Hi Alexander,

What a guy ☺️👍 Thanks for a great update and explanation - this is awesome 👍👍
Thanks a lot!

Best Regards,
Bjarne

Venlig hilsen/Best Regards,
Bjarne Dein
BTrust
Kildemarken 96
DK-4600 Havdrup
Denmark
Phone: +45 22751289
LinkedIn: http://www.linkedin.com/in/bdein
VAT no: DK44603624 <https://datacvr.virk.dk/enhed/virksomhed/44603624>

________________________________
From: Alexander Bokovoy <[email protected]>
Sent: Thursday, October 2, 2025 4:46:45 PM
To: FreeIPA users list <[email protected]>
Cc: Bjarne Dein <[email protected]>
Subject: Re: [Freeipa-users] Re: FreeIPA - Proxmox - LDAP sync issue

On Thu, 02 Oct 2025, Bjarne Dein via FreeIPA-users wrote:
>Hi Alexander,
>
>Thanks for your fast reply.
>
>I hope you got the point that the sync as such works perfectly, and the only
>thing missing is the "Description" of each group; the group id
>itself is synced OK - right?
>
>So my Proxmox setup is as such:
>
>    filter (|(memberOf=cn=pve_users,cn=groups,cn=accounts,dc=btrust,dc=local)(memberOf=cn=pve_admins,cn=groups,cn=accounts,dc=btrust,dc=local))
>    group_filter (|(cn=*pve*)(dc=ipa)(dc=btrust)(dc=local))
>    group_name_attr cn
>    sync-defaults-options remove-vanished=acl;entry;properties,scope=both
>    sync_attributes email=mail,firstname=givenName,lastname=sn,comment=description,description=description

I'm not familiar with Proxmox setup but the output above looks incorrect
from the LDAP side because you don't need to have those (dc=..) entries in
the group filter. You would need to specify

    group_filter: (cn=*pve*)
    group_dn: cn=groups,cn=accounts,dc=ipa,dc=btrust,dc=local
    base_dn: cn=accounts,dc=ipa,dc=btrust,dc=local
    group_classes: ipausergroup
    group_name_attr: cn

Judging by the code in get_groups(), if you don't specify anything but the
filter and base_dn, defaults will be used and they should be good enough.

https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=src/PVE/Auth/LDAP.pm;hb=HEAD#l353
===============================
sub get_groups {
    my ($class, $config, $realm, $dnmap) = @_;

    my $filter = $config->{group_filter};
    my $basedn = $config->{group_dn} // $config->{base_dn};
    my $attr = $config->{group_name_attr};
    $config->{group_classes} //= 'groupOfNames, group, univentionGroup, ipausergroup';
    my $classes = [PVE::Tools::split_list($config->{group_classes})];

    my $ldap = $class->connect_and_bind($config, $realm);

    my $groups = PVE::LDAP::query_groups($ldap, $basedn, $classes, $filter, $attr);
===============================

However, your problem is not in the wrong setup but in the fact that
Proxmox only syncs three attributes for groups:

- value of group_name_attr
- member
- uniqueMember

Here is where groups are queried:

https://git.proxmox.com/?p=pve-access-control.git;a=blob;f=src/PVE/Auth/LDAP.pm;hb=HEAD#l364

364     my $groups = PVE::LDAP::query_groups($ldap, $basedn, $classes, $filter, $attr);

this calls into PVE::LDAP::query_groups() which is implemented in

https://git.proxmox.com/?p=pve-common.git;a=blob;f=src/PVE/LDAP.pm;hb=HEAD#l193

where the actual LDAP search attributes are defined:

211     my $attrs = ['member', 'uniqueMember'];
212     push @$attrs, $group_name_attr if $group_name_attr;
213     my @args = (
214         base => $base_dn,
215         scope => "subtree",
216         filter => $filter,
217         control => [$page],
218         attrs => $attrs,
219     );

So you can only specify one externally-provided attribute in
group_name_attr. This means unless you'd change line 211 above to add
'description', it will not be fetched from LDAP when groups are queried.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
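The behaviour Alexander describes above, replayed offline as an added example that is not Proxmox or FreeIPA code: a small RFC 4515 filter evaluator runs the same kind of search PVE::LDAP::query_groups() issues against constructed FreeIPA-style entries, first with the fixed attribute list (member, uniqueMember, group_name_attr) and then with 'description' added to it. The entries, the DN names and the pvesync user are constructed; that Proxmox ANDs the objectClass clause built from group_classes with group_filter is an assumption, as is the simplified, case-insensitive matching.

```python
import re

BASE_DN = "cn=accounts,dc=ipa,dc=btrust,dc=local"
# Default group_classes from get_groups() in PVE/Auth/LDAP.pm.
DEFAULT_GROUP_CLASSES = ["groupOfNames", "group", "univentionGroup", "ipausergroup"]

# Constructed FreeIPA-style entries (not real data): attribute names lower-cased,
# every value a list, the way an LDAP client hands them back.
DIRECTORY = [
    ("dc=ipa,dc=btrust,dc=local", {"objectclass": ["domain"], "dc": ["ipa"]}),
    ("cn=pve_admins,cn=groups,cn=accounts,dc=ipa,dc=btrust,dc=local",
     {"objectclass": ["top", "groupofnames", "ipausergroup", "posixgroup"],
      "cn": ["pve_admins"], "description": ["Proxmox administrators"],
      "member": ["uid=alice,cn=users,cn=accounts,dc=ipa,dc=btrust,dc=local"]}),
    ("cn=pve_users,cn=groups,cn=accounts,dc=ipa,dc=btrust,dc=local",
     {"objectclass": ["top", "groupofnames", "ipausergroup", "posixgroup"],
      "cn": ["pve_users"], "description": ["Proxmox users"],
      "member": ["uid=bob,cn=users,cn=accounts,dc=ipa,dc=btrust,dc=local"]}),
    ("cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=btrust,dc=local",
     {"objectclass": ["top", "groupofnames", "ipausergroup"],
      "cn": ["ipausers"], "description": ["Default group for all users"]}),
    # Constructed user whose cn contains "pve": hit by (cn=*pve*), dropped by objectClass.
    ("uid=pvesync,cn=users,cn=accounts,dc=ipa,dc=btrust,dc=local",
     {"objectclass": ["person", "posixaccount"], "uid": ["pvesync"],
      "cn": ["pve sync account"], "description": ["not a group"]}),
]

def parse_filter(text):
    """Parse an RFC 4515 subset: (&...), (|...), (!...), (a=v), (a=*), (a=*sub*)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|":
            op, kids, i = text[i], [], i + 1
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
        elif text[i] == "!":
            op = "!"
            node, i = parse(i + 1)
            kids = [node]
        else:
            j = text.index(")", i)
            attr, _, value = text[i:j].partition("=")
            return ("=", attr.strip().lower(), value), j + 1
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (all matching case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                                   # presence
        return bool(values)
    if "*" in value:                                   # substring
        rx = re.compile("^" + ".*".join(re.escape(p) for p in value.split("*")) + "$", re.I)
        return any(rx.match(v) for v in values)
    return any(v.lower() == value.lower() for v in values)

def in_subtree(dn, base_dn):
    d, b = dn.lower(), base_dn.lower()
    return d == b or d.endswith("," + b)

def query_groups(directory, base_dn, classes, group_filter, group_name_attr, extra_attrs=()):
    """Replay the search query_groups() sends: only member, uniqueMember and
    group_name_attr are requested.  ANDing the objectClass clause with group_filter
    is an assumption; extra_attrs models adding 'description' on line 211."""
    attrs = ["member", "uniquemember"]
    if group_name_attr:
        attrs.append(group_name_attr.lower())
    attrs.extend(a.lower() for a in extra_attrs)
    class_clause = "(|" + "".join(f"(objectClass={c})" for c in classes) + ")"
    tree = parse_filter(f"(&{class_clause}{group_filter})" if group_filter else class_clause)
    found = {}
    for dn, entry in directory:
        if in_subtree(dn, base_dn) and matches(tree, entry):
            found[dn] = {a: entry[a] for a in attrs if a in entry}   # attribute projection
    return found

if __name__ == "__main__":
    shipped = query_groups(DIRECTORY, BASE_DN, DEFAULT_GROUP_CLASSES, "(cn=*pve*)", "cn")
    patched = query_groups(DIRECTORY, BASE_DN, DEFAULT_GROUP_CLASSES, "(cn=*pve*)", "cn",
                           extra_attrs=("description",))
    for dn in shipped:
        print(dn, "->", shipped[dn], "| with description:", patched[dn].get("description"))
```

Running it shows the two pve groups coming back with cn and member but no description, the same two groups whether or not the (dc=...) terms are in group_filter, and the description appearing only once it is added to the requested attribute list.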
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
