi at yahoo.com
Thu May 23 12:56:31 CEST 2019


Hi,

Thanks for clarifying about the log line. So in this case, it seems it did
query by the right uid.

In that case I'm pretty stumped - as you can see from the OP, ldapsearch
was able to successfully query against the same LDAP server:

```
$ LDAPTLS_REQCERT=allow LDAPTLS_CERT=Google_2022_05_22_3494.crt \
  LDAPTLS_KEY=Google_2022_05_22_3494.key \
  ldapsearch -H ldaps://ldap.google.com:636 -b dc=anguslab,dc=io '(uid=victorhooi)'
SASL/EXTERNAL authentication started
SASL username: st=California,c=US,ou=GSuite,cn=LDAP Client,l=Mountain View,o=Google Inc.
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=anguslab,dc=io> with scope subtree
# filter: (uid=victorhooi)
# requesting: ALL
#

# victorhooi, Users, anguslab.io
dn: uid=victorhooi,ou=Users,dc=anguslab,dc=io
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: victorhooi
googleUid: victorhooi
posixUid: victorhooi
cn: victorhooi
cn: Victor Hooi
sn: Hooi
displayName: Victor Hooi
givenName: Victor
mail: victorhooi at anguslab.io
memberOf: cn=chat-eng,ou=Groups,dc=anguslab,dc=io
memberOf: cn=drive-eng,ou=Groups,dc=anguslab,dc=io
memberOf: cn=gsuite-tses,ou=Groups,dc=anguslab,dc=io
memberOf: cn=meet-eng,ou=Groups,dc=anguslab,dc=io
uidNumber: 950057616
gidNumber: 950057616
homeDirectory: /home/victorhooi
loginShell: /bin/bash
gecos:

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
```
Is there some way to enable more verbose logging?

G Suite LDAP uses self-signed certificates (hence LDAPTLS_REQCERT=allow in
the above) - but I notice per the docs that by default, Proxmox doesn't
verify the SSL certificate, so it can't be that.

Any other ideas on what's going on?

Cheers,
Victor

On Thu, May 23, 2019 at 7:27 PM Andreas Steinel <a.steinel at gmail.com> wrote:

> On Thu, May 23, 2019 at 11:03 AM Victor Hooi <victorhooi at yahoo.com> wrote:
>
> > I noticed in the log line above the user is printed as
> > "victorhooi at gsuiteldap" - is this the actual username that Proxmox
> > attempted to query the LDAP server on?
> >
>
> No, this is the internal PVE name
>   <username>@<realm>
>
> --
> With kind regards / Mit freundlichen Grüßen
>
> Andreas Steinel
> M.Sc. Visual Computing
> M.Sc. Informatik
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
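Added example, not code from this thread or from Proxmox: it applies Andreas's point that `victorhooi@gsuiteldap` is PVE's internal `<username>@<realm>` form and only the left part is an LDAP uid, builds the escaped `(uid=...)` filter that ldapsearch sent, and parses the LDIF reply above to pull the entry's dn and memberOf groups. The embedded LDIF is a constructed, trimmed copy of that output; the function names are my own.

```python
# Constructed sample: a trimmed copy of the ldapsearch LDIF output quoted in the thread.
SAMPLE_LDIF = """\
# victorhooi, Users, anguslab.io
dn: uid=victorhooi,ou=Users,dc=anguslab,dc=io
objectClass: top
objectClass: inetOrgPerson
uid: victorhooi
cn: victorhooi
cn: Victor Hooi
memberOf: cn=chat-eng,ou=Groups,dc=anguslab,dc=io
memberOf: cn=drive-eng,ou=Groups,dc=anguslab,dc=io
uidNumber: 950057616
gecos:

# search result
search: 3
result: 0 Success
"""

def split_pve_name(name):
    """Split PVE's internal <username>@<realm> form; only <username> is sent to LDAP."""
    user, sep, realm = name.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("expected <username>@<realm>, got %r" % name)
    return user, realm

# RFC 4515 escapes, so a login name cannot alter the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def uid_filter(user):
    """Build the same (uid=...) filter ldapsearch used, with the value escaped."""
    return "(uid=%s)" % "".join(_ESCAPES.get(ch, ch) for ch in user)

def parse_ldif_entries(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts (comments skipped)."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():            # blank line terminates a record
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def lookup(ldif_text, pve_name):
    """Return the entry whose uid matches the username part of a PVE name, or None."""
    user, _realm = split_pve_name(pve_name)
    for entry in parse_ldif_entries(ldif_text):
        if "dn" in entry and user in entry.get("uid", []):   # skips the result record
            return entry
    return None
```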
