Thanks for all the great inputs here!
Now - I have got the sync between FreeIPA and Proxmox to work just great, except for one “tiny” detail - Group Description (aka described name of the group)
It was also a bit tricky with the Users real names, but found a good hint to make a couple of changes in `/etc/pve/domains.cfg` like:

```
sync_attributes email=mail,firstname=givenName,lastname=sn,comment=description
```

Whereas Users are now all good, I still only have the group id synced.
Does anyone have a fix for this?
On Thu, 02 Oct 2025, Bjarne Dein via FreeIPA-users wrote:
What LDAP filter does proxmox use to retrieve this information?
If they'd include (objectclass=posixgroup) into the LDAP search terms, they should get read rights to 'description' field. They also need to be authenticated.
We have the following access control:
```
aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || membermanager || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups"; allow (compare,read,search) userdn = "ldap:///anyone";)
```
It means anyone authenticated to LDAP and asking for either (objectclass=ipausergroup) or (objectclass=posixgroup) would be able to read/compare/search any of the mentioned attributes.
Hi Alexander,
Thanks for your fast reply.
I hope you got the point that the sync as such works perfectly, and the only thing missing is the “Description” of each group; the group id itself is synced OK - right?
So my Proxmox setup is as such:
```
filter (|(memberOf=cn=pve_users,cn=groups,cn=accounts,dc=btrust,dc=local)(memberOf=cn=pve_admins,cn=groups,cn=accounts,dc=btrust,dc=local))
group_filter (|(cn=*pve*)(dc=ipa)(dc=btrust)(dc=local))
group_name_attr cn
sync-defaults-options remove-vanished=acl;entry;properties,scope=both
sync_attributes email=mail,firstname=givenName,lastname=sn,comment=description,description=description
```
Best Regards,
Bjarne Dein
Sent from Outlook for iOS (https://aka.ms/o0ukef)

________________________________
From: Alexander Bokovoy abokovoy@redhat.com
Sent: Thursday, October 2, 2025 1:22:59 PM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Bjarne Dein bjarne.dein@btrust.dk
Subject: Re: [Freeipa-users] FreeIPA - Proxmox - LDAP sync issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On Thu, 02 Oct 2025, Bjarne Dein via FreeIPA-users wrote:
I'm not familiar with Proxmox setup but the output above looks incorrect from LDAP side because you don't need to have those (dc=..) entries in the group filter.
You would need to specify
```
group_filter: (cn=*pve*)
group_dn: cn=groups,cn=accounts,dc=ipa,dc=btrust,dc=local
base_dn: cn=accounts,dc=ipa,dc=btrust,dc=local
group_classes: ipausergroup
group_name_attr: cn
```
Judging by the code in get_groups(), if you don't specify anything but the filter and base_dn, defaults will be used and they should be good enough.
https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=src/PVE/Auth/LDAP...

```perl
sub get_groups {
    my ($class, $config, $realm, $dnmap) = @_;

    my $filter = $config->{group_filter};
    my $basedn = $config->{group_dn} // $config->{base_dn};
    my $attr = $config->{group_name_attr};
    $config->{group_classes} //= 'groupOfNames, group, univentionGroup, ipausergroup';
    my $classes = [PVE::Tools::split_list($config->{group_classes})];

    my $ldap = $class->connect_and_bind($config, $realm);

    my $groups = PVE::LDAP::query_groups($ldap, $basedn, $classes, $filter, $attr);
```
However, your problem is not in the wrong setup but in the fact that Proxmox only syncs three attributes for groups:
- value of group_name_attr
- member
- uniqueMember
Here is where groups are queried: https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=src/PVE/Auth/LDAP...
```perl
364     my $groups = PVE::LDAP::query_groups($ldap, $basedn, $classes, $filter, $attr);
```

This calls into PVE::LDAP::query_groups(), which is implemented in https://git.proxmox.com/?p=pve-common.git;a=blob;f=src/PVE/LDAP.pm;hb=HEAD#l...
where the actual LDAP search attributes are defined:
```perl
211     my $attrs = ['member', 'uniqueMember'];
212     push @$attrs, $group_name_attr if $group_name_attr;
213     my @args = (
214         base => $base_dn,
215         scope => "subtree",
216         filter => $filter,
217         control => [$page],
218         attrs => $attrs,
219     );
```
So you can only specify one externally-provided attribute in group_name_attr.
This means that unless you change line 211 above to add 'description', it will not be fetched from LDAP when groups are queried.
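To make the two LDAP-side points in this thread concrete (the "System: Read Groups" ACI quoted in the first reply, and the attribute list at lines 211-212 above), here is an added offline example; it is not code from the thread, from FreeIPA or from Proxmox. It parses the quoted ACI and LDAP search filters, evaluates them against constructed sample group entries, and shows which attributes come back when the search requests only member, uniqueMember and group_name_attr, versus when 'description' is added to that list. Assumptions: the way build_group_filter() combines the class list with group_filter is a guess at Proxmox's behaviour, the GROUPS entries are constructed, and only the one quoted ACI is modelled, so member shows up as not readable here even though a real FreeIPA server grants it through a separate membership permission.

```python
"""Offline model of the LDAP side of this thread: what the quoted FreeIPA ACI lets a bound
client read on group entries, and which attributes Proxmox's group sync actually asks for."""
import re

# ACI quoted in the thread ("permission:System: Read Groups"), joined onto one line.
ACI = ('(targetattr = "businesscategory || cn || createtimestamp || description || entryusn '
       '|| gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || membermanager '
       '|| mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")'
       '(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")'
       '(version 3.0;acl "permission:System: Read Groups"; allow (compare,read,search) '
       'userdn = "ldap:///anyone";)')

DEFAULT_GROUP_CLASSES = 'groupOfNames, group, univentionGroup, ipausergroup'  # from get_groups() above

_OC = ['top', 'groupofnames', 'nestedgroup', 'ipausergroup', 'ipaobject', 'posixgroup']
GROUPS = [  # constructed sample entries (attribute names lower-cased); not real directory data
    {'cn': ['pve_admins'], 'gidnumber': ['1001'], 'description': ['Proxmox administrators'],
     'objectclass': _OC, 'member': ['uid=alice,cn=users,cn=accounts,dc=btrust,dc=local']},
    {'cn': ['pve_users'], 'gidnumber': ['1002'], 'description': ['Proxmox users'],
     'objectclass': _OC, 'member': ['uid=bob,cn=users,cn=accounts,dc=btrust,dc=local']},
    {'cn': ['finance'], 'gidnumber': ['1003'], 'description': ['Finance department'],
     'objectclass': _OC, 'member': []},
]

def _parse(s, i):
    """Recursive-descent parser for the RFC 4515 subset needed here: &, |, !, attr=value, '*'."""
    if s[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in '&|!':
        op, kids, i = s[i], [], i + 1
        while True:
            i += len(s[i:]) - len(s[i:].lstrip())   # tolerate whitespace between items
            if s[i] == ')':
                break
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(')', i)                              # value escapes (\2a etc.) are not handled
    attr, _, value = s[i:j].partition('=')
    return ('=', attr.strip().lower(), value.strip()), j + 1

def parse_filter(text):
    return _parse(text.strip(), 0)[0]

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict attr -> list of values), case-insensitively."""
    op = node[0]
    if op == '&':
        return all(matches(k, entry) for k in node[1])
    if op == '|':
        return any(matches(k, entry) for k in node[1])
    if op == '!':
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    if pattern == '*':                               # presence filter
        return bool(entry.get(attr))
    rx = '.*'.join(re.escape(p) for p in pattern.lower().split('*'))
    return any(re.fullmatch(rx, v.lower()) for v in entry.get(attr, []))

def parse_aci(aci):
    """Pull the parts of a 389-ds ACI that decide attribute visibility."""
    def field(key):
        return re.search(key + r'\s*=\s*"([^"]*)"', aci).group(1)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci).group(1)
    return {'attrs': {a.strip().lower() for a in field('targetattr').split('||')},
            'filter': parse_filter(field('targetfilter')),
            'rights': {r.strip() for r in rights.split(',')},
            'userdn': field('userdn')}

def readable_attrs(acis, entry, requested):
    """Subset of `requested` that at least one of the modelled ACIs permits reading on `entry`."""
    allowed = set().union(*(a['attrs'] for a in acis
                            if 'read' in a['rights'] and matches(a['filter'], entry)))
    return {a.lower() for a in requested} & allowed

def proxmox_group_attrs(group_name_attr, extra=()):
    """Mirrors PVE::LDAP::query_groups lines 211-212: member, uniqueMember and group_name_attr only."""
    extra = [a.lower() for a in extra]               # models adding names at line 211
    return ['member', 'uniquemember'] + ([group_name_attr.lower()] if group_name_attr else []) + extra

def build_group_filter(group_classes, group_filter):
    """ASSUMPTION: Proxmox ORs the class list and ANDs it with the configured group_filter."""
    classes = ''.join(f'(objectclass={c.strip()})' for c in group_classes.split(','))
    return f'(&(|{classes}){group_filter})'

def sync_preview(entries, acis, group_filter, group_name_attr='cn', extra=()):
    """Per matching group: only the attributes that are both requested and ACI-permitted."""
    node = parse_filter(build_group_filter(DEFAULT_GROUP_CLASSES, group_filter))
    requested = proxmox_group_attrs(group_name_attr, extra)
    out = {}
    for entry in (e for e in entries if matches(node, e)):
        allowed = readable_attrs(acis, entry, requested)
        out[entry[group_name_attr.lower()][0]] = {a: entry[a] for a in requested if a in allowed and a in entry}
    return out

if __name__ == '__main__':
    acis = [parse_aci(ACI)]
    print('as configured:', sync_preview(GROUPS, acis, '(cn=*pve*)'))
    print('with description at line 211:', sync_preview(GROUPS, acis, '(cn=*pve*)', extra=('description',)))
```

Running it shows the point of the thread: the ACI would let the bound sync user read description on every group that matches the objectclass filter, but no description is returned until it is added to the requested attribute list. It also shows that the (dc=...) branches in the original group_filter change nothing for the group entries, since filters match attribute values rather than DN components.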
Hi Alexander,
What a guy ☺️👍 Thanks for a great update and explanation - this is awesome 👍👍
Thanks a lot!
Best Regards, Bjarne
Kind regards/Best Regards,
Bjarne Dein
BTrust
Kildemarken 96
DK-4600 Havdrup
Denmark
Phone: +45 22751289
LinkedIn: http://www.linkedin.com/in/bdein
VAT no: DK44603624 (https://datacvr.virk.dk/enhed/virksomhed/44603624)
________________________________
From: Alexander Bokovoy abokovoy@redhat.com
Sent: Thursday, October 2, 2025 4:46:45 PM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Bjarne Dein bjarne.dein@btrust.dk
Subject: Re: [Freeipa-users] Re: FreeIPA - Proxmox - LDAP sync issue