[pve-devel] LDAP integration with G Suite?

Victor Hooi victorhooi at yahoo.com
Fri May 24 08:33:46 CEST 2019


Hi,

Of course, here is a slightly sanitised user.cfg - I have sent you the full
file in a separate email:

```
root@syd1:~# cat /etc/pve/user.cfg
user:root@pam:1:0:::victorhooi@example.com:::
user:victorhooi@anguslab.io:1:0::::::
<some users removed>

<some groups removed>

pool:windows_7::100::


<some acls removed>
```

Here is my full domains.cfg:

```
root@syd1:~# cat /etc/pve/domains.cfg
pam: pam
        comment Linux PAM standard authentication

pve: pve
        comment Proxmox VE authentication server

ldap: anguslab.io
        base_dn dc=anguslab,dc=io
        server1 ldap.google.com
        user_attr uid
        cert /root/Google_2022_05_22_3494.crt
        certkey /root/Google_2022_05_22_3494.key
        port 636
        secure 0
```

Here is the output of pveversion -v:

```
root@syd1:~# pveversion -v
proxmox-ve: 5.4-1 (running kernel: 4.15.18-14-pve)
pve-manager: 5.4-6 (running version: 5.4-6/aa7856c5)
pve-kernel-4.15: 5.4-2
pve-kernel-4.15.18-14-pve: 4.15.18-39
pve-kernel-4.15.18-12-pve: 4.15.18-36
pve-kernel-4.15.18-11-pve: 4.15.18-34
pve-kernel-4.15.18-9-pve: 4.15.18-30
ceph: 12.2.12-pve1
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-10
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-52
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-13
libpve-storage-perl: 5.0-43
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-3
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-3
proxmox-widget-toolkit: 1.0-28
pve-cluster: 5.0-37
pve-container: 2.0-39
pve-docs: 5.4-2
pve-edk2-firmware: 1.20190312-1
pve-firewall: 3.0-21
pve-firmware: 2.0-6
pve-ha-manager: 2.0-9
pve-i18n: 1.1-4
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 3.0.1-2
pve-xtermjs: 3.12.0-1
qemu-server: 5.0-51
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.13-pve1~bpo2
```

I also created a test G Suite account for you, and a test G Suite LDAP
service with separate certificates - I included that in the separate email
as well. You can use ldapsearch against the endpoint, or you could link
your own Proxmox instance against it.

It is very strange that this doesn't work, and that the audit records on
the server side don't show any attempts.

Thanks,
Victor

On Fri, May 24, 2019 at 4:11 PM Dominik Csapak <d.csapak at proxmox.com> wrote:

> On 5/23/19 5:46 PM, Victor Hooi wrote:
> > G Suite also has audit records for the Secure LDAP service:
> >
> > https://i.imgur.com/rvV9BXL.png
> >
> > In this case - I can see entries for each time I used ldapsearch.
> >
> > However, I do *not* see any entries for each time I try to login on
> > Proxmox. So it seems like it's not even hitting the server, yet Proxmox is
> > saying "no entries returned"?
> >
>
> mhmm.. a 'normal' ldap server works here without problems,
>
> can you post your /etc/pve/user.cfg and /etc/pve/domain.cfg
> (you can also send it to me directly if you do not want to send
> them on the list)
>
> so that i can check if i see anything in the configuration that might be
> wrong (also what is your 'pveversion -v' ?)
>
> i have no access to a gsuite account, so i cannot test this directly
>
> regards dominik