From: Stefan Sterz
To: Proxmox VE user list
Date: Wed, 12 Jul 2023 16:28:20 +0200
Subject: Re: [PVE-User] PBS3 - can't add LDAP realm, same settings work fine with PVE7

Sorry, just noticed I accidentally replied off-list, so here it is again on-list:

Yeah, this is a known problem in PBS 3.0 that I am currently trying to solve [1]. As a workaround you should be able to edit the file `/etc/proxmox-backup/domains.cfg` directly and add your LDAP configuration there. Sorry for the inconvenience. Something like this should work:

ldap: ldap
    base-dn dc=economia,dc=cz
    bind-dn CN=,CN=Users,DC=economia,DC=cz
    mode ldap
    server1
    server2
    user-attr sAMAccountName

You also need to add your bind password under `/etc/proxmox-backup/ldap_passwords.json` like so:

{ "ldap": "" }

Obviously you need to replace the values between the "<>" brackets with your actual configuration.

[1]: https://forum.proxmox.com/threads/pbs-ldap-issue.130199/#post-570923

On 12.07.23 15:53, Jan Vlach wrote:
> Hello,
> I’m preparing upgrade of our PVE7.4 + PBS2.4 infrastructure, I’ve started with PBS that boots in UEFI mode to verify that I have a re-bootable machine as per notes in upgrade guide.
>
> I have LDAP authentication working successfully in PVE, but I can’t get it working in the PBS3
> I’m trying to copy the settings from PVE, I’m missing Group classes and Group filter in PBS and I get weird error message on trying to add:
>
> Could not search LDAP realm, base_dn could be incorrect: LDAP operation result rc=4 (sizeLimitExceeded), dn: “”, text: “”: rc=4 (sizeLimitExceeded), dn: “”, text: “”
>
> bind user and server are redacted, there is no fallback server, password is managed by 1Password and is same. I can successfully lookup via ldapsearch from cli (no firewall). There’s no encryption.
>
> What am I doing wrong?
> Thank you,
> JV
>
> Detailed settings follow:
>
> === PVE7.4-15 settings ===
>
> TAB: GENERAL TAB:
> Realm: ldap
> Base Domain Name: dc=economia,dc=cz
> User Attribute Name: sAMAccountName
> Default: True
> Server:
> Fallback Server:
> Port: Default
> SSL: False
> Verify Certificate: False, greyed out
> Require TFA: none
> Comment: LDAP
>
> TAB: SYNC OPTIONS:
> Bind User: CN=,CN=Users,DC=economia,DC=cz
> Bind Password: Unchanged, greyed out (I know this)
> E-mail attribute: mail
> Groupname attr.: sAMAccountName
> Default Sync Options
> Scope: Users and Groups
>
> User classes: user
> Group classes: group
> User Filter: (MemberOf=CN=IT_OPS,OU=External,OU=Groups,DC=economia,DC=cz)
> Group Filter: (|(sAMAccountName=IT_OPS))
> Enable new users: Yes (Default)
> Remove vanished options
> ACL: True
> Entry: True
> Properties: True
>
> === PBS3 settings ====
> TAB: GENERAL
> Realm: ldap
> Base Domain Name: dc=economia,dc=cz
> User Attribute Name: sAMAccountName
> Anonymous search: false
> Bind Domain Name: CN=,CN=Users,DC=economia,DC=cz // same user as above
> Bind Password:
> Server:
> Fallback Server:
> Port: Default
> Mode: LDAP
> Verify certificate: greyed out, false
>
> TAB: SYNC OPTIONS:
> First Name attribute: givenName // verified with cli ldapsearch
> Last Name attribute: sn
> E-Mail attribute: mail
>
> Default sync options
> Enable new users: Yes (Default)
>
> User classes: user
> User filter: (MemberOf=CN=IT_OPS,OU=External,OU=Groups,DC=economia,DC=cz)
> !! I miss group classes
> !! I miss Group Filter
>
> Remove vanished options
> ACL: True
> Entry: True
> Properties: True
>
> On pressing add I get:
> Could not search LDAP realm, base_dn could be incorrect: LDAP operation result rc=4 (sizeLimitExceeded), dn: “”, text: “”: rc=4 (sizeLimitExceeded), dn: “”, text: “”
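
Added example (not part of the mail above and not Proxmox code): a Python check for the hand-edited workaround files, reporting leftover "<>" placeholders, an LDAP realm whose bind-dn has no entry in the password JSON, and `mode ldap`, which sends the bind password unencrypted. The function names, the sample host name and the `<bind-user>` placeholder are assumptions made for illustration; the config layout follows the snippet in the mail.

```python
import json
import re

# Constructed sample inputs in the layout shown in the mail; the host name and
# the <bind-user> placeholder are made up, not values from the thread.
SAMPLE_DOMAINS_CFG = """\
ldap: ldap
    base-dn dc=economia,dc=cz
    bind-dn CN=<bind-user>,CN=Users,DC=economia,DC=cz
    mode ldap
    server1 dc1.example.test
    user-attr sAMAccountName
"""
SAMPLE_PASSWORDS_JSON = '{ "other-realm": "constructed-secret" }'

def parse_domains_cfg(text):
    """Parse 'type: realm' headers followed by indented 'key value' lines."""
    realms, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = re.match(r"^(\S+):\s*(\S+)\s*$", line)
        if header and not line[0].isspace():
            current = {"type": header.group(1)}
            realms[header.group(2)] = current
        elif current is not None and line[0].isspace():
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
    return realms

def check_ldap_realms(cfg_text, passwords_text):
    """Return sorted (realm, finding) pairs for hand-edited LDAP realms."""
    passwords = json.loads(passwords_text)
    findings = []
    for realm, props in parse_domains_cfg(cfg_text).items():
        if props["type"] != "ldap":
            continue
        for key, value in props.items():
            if re.search(r"<[^>]*>", value):
                findings.append((realm, f"placeholder left in {key}"))
        if "bind-dn" in props and not passwords.get(realm):
            findings.append((realm, "bind-dn set but no bind password entry"))
        if props.get("mode") == "ldap":
            findings.append((realm, "mode ldap: bind password sent unencrypted"))
    return sorted(findings)

if __name__ == "__main__":
    for realm, finding in check_ldap_realms(SAMPLE_DOMAINS_CFG, SAMPLE_PASSWORDS_JSON):
        print(f"{realm}: {finding}")
```

To check a real host, pass the contents of `/etc/proxmox-backup/domains.cfg` and `/etc/proxmox-backup/ldap_passwords.json` to `check_ldap_realms` instead of the constructed samples.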