On Thu, 02 Oct 2025, Bjarne Dein via FreeIPA-users wrote:
Hi Alexander,
Thanks for your fast reply.
I hope you got the point that the sync as such works perfectly, and the only
thing missing is the "Description" of each group; the group id
itself is synced OK - right?
So my Proxmox setup is as such:
filter (|(memberOf=cn=pve_users,cn=groups,cn=accounts,dc=btrust,dc=local)(memberOf=cn=pve_admins,cn=groups,cn=accounts,dc=btrust,dc=local))
group_filter (|(cn=*pve*)(dc=ipa)(dc=btrust)(dc=local))
group_name_attr cn
sync-defaults-options remove-vanished=acl;entry;properties,scope=both
sync_attributes email=mail,firstname=givenName,lastname=sn,comment=description,description=description
I'm not familiar with Proxmox setup but the output above looks incorrect from
the LDAP side because you don't need to have those (dc=..) entries in the
group filter.
You would need to specify
group_filter: (cn=*pve*)
group_dn: cn=groups,cn=accounts,dc=ipa,dc=btrust,dc=local
base_dn: cn=accounts,dc=ipa,dc=btrust,dc=local
group_classes: ipausergroup
group_name_attr: cn
Judging by the code in get_groups(), if you don't specify anything but
the filter and base_dn, defaults will be used and they should be good
enough.
https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=src/PVE/Auth/LDAP.pm;hb=HEAD#l353
===============================
sub get_groups {
    my ($class, $config, $realm, $dnmap) = @_;

    my $filter = $config->{group_filter};
    my $basedn = $config->{group_dn} // $config->{base_dn};
    my $attr = $config->{group_name_attr};
    $config->{group_classes} //= 'groupOfNames, group, univentionGroup, ipausergroup';
    my $classes = [PVE::Tools::split_list($config->{group_classes})];

    my $ldap = $class->connect_and_bind($config, $realm);

    my $groups = PVE::LDAP::query_groups($ldap, $basedn, $classes, $filter, $attr);
===============================
However, your problem is not in the wrong setup but in the fact that
Proxmox only syncs three attributes for groups:
- value of group_name_attr
- member
- uniqueMember
Here is where groups are queried:
https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=src/PVE/Auth/LDAP.pm;hb=HEAD#l364
364     my $groups = PVE::LDAP::query_groups($ldap, $basedn, $classes, $filter, $attr);
this calls into PVE::LDAP::query_groups() which is implemented in
https://git.proxmox.com/?p=pve-common.git;a=blob;f=src/PVE/LDAP.pm;hb=HEAD#l193
where the actual LDAP search attributes are defined:
211     my $attrs = ['member', 'uniqueMember'];
212     push @$attrs, $group_name_attr if $group_name_attr;
213     my @args = (
214         base => $base_dn,
215         scope => "subtree",
216         filter => $filter,
217         control => [$page],
218         attrs => $attrs,
219     );
So you can only specify one externally-provided attribute in
group_name_attr.
This means that unless you change line 211 above to add 'description', it
will not be fetched from LDAP when groups are queried.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
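As an added example that is not part of the thread and is not Proxmox's or FreeIPA's own code: the following Python script parses the posted group_filter and the suggested one with a small RFC 4515 filter evaluator, runs both against constructed FreeIPA-style group entries, and models the attribute list from line 211 of PVE/LDAP.pm so you can see the 'description' attribute disappear and reappear. The sample entries, the way group_classes is combined with group_filter (an objectClass disjunction ANDed with the user filter), and the extra_attrs parameter are assumptions made for the illustration; the script runs offline and talks to no server.

```python
"""Added example, not Proxmox or FreeIPA code: an RFC 4515 filter evaluator
plus a model of the attribute projection in PVE::LDAP::query_groups."""
import re

BASE_DN = "cn=groups,cn=accounts,dc=ipa,dc=btrust,dc=local"
USERS_DN = "cn=users,cn=accounts,dc=ipa,dc=btrust,dc=local"

# Constructed sample entries shaped like FreeIPA groups; not a real dump.
SAMPLE_GROUPS = {
    f"cn=pve_users,{BASE_DN}": {
        "objectClass": ["ipausergroup", "groupOfNames", "posixgroup"],
        "cn": ["pve_users"], "description": ["Proxmox VE users"],
        "member": [f"uid=bjarne,{USERS_DN}"]},
    f"cn=pve_admins,{BASE_DN}": {
        "objectClass": ["ipausergroup", "groupOfNames", "posixgroup"],
        "cn": ["pve_admins"], "description": ["Proxmox VE administrators"],
        "member": [f"uid=alice,{USERS_DN}"]},
    f"cn=ipausers,{BASE_DN}": {
        "objectClass": ["ipausergroup", "groupOfNames"],
        "cn": ["ipausers"], "description": ["Default group for all users"]},
}


def parse_filter(text):
    """Parse and/or/not, equality, substring and presence filters into a tuple
    tree.  Escapes and extensible match are not needed for these filters."""
    def close(i):
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1

    def node(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op = text[i + 1]
        if op in "&|":
            children, i = [], i + 2
            while text[i] == "(":
                child, i = node(i)
                children.append(child)
            return (op, children), close(i)
        if op == "!":
            child, i = node(i + 2)
            return ("!", child), close(i)
        end = text.index(")", i)
        attr, _, value = text[i + 1:end].partition("=")
        if value == "*":
            return ("present", attr), end + 1
        return ("substr" if "*" in value else "eq", attr, value), end + 1

    tree, pos = node(0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def get_values(entry, attr):
    """Attribute types are case-insensitive in LDAP."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(tree, entry):
    """Evaluate a parsed filter against one entry; values compare
    case-insensitively, as FreeIPA's cn and objectClass do."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    if op == "present":
        return bool(get_values(entry, tree[1]))
    values = [v.lower() for v in get_values(entry, tree[1])]
    if op == "eq":
        return tree[2].lower() in values
    pattern = ".*".join(re.escape(p) for p in tree[2].lower().split("*"))
    return any(re.fullmatch(pattern, v) for v in values)


def query_groups(entries, base_dn, classes, group_filter, group_name_attr,
                 extra_attrs=()):
    """Model of PVE::LDAP::query_groups: group_classes become an objectClass
    disjunction ANDed with group_filter (assumption), subtree search under
    base_dn, and only member, uniqueMember and group_name_attr are requested.
    extra_attrs stands in for the edit to line 211 that the reply describes."""
    class_filter = "(|" + "".join(f"(objectClass={c})" for c in classes) + ")"
    tree = parse_filter(f"(&{class_filter}{group_filter})")
    requested = ["member", "uniqueMember", group_name_attr, *extra_attrs]
    found = {}
    for dn, entry in entries.items():
        if dn.lower().endswith(base_dn.lower()) and matches(tree, entry):
            found[dn] = {a: get_values(entry, a) for a in requested
                         if get_values(entry, a)}
    return found


if __name__ == "__main__":
    posted = "(|(cn=*pve*)(dc=ipa)(dc=btrust)(dc=local))"  # the filter from the thread
    for filt, extra in ((posted, ()), ("(cn=*pve*)", ()), ("(cn=*pve*)", ("description",))):
        groups = query_groups(SAMPLE_GROUPS, BASE_DN, ["ipausergroup"], filt, "cn", extra)
        print(filt, extra, {dn.split(",")[0]: sorted(g) for dn, g in groups.items()})
```

Running it shows the (dc=...) clauses select exactly the same two groups as the bare (cn=*pve*), since group entries carry no dc attribute, and that 'description' only appears in the result once it is added to the requested attribute list. Against the real server the equivalent check is an ldapsearch with the group base as -b, the same filter, and an explicit attribute list (cn member description); if description comes back there but never reaches Proxmox, the attrs list on line 211 is the reason.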