docs: user-management: add section about AD realm support

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Tested-by: Lukas Wagner <l.wagner@proxmox.com>
This commit is contained in:
Christoph Heiss 2024-01-12 17:16:06 +01:00 committed by Thomas Lamprecht
parent 1819989bd0
commit a819f056c2
2 changed files with 48 additions and 13 deletions

View File

@ -23,5 +23,5 @@ For LDAP realms, the LDAP bind password is stored in ``ldap_passwords.json``.
user-classes inetorgperson,posixaccount,person,user user-classes inetorgperson,posixaccount,person,user
You can use the ``proxmox-backup-manager openid`` and ``proxmox-backup-manager ldap`` commands to manipulate You can use the ``proxmox-backup-manager openid``, ``proxmox-backup-manager
this file. ldap`` and ``proxmox-backup-manager ad`` commands to manipulate this file.
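Review bot: the unchanged sentence above this hunk still says only that "the LDAP bind password is stored in ``ldap_passwords.json``", while the new text now lists ``proxmox-backup-manager ad`` among the commands that manipulate that file; state explicitly whether AD realm bind passwords are kept in the same file, e.g. "For LDAP and AD realms, the bind password is stored in ``ldap_passwords.json``", so an administrator knows where that credential lives and which file to protect.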

View File

@ -27,6 +27,9 @@ choose the realm when you add a new user. Possible realms are:
:ldap: LDAP server. Users can authenticate against external LDAP servers. :ldap: LDAP server. Users can authenticate against external LDAP servers.
:ad: Active Directory server. Users can authenticate against external Active
Directory servers.
After installation, there is a single user, ``root@pam``, which corresponds to After installation, there is a single user, ``root@pam``, which corresponds to
the Unix superuser. User configuration information is stored in the file the Unix superuser. User configuration information is stored in the file
``/etc/proxmox-backup/user.cfg``. You can use the ``proxmox-backup-manager`` ``/etc/proxmox-backup/user.cfg``. You can use the ``proxmox-backup-manager``
@ -646,15 +649,47 @@ A full list of all configuration parameters can be found at :ref:`domains.cfg`.
server, you must also add them as a user of that realm in Proxmox Backup server, you must also add them as a user of that realm in Proxmox Backup
Server. This can be carried out automatically with syncing. Server. This can be carried out automatically with syncing.
User Synchronization in LDAP realms .. _user_realms_ad:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It is possible to automatically sync users for LDAP-based realms, rather than Active Directory
having to add them to Proxmox VE manually. Synchronization options can be set ~~~~~~~~~~~~~~~~
in the LDAP realm configuration dialog window in the GUI and via the
``proxmox-backup-manager ldap create/update`` command. Proxmox Backup Server can also utilize external Microsoft Active Directory
User synchronization can started in the GUI at servers for user authentication.
Configuration > Access Control > Realms by selecting a realm and pressing the To achieve this, a realm of the type ``ad`` has to be configured.
`Sync` button. In the sync dialog, some of the default options set in the realm
configuration can be overridden. Alternatively, user synchronization can also For an Active Directory realm, the authentication domain name and the server
be started via the ``proxmox-backup-manager ldap sync`` command. address must be specified. Most options from :ref:`user_realms_ldap` apply to
Active Directory as well, most importantly the bind credentials ``bind-dn``
and ``password``. This is typically required by default for Microsoft Active
Directory. The ``bind-dn`` can be specified either in AD-specific
``user@company.net`` syntax or the commen LDAP-DN syntax.
The authentication domain name must only be specified if anonymous bind is
requested. If bind credentials are given, the domain name is automatically
inferred from the bind users' base domain, as reported by the Active Directory
server.
A full list of all configuration parameters can be found at :ref:`domains.cfg`.
.. note:: In order to allow a particular user to authenticate using the Active
Directory server, you must also add them as a user of that realm in Proxmox
Backup Server. This can be carried out automatically with syncing.
.. note:: Currently, case-insensitive usernames are not supported.
User Synchronization in LDAP/AD realms
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It is possible to automatically sync users for LDAP and AD-based realms, rather
than having to add them to Proxmox Backup Server manually. Synchronization
options can be set in the LDAP realm configuration dialog window in the GUI and
via the ``proxmox-backup-manager ldap`` and ``proxmox-backup-manager ad``
commands, respectively.
User synchronization can be started in the GUI under **Configuration > Access
Control > Realms** by selecting a realm and pressing the `Sync` button. In the
sync dialog, some of the default options set in the realm configuration can be
overridden. Alternatively, user synchronization can also be started via the
``proxmox-backup-manager ldap sync`` and ``proxmox-backup-manager ad sync``
command, respectively.
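Review bot: the new Active Directory section contradicts itself on the domain name: the second paragraph says "the authentication domain name and the server address must be specified", but the fourth says "The authentication domain name must only be specified if anonymous bind is requested"; reconcile these, e.g. "the server address must be specified; the authentication domain name is only required for anonymous bind, otherwise it is inferred from the bind user". In the same section fix the typo "commen" (should be "common") in "the commen LDAP-DN syntax" and "bind users' base domain" (should be "bind user's"). In the renamed sync section, "Synchronization options can be set in the LDAP realm configuration dialog window" should also mention the AD realm dialog now that the heading covers both, and the last line "``proxmox-backup-manager ad sync`` command, respectively" should read "commands".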