[pve-devel] LDAP integration with G Suite?

Dominik Csapak d.csapak at proxmox.com
Mon May 27 09:10:25 CEST 2019


On 5/24/19 2:42 PM, Victor Hooi wrote:
> Hi,

Hi,

> 
> Aha thank you! I can confirm this works for me as well (using verify = 1).

Great that you got it working :)

> 
> I would like to document this on the wiki - I was thinking this page?
> 
> https://pve.proxmox.com/wiki/User_Management
> 
> I do have a wiki account (username "Victorhooi") - however I don't seem to
> have permission to edit pages?

This page is auto-generated from our reference documentation;
to edit this, you have to send a patch for our 'pve-docs' repository[0].
For details on how to do this, please see our developer documentation[1].
Alternatively, you could open a bug[2] and post your proposed changes
there and we can add it to our documentation.

> 
> Also - you're right in that I didn't quite understand the significance of
> LDAP. In this case, you do still need to type in your username and
> password, but it simply checks them against the LDAP source.
> 
> However, the holy grail is actually SSO - meaning the login prompt would
> actually redirect you to the G Suite (Google) login page - or if you are
> already logged in, it will use your existing session/cookie.
> 
> So maybe I'm looking for some kind of SAML integration? (old discussion
> <https://forum.proxmox.com/threads/http-authentication-saml-single-sign-on.33701/>)
> Or even just Google Sign-in
> <https://developers.google.com/identity/sign-in/web/sign-in>. Is this
> something we could start a bounty for? (I don't have the coding chops, or
> the Perl knowledge to implement this, let alone implement it well. However,
> I could certainly contribute to a bounty for it, if that would in any way
> help.)

Like Fabian already wrote in that thread, patches would be welcome,
but since this has a lower priority for us, I do not think anybody
from us has (currently) the time to implement it themselves.

Also we do not have a bounty program (or similar), but if you
can find someone who is willing to implement it for you
that would also be fine. Just make sure that that someone
reads our developer documentation, and approaches us with
a rough outline beforehand.
(To avoid unnecessary work and patch revisions.)

> 
> Thanks,
> Victor

I hope I could help you.
Regards,
Dominik


0: https://git.proxmox.com/?p=pve-docs.git;a=summary
1: https://pve.proxmox.com/wiki/Developer_Documentation
2: https://bugzilla.proxmox.com

> 
> On Fri, May 24, 2019 at 6:49 PM Dominik Csapak <d.csapak at proxmox.com> wrote:
> 
>> Hi,
>>
>> I now tested it successfully.
>>
>> My /etc/pve/domains.cfg looks like this:
>>
>> ----8<----
>> ldap: google
>>           base_dn dc=anguslab,dc=io
>>           server1 ldap.google.com
>>           user_attr uid
>>           verify 1
>>           cert /root/google.crt
>>           certkey /root/google.key
>>           default 0
>>           port 636
>>           secure 1
>> ---->8----
>>
>>
>> Important are three settings:
>>
>> user_attr uid
>> secure 1
>> verify 1 (this was missing)
>>
>> You need all 3 of those for it to work (verify is necessary so that our
>> code actually uses the client cert/key).
>>
>> Now I can log in with the user/password combo and the 'google' realm.
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>
> 
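
As an added example (not part of the original thread and not Proxmox code), the following Python check parses text in the section layout shown in the quoted `/etc/pve/domains.cfg` and reports LDAP realms that lack any of the three settings the message calls important for the G Suite setup. The parsing rules, the function names and the second sample realm are assumptions made for this illustration.

```python
import re

# Constructed sample: the first realm is shortened from the quoted config,
# the second is a constructed variant with 'verify' left out.
SAMPLE = """\
ldap: google
        server1 ldap.google.com
        user_attr uid
        verify 1
        cert /root/google.crt
        certkey /root/google.key
        secure 1

ldap: google-noverify
        server1 ldap.google.com
        user_attr uid
        cert /root/google.crt
        certkey /root/google.key
        secure 1
"""

# Assumed layout: unindented "type: realm" header, then indented "key value" lines.
HEADER = re.compile(r"^(\S+):\s+(\S+)\s*$")

def parse_realms(text):
    """Return {realm: {"type": ..., key: value, ...}} for each section."""
    realms, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            current = realms.setdefault(m.group(2), {"type": m.group(1)})
        elif current is not None and line[0].isspace():
            parts = line.split(None, 1)
            current[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return realms

def check_ldap_realm(opts):
    """List which of the three settings named in the message are not in place."""
    required = (("user_attr", "uid"), ("secure", "1"))
    problems = [f"{k} is not {v}" for k, v in required if opts.get(k) != v]
    # Per the message, the client cert/key is only used when verify is 1.
    if ("cert" in opts or "certkey" in opts) and opts.get("verify") != "1":
        problems.append("cert/certkey set but verify is not 1")
    return problems

def audit(text):
    """Map each ldap realm name to its list of problems (empty list = OK)."""
    return {n: check_ldap_realm(o) for n, o in parse_realms(text).items() if o["type"] == "ldap"}

if __name__ == "__main__":
    for realm, problems in audit(SAMPLE).items():
        print(realm, "OK" if not problems else problems)
```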