[pve-devel] LDAP integration with G Suite?

Victor Hooi victorhooi at yahoo.com
Fri May 24 14:42:33 CEST 2019


Hi,

Aha thank you! I can confirm this works for me as well (using verify = 1).

I would like to document this on the wiki - I was thinking this page?

https://pve.proxmox.com/wiki/User_Management

I do have a wiki account (username "Victorhooi") - however I don't seem to
have permission to edit pages?

Also - you're right in that I didn't quite understand the significance of
LDAP. In this case, you do still need to type in your username and
password, but it simply checks them against the LDAP source.

However, the holy grail is actually SSO - meaning the login prompt would
actually redirect you to the G Suite (Google) login page - or if you are
already logged in, it will use your existing session/cookie.

So maybe I'm looking for some kind of SAML integration? (old discussion
<https://forum.proxmox.com/threads/http-authentication-saml-single-sign-on.33701/>)
Or even just Google Sign-in
<https://developers.google.com/identity/sign-in/web/sign-in>. Is this
something we could start a bounty for? (I don't have the coding chops, or
the Perl knowledge to implement this, let alone implement it well. However,
I could certainly contribute to a bounty for it, if that would in any way
help.)

Thanks,
Victor

On Fri, May 24, 2019 at 6:49 PM Dominik Csapak <d.csapak at proxmox.com> wrote:

> hi,
>
> i now tested it successfully
>
> my /etc/pve/domains.cfg looks like this:
>
> ----8<----
> ldap: google
>          base_dn dc=anguslab,dc=io
>          server1 ldap.google.com
>          user_attr uid
>          verify 1
>          cert /root/google.crt
>          certkey /root/google.key
>          default 0
>          port 636
>          secure 1
> ---->8----
>
>
> important are three settings:
>
> user_attr uid
> secure 1
> verify 1 (this was missing)
>
> you need all 3 of those for it to work (verify is necessary so that our
> code actually uses the client cert/key)
>
> now i can login with the user/password combo and the 'google' realm
>
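An added example, not part of the original thread and not Proxmox code: a small Python check that reads text in the `domains.cfg` layout quoted above and flags LDAP realms that set `cert`/`certkey` without the three settings the quoted message calls necessary. The second sample realm, the function names and the message wording are constructed for illustration.

```python
import re
# Constructed sample in the layout quoted in the thread; "google_broken"
# is a hypothetical realm that omits "verify 1".
SAMPLE = """\
ldap: google
        server1 ldap.google.com
        user_attr uid
        verify 1
        cert /root/google.crt
        certkey /root/google.key
        secure 1

ldap: google_broken
        server1 ldap.google.com
        user_attr uid
        cert /root/google.crt
        certkey /root/google.key
        secure 1
"""

def parse_realms(text):
    """Parse 'type: id' headers followed by indented 'key value' lines."""
    realms, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\w+):\s*(\S+)\s*$", line)
        if header:
            current = realms.setdefault(header.group(2), {"type": header.group(1)})
        elif current is not None and line[:1] in (" ", "\t") and line.strip():
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
    return realms

def check_client_cert_realms(text):
    """Return {realm: [problems]} for LDAP realms that set cert or certkey."""
    findings = {}
    for name, opts in parse_realms(text).items():
        if opts["type"] != "ldap" or not (opts.keys() & {"cert", "certkey"}):
            continue  # only realms using a client certificate are checked
        problems = []
        # The three settings named in the quoted message.
        for key, want in (("secure", "1"), ("verify", "1"), ("user_attr", "uid")):
            if opts.get(key) != want:
                problems.append(f"{key} should be {want}")
        findings[name] = problems
    return findings

if __name__ == "__main__":
    for realm, problems in check_client_cert_realms(SAMPLE).items():
        print(realm, "OK" if not problems else problems)
```

To check a real host, pass the contents of `/etc/pve/domains.cfg` to `check_client_cert_realms` instead of `SAMPLE`.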


