[pve-devel] LDAP integration with G Suite?

Victor Hooi victorhooi at yahoo.com
Thu May 23 11:02:46 CEST 2019


Sorry, I was incorrect - there actually is a line logged in /var/log/syslog
when I get the "Login failed. Please try again.":

```
May 23 18:41:48 syd1 pvedaemon[84179]: authentication failure;
rhost=127.0.0.1 user=victorhooi@gsuiteldap msg=no entries returned
```

Is that what you meant by "journal"? (i.e. /var/log/syslog) Let me know if
there's other logfiles I should be looking for.

I noticed in the log line above the user is printed as
"victorhooi@gsuiteldap" - is this the actual username that Proxmox
attempted to query the LDAP server on?

I thought I'd try changing the realm to "anguslab.io" since that is the
actual G Suite domain - however, I get the same error:

```
May 23 18:55:42 syd1 pvedaemon[77112]: authentication failure;
rhost=127.0.0.1 user=victorhooi@anguslab.io msg=no entries returned
```

I believe the username should be "victorhooi" - what does Proxmox actually
send to the LDAP server?

Or any other theories on why it's not working?

On Thu, May 23, 2019 at 4:45 PM Victor Hooi <victorhooi at yahoo.com> wrote:

> I tried changing user_attr to "uid", and I still get "Login failed. Please
> try again."
>
> You mentioned the journal should contain an error log if the
> authentication fails - where is this journal please?
>
> (I didn't see anything in /var/log/messages, or in the "Cluster log" in
> the Web UI).
>
> On Thu, May 23, 2019 at 4:34 PM Dominik Csapak <d.csapak at proxmox.com>
> wrote:
>
>> On 5/23/19 6:34 AM, Victor Hooi wrote:
>> > *(Sending again with screenshots removed)*
>> >
>> > Hi,
>>
>> Hi,
>>
>> >
>> > Aha, I am glad to know it's meant to work out of the box - I merely had
>> > some concerns around support for LDAP certificate authentication (forum
>> > post <https://forum.proxmox.com/threads/ldap-authentication-does-it-support-client-certificates.52439/>).
>> > If I get this working, it would be good to get this added to the wiki
>> > perhaps.
>> >
>> > However, I'm not able to get it working.
>> >
>> > I have verified with ldapsearch that I can successfully lookup users
>> > against the Google Secure LDAP service:
>> >
>> > $ LDAPTLS_REQCERT=allow LDAPTLS_CERT=Google_2022_05_22_3494.crt \
>> >   LDAPTLS_KEY=Google_2022_05_22_3494.key ldapsearch \
>> >   -H ldaps://ldap.google.com:636 -b dc=anguslab,dc=io '(uid=victorhooi)'
>> > SASL/EXTERNAL authentication started
>> > SASL username: st=California,c=US,ou=GSuite,cn=LDAP Client,l=Mountain
>> > View,o=Google Inc.
>> > SASL SSF: 0
>> > # extended LDIF
>> > #
>> > # LDAPv3
>> > # base <dc=anguslab,dc=io> with scope subtree
>> > # filter: (uid=victorhooi)
>> > # requesting: ALL
>> > #
>> >
>> > # victorhooi, Users, anguslab.io
>> > dn: uid=victorhooi,ou=Users,dc=anguslab,dc=io
>> > objectClass: top
>> > objectClass: person
>> > objectClass: organizationalPerson
>> > objectClass: inetOrgPerson
>> > objectClass: posixAccount
>> > uid: victorhooi
>> > googleUid: victorhooi
>> > posixUid: victorhooi
>> > cn: victorhooi
>> > cn: Victor Hooi
>> > sn: Hooi
>> > displayName: Victor Hooi
>> > givenName: Victor
>> > mail: victorhooi@anguslab.io
>> > memberOf: cn=chat-eng,ou=Groups,dc=anguslab,dc=io
>> > memberOf: cn=drive-eng,ou=Groups,dc=anguslab,dc=io
>> > memberOf: cn=gsuite-tses,ou=Groups,dc=anguslab,dc=io
>> > memberOf: cn=meet-eng,ou=Groups,dc=anguslab,dc=io
>> > uidNumber: 950057616
>> > gidNumber: 950057616
>> > homeDirectory: /home/victorhooi
>> > loginShell: /bin/bash
>> > gecos:
>> >
>> > # search result
>> > search: 3
>> > result: 0 Success
>> >
>> > # numResponses: 2
>> > # numEntries: 1
>> >
>> > I then added a new LDAP authentication realm using pvesh like so:
>> >
>> > # pvesh create /access/domains --realm gsuiteldap --type ldap \
>> >   --base_dn dc=anguslab,dc=io --server1 ldap.google.com --port 636 \
>> >   --cert /root/Google_2022_05_22_3494.crt \
>> >   --certkey /root/Google_2022_05_22_3494.key --user_attr victorhooi
>> >
>> > (I'm not sure about what I should set as the user_attr value - since
>> > it's using certificate - but the command seemed to complete successfully).
>>
>> the user_attr value is the attribute on which we match the username,
>> e.g. in your output above you should set it to 'uid'; we
>> get the user with the username set in that field
>>
>> >
>> > I then added a user with the same username in the Proxmox Web UI:
>> >
>> > <screenshot removed>
>> >
>> > I then logged out as "root", and tried to login as the new user. Oddly
>> > enough - even when I selected the LDAP authentication realm - it's still
>> > asking me for both a username and password. I would have thought it
>> > would just be a username, and it'd somehow delegate to G Suite's SSO
>> > webpage?
>>
>> i guess there is some misunderstanding: pve authenticates via ldap,
>> meaning that you supply a username and password, which will be verified
>> by the ldap server; if it succeeds, you are successfully authenticated
>>
>> >
>> > <screenshot removed>
>> >
>> > Anyhow - even after I enter in my G Suite username and password, it
>> > still does not work (Login failed. Please try again.).
>>
>> probably because of the user_attr, since you have given 'victorhooi'
>> it searches for a user with the attribute 'victorhooi=victorhooi'
>> (which i guess does not exist)
>>
>> >
>> > Are there some logfiles to help troubleshoot what's going on? Or is
>> > there some issue with the steps above?
>>
>> there is the documentation (if you have not found it already):
>> https://pve.proxmox.com/wiki/User_Management
>>
>> the journal should contain an error log if the authentication fails
>> (with the ldap error message)
>>
>> i must admit, the whole ldap part is very underdocumented and some parts
>> are still missing (ldap+starttls is missing for example)
>>
>> i hope this helps
>>
>> regards
>> Dominik
>>
>>
>>
>
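An added example, not code from Proxmox or from anyone in this thread: an offline simulation of the realm lookup Dominik describes, run against the entry from the ldapsearch output above. It assumes the "@realm" suffix of the PVE userid is stripped before the search and that the filter is built as `(user_attr=username)`; `escape_filter_value` is a hypothetical helper showing the RFC 4515 escaping such a filter needs.

```python
# Constructed sample: the entry from the ldapsearch output in the thread,
# used as an in-memory stand-in for the Google Secure LDAP directory.
SAMPLE_LDIF = """\
dn: uid=victorhooi,ou=Users,dc=anguslab,dc=io
objectClass: inetOrgPerson
uid: victorhooi
googleUid: victorhooi
cn: victorhooi
cn: Victor Hooi
mail: victorhooi@anguslab.io
"""


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so a
    username such as 'a)(uid=*' cannot change the filter's structure."""
    return "".join(
        "\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of values."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, value = line.split(":", 1)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def pve_style_lookup(entries, userid, user_attr):
    """Mimic the realm lookup: strip '@realm' from the PVE userid (assumption),
    search for (user_attr=username) and return the filter plus matching DNs."""
    username = userid.split("@", 1)[0]
    filt = "(%s=%s)" % (user_attr, escape_filter_value(username))
    wanted = user_attr.lower()
    dns = [e["dn"][0] for e in entries if username in e.get(wanted, [])]
    return filt, dns


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for attr in ("victorhooi", "uid"):
        filt, dns = pve_style_lookup(directory, "victorhooi@gsuiteldap", attr)
        print("user_attr=%-10s filter=%-24s -> %s" % (attr, filt, dns or "no entries returned"))
```

With user_attr set to the username itself the filter becomes (victorhooi=victorhooi) and matches nothing, which is exactly the "no entries returned" in the pvedaemon log; with 'uid' the entry's DN is found and can then be bound with the supplied password.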
