[pve-devel] LDAP integration with G Suite?

Victor Hooi victorhooi at yahoo.com
Thu May 23 13:11:17 CEST 2019


Hi,

I thought I'd try setting the "secure" value to true:

```
# pvesh create /access/domains --realm anguslab.io --type ldap \
    --base_dn dc=anguslab,dc=io --server1 ldap.google.com --port 636 \
    --cert /root/Google_2022_05_22_3494.crt --certkey /root/Google_2022_05_22_3494.key \
    --user_attr victorhooi --secure 1
```

Now, instead of "no entries returned", I get "invalid username":

```
May 23 21:02:41 syd1 pvedaemon[77112]: authentication failure; rhost=127.0.0.1 user=victorhooi@anguslab.io msg=Invalid username
```

Does that tell us anything? (i.e. should secure be on?)

Thanks,
Victor

On Thu, May 23, 2019 at 8:56 PM Victor Hooi <victorhooi at yahoo.com> wrote:

> Hi,
>
> Thanks for clarifying about the log line. So in this case, it seems it did
> query by the right uid.
>
> In that case I'm pretty stumped - as you can see from the OP - ldapsearch
> was able to successfully query against the same LDAP server:
>
> ```
> $ LDAPTLS_REQCERT=allow LDAPTLS_CERT=Google_2022_05_22_3494.crt \
>     LDAPTLS_KEY=Google_2022_05_22_3494.key \
>     ldapsearch -H ldaps://ldap.google.com:636 -b dc=anguslab,dc=io '(uid=victorhooi)'
> SASL/EXTERNAL authentication started
> SASL username: st=California,c=US,ou=GSuite,cn=LDAP Client,l=Mountain View,o=Google Inc.
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <dc=anguslab,dc=io> with scope subtree
> # filter: (uid=victorhooi)
> # requesting: ALL
> #
>
> # victorhooi, Users, anguslab.io
> dn: uid=victorhooi,ou=Users,dc=anguslab,dc=io
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> uid: victorhooi
> googleUid: victorhooi
> posixUid: victorhooi
> cn: victorhooi
> cn: Victor Hooi
> sn: Hooi
> displayName: Victor Hooi
> givenName: Victor
> mail: victorhooi@anguslab.io
> memberOf: cn=chat-eng,ou=Groups,dc=anguslab,dc=io
> memberOf: cn=drive-eng,ou=Groups,dc=anguslab,dc=io
> memberOf: cn=gsuite-tses,ou=Groups,dc=anguslab,dc=io
> memberOf: cn=meet-eng,ou=Groups,dc=anguslab,dc=io
> uidNumber: 950057616
> gidNumber: 950057616
> homeDirectory: /home/victorhooi
> loginShell: /bin/bash
> gecos:
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> ```
> Is there some way to enable more verbose logging?
>
> G Suite LDAP uses self-signed certificates (hence LDAPTLS_REQCERT=allow
> in the above) - but I notice per the docs that by default, Proxmox
> doesn't verify the SSL certificate, so it can't be that.
>
> Any other ideas on what's going on?
>
> Cheers,
> Victor
>
> On Thu, May 23, 2019 at 7:27 PM Andreas Steinel <a.steinel at gmail.com>
> wrote:
>
>> On Thu, May 23, 2019 at 11:03 AM Victor Hooi <victorhooi at yahoo.com>
>> wrote:
>>
>> > I noticed in the log line above the user is printed as
>> > "victorhooi at gsuiteldap" - is this the actual username that Proxmox
>> > attempted to query the LDAP server on?
>> >
>>
>> No, this is the internal PVE name
>>   <username>@<realm>
>>
>> --
>> With kind regards / Mit freundlichen Grüßen
>>
>> Andreas Steinel
>> M.Sc. Visual Computing
>> M.Sc. Informatik
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>
>

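Editor's added example (not Proxmox's code and not part of the thread): a model of the lookup a Proxmox LDAP realm performs before it binds as the user, run offline against the entry that ldapsearch returned above. It assumes, based on the documented meaning of `user_attr` as the LDAP user attribute name, that the realm searches `base_dn` with the filter `(<user_attr>=<username>)` and binds as the single DN that comes back. Under that assumption the pvesh command above, with `--user_attr victorhooi`, sends `(victorhooi=victorhooi)`, which can never match the entry, whereas `--user_attr uid` sends the same `(uid=victorhooi)` filter that ldapsearch used. The block also shows why the username must be escaped per RFC 4515 before it goes into the filter (a username of `*` would otherwise match every user). `SAMPLE_LDIF`, the second entry `alice`, and all function names are mine; the first LDIF entry is trimmed from the thread's output.

```python
"""Model of the user lookup a Proxmox LDAP realm performs, run against the
entry ldapsearch returned in this thread.  Added example, not Proxmox code.

Assumption: the realm searches base_dn with the filter (<user_attr>=<username>)
and then binds as the single DN that comes back; user_attr is therefore an
attribute NAME such as "uid", not a username.  Escaping follows RFC 4515."""
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# First entry trimmed from the ldapsearch output quoted in the thread; the
# second entry ("alice") is constructed for the wildcard demonstration.
SAMPLE_LDIF = """\
dn: uid=victorhooi,ou=Users,dc=anguslab,dc=io
objectClass: inetOrgPerson
objectClass: posixAccount
uid: victorhooi
googleUid: victorhooi
cn: victorhooi
cn: Victor Hooi
mail: victorhooi@anguslab.io
memberOf: cn=chat-eng,ou=Groups,dc=anguslab,dc=io
uidNumber: 950057616

dn: uid=alice,ou=Users,dc=anguslab,dc=io
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse the LDIF subset above: 'dn:' starts an entry, 'attr: value'
    lines add values, a blank line ends the entry, '#' lines are comments."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


# RFC 4515 section 3: these characters must be escaped in an assertion value,
# otherwise a username such as "*" becomes a wildcard in the search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(user_attr: str, username: str, escape: bool = True) -> str:
    """The filter the realm is assumed to send: (<user_attr>=<username>)."""
    value = escape_filter_value(username) if escape else username
    return f"({user_attr}={value})"


_FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>[^()]*)\)$")


def _assertion_to_regex(value: str) -> "re.Pattern[str]":
    """Unescaped '*' is a wildcard, '\\XX' is a literal character (RFC 4515)."""
    parts: List[str] = []
    literal, i = "", 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            literal += chr(int(value[i + 1:i + 3], 16))
            i += 3
        elif ch == "*":
            parts.extend([re.escape(literal), ".*"])
            literal = ""
            i += 1
        else:
            literal += ch
            i += 1
    parts.append(re.escape(literal))
    # uid uses caseIgnoreMatch in the standard schema, hence IGNORECASE.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def search(entries: List[Entry], ldap_filter: str) -> List[Entry]:
    """Evaluate a single equality filter against the parsed entries."""
    m = _FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    rx = _assertion_to_regex(m["value"])
    return [e for e in entries if any(rx.match(v) for v in e.get(m["attr"].lower(), []))]


def lookup_user_dn(entries: List[Entry], user_attr: str, username: str,
                   escape: bool = True) -> Optional[str]:
    """DN the realm would bind as; None for zero hits (Proxmox's
    'no entries returned') and also for an ambiguous match."""
    hits = search(entries, build_user_filter(user_attr, username, escape))
    return hits[0]["dn"][0] if len(hits) == 1 else None


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    # As in the thread's pvesh command: --user_attr victorhooi
    print(build_user_filter("victorhooi", "victorhooi"),
          "->", lookup_user_dn(ENTRIES, "victorhooi", "victorhooi"))
    # With the attribute name instead
    print(build_user_filter("uid", "victorhooi"),
          "->", lookup_user_dn(ENTRIES, "uid", "victorhooi"))
    # Wildcard username, escaped (safe) versus raw (matches every user)
    print(build_user_filter("uid", "*"), "->", lookup_user_dn(ENTRIES, "uid", "*"))
    print(build_user_filter("uid", "*", escape=False), "->",
          len(search(ENTRIES, build_user_filter("uid", "*", escape=False))), "entries")
```

Run it with `python3` and compare the two filters it prints for the `victorhooi` username. The lookup deliberately returns None for an ambiguous match as well as for zero matches, because binding as "whichever entry came back first" is how a wildcard or an over-broad `user_attr` turns into an authentication bypass; a real client library builds the filter from structured arguments and escapes for you, but the attribute name still has to be right. The model says nothing about transport: with `LDAPTLS_REQCERT=allow` on the ldapsearch side, or a realm that does not verify the server certificate, the user's bind password goes to whoever can impersonate ldap.google.com, so that setting should be revisited once the lookup works.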