* [PVE-User] PBS3 - can't add LDAP realm, same settings work fine with PVE7
From: Jan Vlach @ 2023-07-12 13:53 UTC (permalink / raw)
  To: pve-user

Hello,
I’m preparing the upgrade of our PVE 7.4 + PBS 2.4 infrastructure. I’ve started with the PBS, which boots in UEFI mode, to verify that I have a re-bootable machine as per the notes in the upgrade guide.

I have LDAP authentication working successfully in PVE, but I can’t get it working in PBS 3.
I’m trying to copy the settings from PVE, but Group classes and Group filter are missing in PBS, and I get a weird error message when trying to add the realm:

Could not search LDAP realm, base_dn could be incorrect: LDAP operation result rc=4 (sizeLimitExceeded), dn: "", text: "": rc=4 (sizeLimitExceeded), dn: "", text: ""

The bind user and server are redacted, there is no fallback server, and the password is managed by 1Password and is the same in both. I can successfully look it up via ldapsearch from the CLI (no firewall). There’s no encryption.

What am I doing wrong? 
Thank you,
JV

Detailed settings follow:

=== PVE7.4-15 settings ===

TAB: GENERAL
Realm: ldap
Base Domain Name: dc=economia,dc=cz
User Attribute Name: sAMAccountName
Default: True
Server: <redacted>
Fallback Server: <empty>
Port: Default
SSL: False
Verify Certificate: False, greyed out
Require TFA: none
Comment: LDAP

TAB: SYNC OPTIONS:
Bind User: CN=<redacted>,CN=Users,DC=economia,DC=cz
Bind Password: Unchanged, greyed out (I know this)
E-mail attribute: mail
Groupname attr.: sAMAccountName
Default Sync Options
Scope: Users and Groups

User classes: user
Group classes: group
User Filter: (MemberOf=CN=IT_OPS,OU=External,OU=Groups,DC=economia,DC=cz)
Group Filter: (|(sAMAccountName=IT_OPS))
Enable new users: Yes (Default)
Remove vanished options
ACL: True
Entry: True
Properties: True

=== PBS3 settings ====
TAB: GENERAL
Realm: ldap
Base Domain Name: dc=economia,dc=cz
User Attribute Name: sAMAccountName
Anonymous search: false
Bind Domain Name: CN=<redacted>,CN=Users,DC=economia,DC=cz // same user as above
Bind Password: <same as above, from 1Pass>
Server: <redacted>
Fallback Server: <empty>
Port: Default
Mode: LDAP
Verify certificate: greyed out, false

TAB: SYNC OPTIONS:
First Name attribute: givenName // verified with cli ldapsearch
Last Name attribute: sn
E-Mail attribute: mail

Default sync options
Enable new users: Yes (Default)

User classes: user
User filter: (MemberOf=CN=IT_OPS,OU=External,OU=Groups,DC=economia,DC=cz)
!! I’m missing Group classes
!! I’m missing Group Filter

Remove vanished options
ACL: True
Entry: True
Properties: True

On pressing add I get:
Could not search LDAP realm, base_dn could be incorrect: LDAP operation result rc=4 (sizeLimitExceeded), dn: "", text: "": rc=4 (sizeLimitExceeded), dn: "", text: ""


* Re: [PVE-User] PBS3 - can't add LDAP realm, same settings work fine with PVE7
From: Stefan Sterz @ 2023-07-12 14:28 UTC (permalink / raw)
  To: Proxmox VE user list

Sorry just noticed I accidentally replied off-list, so here it is again
on-list:

Yeah, this is a known problem in PBS 3.0 that I am currently trying to
solve [1]. As a workaround you should be able to edit the file
`/etc/proxmox-backup/domains.cfg` directly and add your LDAP
configuration there. Sorry for the inconvenience.

Something like this should work:

ldap: ldap
	base-dn dc=economia,dc=cz
	bind-dn CN=<redacted>,CN=Users,DC=economia,DC=cz
	mode ldap
	server1 <server>
	server2 <fallback>
	user-attr sAMAccountName

You also need to add your bind password under
`/etc/proxmox-backup/ldap_passwords.json` like so:

{
  "ldap": "<password>"
}

Obviously you need to replace the values between the "<>" brackets with
your actual configuration.

[1]: https://forum.proxmox.com/threads/pbs-ldap-issue.130199/#post-570923

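As an added example (not from this thread and not Proxmox project code), the following Python check is what I would run after configuring a realm by hand the way Stefan describes: it parses the section-config stanza format of `/etc/proxmox-backup/domains.cfg`, cross-checks it against `/etc/proxmox-backup/ldap_passwords.json`, and flags the things a reviewer would ask about (a `bind-dn` without a password entry or vice versa, a secret left in `domains.cfg`, a plain `ldap` mode that sends the bind password in cleartext, TLS without certificate verification, and a password file readable by other users). The stanza keys and the JSON shape are the ones posted above; the sample values are constructed. Assumptions beyond the thread: `mode` takes the values `ldap`, `ldaps` or `ldap+starttls`, `verify` is a boolean written in the usual section-config spellings (`1`/`true`/`on`/`yes`), and the password file is expected to be mode 0600.

```python
"""Sanity-check a hand-edited PBS LDAP realm against its password file.

Constructed example: keys mirror the stanza posted in this thread, values are
made up. Run with no arguments to check the embedded sample, or pass the paths
of domains.cfg and ldap_passwords.json to check a real host.
"""
import json
import os
import stat
import sys

# Constructed sample modelled on the stanza in the thread; server names are placeholders.
SAMPLE_DOMAINS_CFG = """\
ldap: ldap
\tbase-dn dc=economia,dc=cz
\tbind-dn CN=svc-pbs,CN=Users,DC=economia,DC=cz
\tmode ldap
\tserver1 ldap1.example.invalid
\tserver2 ldap2.example.invalid
\tuser-attr sAMAccountName
"""
SAMPLE_PASSWORDS_JSON = '{"ldap": "not-a-real-password"}'

REQUIRED_LDAP_KEYS = ("base-dn", "server1", "user-attr")
TRUE_WORDS = {"1", "on", "yes", "true"}  # assumed boolean spellings


def parse_section_config(text):
    """Parse section-config text into {section_id: {"type": str, "props": dict}}.

    An unindented 'type: id' line opens a section; the indented lines that
    follow are 'key value' pairs belonging to it.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            typ, sep, ident = line.partition(":")
            if not sep:
                raise ValueError(f"malformed section header: {line!r}")
            current = {"type": typ.strip(), "props": {}}
            sections[ident.strip()] = current
        else:
            if current is None:
                raise ValueError(f"property before any section header: {line!r}")
            key, _, value = line.strip().partition(" ")
            current["props"][key] = value.strip()
    return sections


def check_ldap_realms(domains_text, passwords_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    passwords = json.loads(passwords_text)
    realms = {rid: s for rid, s in parse_section_config(domains_text).items()
              if s["type"] == "ldap"}
    for rid, sec in realms.items():
        props = sec["props"]
        for key in REQUIRED_LDAP_KEYS:
            if key not in props:
                findings.append(f"{rid}: missing required key '{key}'")
        # A bind-dn needs a secret in ldap_passwords.json, and vice versa.
        if "bind-dn" in props and rid not in passwords:
            findings.append(f"{rid}: bind-dn set but no entry in ldap_passwords.json")
        if "bind-dn" not in props and rid in passwords:
            findings.append(f"{rid}: password entry present but no bind-dn")
        # The secret belongs only in the password file, never in domains.cfg.
        for key in ("password", "bind-password"):
            if key in props:
                findings.append(f"{rid}: '{key}' must not be stored in domains.cfg")
        mode = props.get("mode", "ldap")  # assumed default when the key is absent
        if mode == "ldap":
            findings.append(f"{rid}: mode 'ldap' sends the bind password in cleartext")
        elif mode in ("ldaps", "ldap+starttls"):
            if props.get("verify", "false").lower() not in TRUE_WORDS:
                findings.append(f"{rid}: TLS on but 'verify' is off, server cert unchecked")
        else:
            findings.append(f"{rid}: unknown mode '{mode}'")
    for rid in passwords:
        if rid not in realms:
            findings.append(f"ldap_passwords.json: entry for unknown realm '{rid}'")
    return findings


def mode_is_private(mode_bits):
    """True if no group/other permission bits are set (e.g. 0600)."""
    return mode_bits & 0o077 == 0


def password_file_is_private(path):
    """Check the on-disk mode of the password file (expected 0600, an assumption)."""
    return mode_is_private(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            domains = f.read()
        with open(sys.argv[2]) as f:
            secrets = f.read()
        if not password_file_is_private(sys.argv[2]):
            print(f"{sys.argv[2]}: readable by group or others; chmod 0600 it")
    else:
        domains, secrets = SAMPLE_DOMAINS_CFG, SAMPLE_PASSWORDS_JSON
    for finding in check_ldap_realms(domains, secrets):
        print(finding)
```

Run against the embedded sample it reports exactly the point Jan mentions in passing ("There's no encryption"): the stanza uses `mode ldap`, so the bind account's password crosses the network in cleartext on every sync and login. On a real host, `python3 check.py /etc/proxmox-backup/domains.cfg /etc/proxmox-backup/ldap_passwords.json` adds the file-mode check; the parser only understands the `type: id` plus indented `key value` layout shown in the thread and does not validate values against the PBS schema.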

* Re: [PVE-User] PBS3 - can't add LDAP realm, same settings work fine with PVE7
From: Jan Vlach @ 2023-07-12 16:33 UTC (permalink / raw)
  To: Proxmox VE user list

Hello Stefan,

no worries, and thank you for the quick reply and for directing me to where I should edit the files manually as a workaround.
I’ve even managed to edit the filter to see only users from the group I need.

I’m glad it’s known and you’re already working on it. I can wait for the full functionality when it’s available. 

Thank you and have a nice one.
JV


* Re: [PVE-User] PBS3 - can't add LDAP realm, same settings work fine with PVE7
From: Jan Vlach @ 2023-07-12 16:40 UTC (permalink / raw)
  To: Proxmox VE user list

As a side note, it would be cool to have groups (from LDAP and/or locally) and set permissions on them. I can’t really see myself keeping all the users and permissions consistent correctly :-(

JV