Authentication against an AD server in Proxmox

From RVM Wiki

REALM configuration

The first part creates the authentication service. On its own it can be sufficient, provided the users are then created manually in Proxmox.

  • Prepare an unprivileged account for the AD bind, for example with username ldapsvc in the Users container. WARNING: the name shown in the MMC snap-in must be ldapsvc, not the description. If necessary, rename it with F2.
  • In Proxmox, define the authentication REALM:
    • Authentication - Add - Active Directory Server
    • Realm - choose some name that speaks to you (or the one in cat /etc/krb5.conf )
    • Base Domain Name= dc=ad,dc=example,dc=com
    • User Attribute Name: sAMAccountName
    • Default - does not really matter
    • Server - input the IP or the host name of Domain Controller, whatever works in your setup
    • Port: I have it running on 636
    • SSL - is clicked for me
    • require TFA: none
  • This alone enables authentication against AD itself; however, if you do not go on to sync the groups and their members from AD, create the users manually in the freshly created Realm and assign them to a group with the proper permissions.

Importing users

Both users and groups can be imported from AD, avoiding the need to create them manually. What gets imported can be filtered. The import (sync) is run manually.

Go to the Sync Options tab.

  • Create a few groups in the AD, which will handle your proxmox access - for instance proxSupers, proxAdmins, proxUsers, proxReadOnly
  • Assign members to the groups
  • Now back in Prox
  • Bind user: CN=proxmox,OU=serviceAccounts,OU=company_users,DC=company,DC=local
  • To obtain the correct string, run this from Windows:
dsquery user dc=ad,dc=example,dc=com -name ldapsvc
"CN=ldapsvc,CN=Users,DC=ad,DC=example,DC=com"
  • Password: the password of your AD bind user (proxmox)
  • e-Mail attribute: mail
  • groupname attr: sAMAccountName
  • User classes: user or empty
  • Group classes: group or empty
  • The next part is the most important one!
  • Please take a look here if you want - the standard syntax for filtering LDAP structures:
  • https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
  • User Filter (this is to filter only the users, that will be imported, not the entire AD): (|(memberOf=CN=proxAdmins,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local)(memberOf=CN=proxSupers,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local)(memberOf=CN=proxReadOnly,OU=PROXMOX,OU=COMPANY_GROUPS,DC=company,DC=local))
  • To obtain the string, run this from Windows:
dsquery group dc=ad,dc=example,dc=com -name itm
"CN=itm,CN=Users,DC=ad,DC=example,DC=com"

Example:

(memberOf=CN=itm,CN=Users,DC=ad,DC=example,DC=com)

Group Filter (to filter, which groups to import): (|(sAMAccountName=prox*)) or empty
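The User Filter above is just one (memberOf=...) clause per AD group, OR-ed together with the LDAP (|...) operator, and the Group Filter is a wildcard on sAMAccountName. The following added example (not part of the original wiki page or of Proxmox) builds both strings from the group DNs that dsquery prints, escapes the values per RFC 4515 so that a group name containing parentheses, an asterisk or a backslash cannot change the meaning of the filter, and runs a balance check before the string is pasted into Proxmox. The container DN and the group names are constructed sample values modelled on the dsquery output on this page; the filter generalizes to any number of groups.

```python
"""Build and sanity-check the LDAP filters used for the Proxmox AD sync.

Added example, not code from the wiki page or from Proxmox. The container
DN, group names and service-account names below are constructed sample values.
"""
from typing import Iterable

# RFC 4515: these characters must be escaped inside an assertion value,
# otherwise a group name containing them alters the filter's structure.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value per RFC 4515 (each char handled once)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def group_dn(name: str, container: str) -> str:
    """Assemble a group DN in the shape dsquery prints: CN=<name>,<container>."""
    return f"CN={name},{container}"


def member_of_filter(group_dns: Iterable[str]) -> str:
    """Return the User Filter: one (memberOf=...) clause per group, OR-ed together.

    A single group yields a bare (memberOf=...) clause, matching the one-group
    example on the page; two or more are wrapped in (|...).
    """
    clauses = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    if not clauses:
        raise ValueError("at least one group DN is required")
    if len(clauses) == 1:
        return clauses[0]
    return "(|" + "".join(clauses) + ")"


def group_prefix_filter(prefix: str, attr: str = "sAMAccountName") -> str:
    """Return the Group Filter matching groups whose name starts with prefix."""
    return f"(|({attr}={escape_filter_value(prefix)}*))"


def check_balanced(filter_str: str) -> bool:
    """Cheap sanity check before pasting into Proxmox: the filter must be a
    single parenthesised expression with balanced parentheses."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False  # a ')' with no matching '('
            if depth == 0 and i != len(filter_str) - 1:
                return False  # trailing text after the first complete expression
    return depth == 0 and filter_str.startswith("(")


if __name__ == "__main__":
    # Constructed container DN, following the dsquery output layout on the page.
    container = "CN=Users,DC=ad,DC=example,DC=com"
    groups = [group_dn(g, container) for g in ("proxAdmins", "proxSupers", "proxReadOnly")]

    user_filter = member_of_filter(groups)
    print("User Filter :", user_filter)
    print("balanced    :", check_balanced(user_filter))

    # A group named "itm (legacy)" would break the filter without escaping.
    print("Escaped     :", member_of_filter([group_dn("itm (legacy)", container)]))
    print("Group Filter:", group_prefix_filter("prox"))
```

Paste the printed User Filter and Group Filter into the corresponding fields of the Sync Options tab. If check_balanced reports False for a hand-edited filter, Proxmox would reject it (or, worse, match an unintended set of users), so fix the string before running the sync.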

  • Select Users&Groups, Full, Enable New, Purge if you want to add automatically new users, purge the ones that are not in AD and etc.
  • Now log in to the interface with the root account!
  • And synchronize the groups and users.
  • All groups should import just fine and users will be in the groups
  • After that assign permissions to the imported groups.
  • And you are ready.
  • Re-run the sync of groups and users whenever something changes in AD.

References