Hi Alexander,

Thanks for your fast reply.

I hope you got the point that the sync as such works perfectly, and the only 
thing missing is the “Description” of each group; the group id itself is 
synced OK, right?

So my Proxmox setup is as such:

        filter (|(memberOf=cn=pve_users,cn=groups,cn=accounts,dc=btrust,dc=local)(memberOf=cn=pve_admins,cn=groups,cn=accounts,dc=btrust,dc=local))
        group_filter (|(cn=*pve*)(dc=ipa)(dc=btrust)(dc=local))
        group_name_attr cn
        sync-defaults-options remove-vanished=acl;entry;properties,scope=both
        sync_attributes email=mail,firstname=givenName,lastname=sn,comment=description,description=description

Best Regards,

Bjarne Dein
Sent from Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: Alexander Bokovoy <[email protected]>
Sent: Thursday, October 2, 2025 1:22:59 PM
To: FreeIPA users list <[email protected]>
Cc: Bjarne Dein <[email protected]>
Subject: Re: [Freeipa-users] FreeIPA - Proxmox - LDAP sync issue

On Thu, 02 Oct 2025, Bjarne Dein via FreeIPA-users wrote:
>Thanks for all the great inputs here!
>
>Now - I have got the sync between FreeIPA and Proxmox to work just great, 
>except for one “tiny” detail - Group Description (aka described name of the 
>group)
>
>It was also a bit tricky with the Users real names, but found a good hint to 
>make a couple of changes in `/etc/pve/domains.cfg` like:
>Code:
>sync_attributes email=mail,firstname=givenName,lastname=sn,comment=description
>Whereas Users are now all good, I still only have the group id synced.
>
>Does anyone have a fix for this?

What LDAP filter does proxmox use to retrieve this information?

If they'd include (objectclass=posixgroup) in the LDAP search terms,
they should get read rights to the 'description' field. They also need to
be authenticated.

We have the following access control:

aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn
  || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || membermanager
  || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")
  (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")
  (version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";;)

It means anyone authenticated to LDAP and asking for either
(objectclass=ipausergroup) or (objectclass=posixgroup) would be able to
read/compare/search any of the mentioned attributes.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
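An added example (written for this page; it is not code from the thread, from FreeIPA or from Proxmox): a small RFC 4515 filter parser that evaluates the quoted ACI's targetfilter against two constructed sample entries, shows that the group_filter from the domains.cfg fragment above also matches the domain's base entry (the dc= branches are not group entries), and builds a filter that ANDs in the (objectclass=posixgroup) term Alexander suggests. The sample entries, the gidnumber values and the hardened filter string are assumptions for illustration; the script checks filters offline and says nothing about the live directory or about Proxmox's sync code.

```python
"""Added example, not from the thread: RFC 4515 filter parser plus two checks
(ACI targetfilter coverage of sample entries, and whether a group_filter stays
inside the entries that targetfilter covers)."""
import re

GROUP_CLASSES = {"posixgroup", "ipausergroup"}
# targetfilter of the "System: Read Groups" ACI quoted in the thread
ACI_TARGETFILTER = "(|(objectclass=ipausergroup)(objectclass=posixgroup))"
# group_filter from the domains.cfg fragment quoted in the thread
THREAD_GROUP_FILTER = "(|(cn=*pve*)(dc=ipa)(dc=btrust)(dc=local))"

# Constructed sample entries (assumed values; attribute names lower-cased).
PVE_ADMINS = {"objectclass": ["top", "groupofnames", "ipausergroup", "posixgroup"],
              "cn": ["pve_admins"], "gidnumber": ["1001"],
              "description": ["Proxmox administrators"]}
DOMAIN_ROOT = {"objectclass": ["top", "domain"], "dc": ["btrust"]}


def parse_filter(text):
    """Parse a filter into ('and',[..]) / ('or',[..]) / ('not',x) / ('item',attr,op,value).
    Handles &, |, !, =, >=, <=, ~=, presence (attr=*) and '*' substrings; not :=, \\xx escapes."""
    s = text.strip()
    i, node = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data at offset %d" % i)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = ("and" if s[i] == "&" else "or"), i + 1, []
        while i < len(s) and s[i] != ")":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s):
            raise ValueError("unterminated filter")
        return i + 1, (op, children)
    if s[i] == "!":
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '!' filter")
        return i + 1, ("not", child)
    end = s.index(")", i)
    body = s[i:end]
    for op in (">=", "<=", "~=", "="):      # two-character operators first
        if op in body:
            attr, value = body.split(op, 1)
            return end + 1, ("item", attr.strip().lower(), op, value)
    raise ValueError("bad filter item %r" % body)


def _substring_match(value, pattern):
    """LDAP substring match: '*' is the only wildcard, everything else is literal."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively, the way a
    targetfilter is evaluated against each entry. Ordering compares are lexicographic
    here (a real server uses the attribute syntax); '~=' is treated as equality."""
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, op, value = node
    values = [str(v).lower() for v in entry.get(attr, [])]
    value = value.lower()
    if op == "=":
        return bool(values) if value == "*" else any(_substring_match(v, value) for v in values)
    if op == ">=":
        return any(v >= value for v in values)
    if op == "<=":
        return any(v <= value for v in values)
    return any(v == value for v in values)


def confined_to(node, classes=GROUP_CLASSES):
    """True when every entry the filter can match must carry one of `classes` as
    objectClass, i.e. the search cannot return entries outside the ACI targetfilter."""
    kind = node[0]
    if kind == "and":
        return any(confined_to(c, classes) for c in node[1])
    if kind == "or":
        return all(confined_to(c, classes) for c in node[1])
    if kind == "not":
        return False
    _, attr, op, value = node
    return attr == "objectclass" and op == "=" and value.lower() in classes


def harden_group_filter(text, objectclass="posixgroup"):
    """Return the filter unchanged if already confined, else AND in the objectClass
    term Alexander suggests (the exact rewritten filter is this example's assumption)."""
    if confined_to(parse_filter(text)):
        return text
    return "(&(objectclass=%s)%s)" % (objectclass, text.strip())


if __name__ == "__main__":
    aci = parse_filter(ACI_TARGETFILTER)
    print("ACI targetfilter covers pve_admins entry:", matches(aci, PVE_ADMINS))
    print("ACI targetfilter covers domain root entry:", matches(aci, DOMAIN_ROOT))
    print("thread group_filter matches domain root:", matches(parse_filter(THREAD_GROUP_FILTER), DOMAIN_ROOT))
    print("thread group_filter confined to groups:", confined_to(parse_filter(THREAD_GROUP_FILTER)))
    print("suggested group_filter:", harden_group_filter(THREAD_GROUP_FILTER))
```

To compare what the directory actually returns before and after the change, run the same filter once anonymously (`ldapsearch -x -b cn=groups,cn=accounts,dc=btrust,dc=local '(&(objectclass=posixgroup)(cn=*pve*))' description`) and once authenticated (replace `-x` with `-Y GSSAPI` after `kinit`, or use `-D`/`-W` with the bind DN Proxmox is configured with); the ACI grants the read to authenticated binds, so `description` should appear only in the second result.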


-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue