LDAP and Active Directory Integration
Overview
Proxmox VE can authenticate users against LDAP directories and Microsoft Active Directory (realm types ldap and ad), so existing enterprise credentials are used instead of local pve or pam accounts. The directory only validates passwords: a user must still exist in Proxmox VE (created by hand or imported with a realm sync) before they can log in, and permissions are always granted through Proxmox VE's own ACLs, roles and groups.
Supported Directories
- OpenLDAP and other standard LDAP servers (realm type ldap)
- Microsoft Active Directory (realm type ad)
- Microsoft Entra ID (formerly Azure Active Directory), Okta and Google Workspace are not reachable as LDAP realms; they are connected through Proxmox VE's OpenID Connect realm type (openid) instead, as described under Enterprise Integration below
Configuring LDAP Realm
Via Web UI
- Navigate to Datacenter → Permissions → Realms
- Click Add → LDAP Server
- Configure:
  - Realm: the realm name users append at login (for example example-ldap, giving logins of the form user@example-ldap)
  - Base Domain Name: dc=example,dc=com
  - User Attribute Name: uid (sAMAccountName for Active Directory)
  - Server / Fallback Server: ldap.example.com
  - Port: 636 for LDAPS, 389 for plain LDAP or LDAP+STARTTLS
  - Mode: LDAPS or LDAP+STARTTLS in production, with Verify Certificate enabled; plain LDAP sends every password unencrypted
  - Bind User / Bind Password: a read-only service account, required when the directory disallows anonymous search and for realm syncs
  - Sync Options tab: User Filter (an LDAP search filter limiting which users are imported, for example (memberOf=cn=Proxmox-Users,ou=groups,dc=example,dc=com)), group settings and default sync options
Via CLI
Realms are managed with pveum (there is no pve realms command). The realm name is the suffix users type at login (user@example-ldap).
```bash
# Add an LDAP realm over plain LDAP on port 389 (credentials travel unencrypted; lab use only)
pveum realm add example-ldap --type ldap \
    --base_dn "dc=example,dc=com" \
    --server1 ldap.example.com \
    --user_attr uid

# Add an LDAP realm over LDAPS with server certificate verification (production)
pveum realm add example-ldap --type ldap \
    --base_dn "dc=example,dc=com" \
    --server1 ldap.example.com \
    --port 636 --mode ldaps --verify 1 \
    --user_attr uid
```
Active Directory Configuration
Basic AD Setup
```bash
# Add an Active Directory realm; --domain is the AD domain users authenticate against,
# --base_dn is where user and group objects are searched during sync
pveum realm add corp --type ad \
    --domain corp.example.com \
    --base_dn "DC=corp,DC=example,DC=com" \
    --server1 ad.corp.example.com \
    --mode ldaps --port 636 --verify 1

# Add with a fallback domain controller (a realm supports exactly two servers, server1 and server2)
pveum realm add corp --type ad \
    --domain corp.example.com \
    --base_dn "DC=corp,DC=example,DC=com" \
    --server1 ad1.corp.example.com \
    --server2 ad2.corp.example.com \
    --mode ldaps --port 636 --verify 1
```
AD Group Mapping
Sync AD groups to Proxmox:
Which groups are imported is decided by group settings on the realm; the import itself is run with pveum realm sync (there is no pveum ad command). Imported groups are named <group>-<realm>, for example Proxmox-Admins-corp, and receive permissions through ACLs like any other Proxmox VE group.
```bash
# Limit which AD groups are imported: where to search, which names to match, which attribute is the group name
pveum realm modify corp \
    --group_dn "OU=Groups,DC=corp,DC=example,DC=com" \
    --group_filter "(cn=Proxmox-*)" \
    --group_name_attr cn

# Preview the changes, then import users and groups (--enable-new 1 enables newly created users)
pveum realm sync corp --scope both --enable-new 1 --dry-run
pveum realm sync corp --scope both --enable-new 1

# Grant a role to the imported group (note the realm suffix on synced group names)
pveum acl modify / --groups Proxmox-Admins-corp --roles PVEAdmin
```
LDAP/AD User Sync
Manual Sync
```bash
# Import users only (no groups), creating them enabled
pveum realm sync example-ldap --scope users --enable-new 1

# Restrict the sync to one group's members via the realm's user filter
# (on OpenLDAP, memberOf requires the memberof overlay; otherwise filter on another attribute)
pveum realm modify example-ldap \
    --filter "(memberOf=cn=Proxmox-Users,ou=groups,dc=example,dc=com)"

# Import users and groups, and remove ACLs, properties and the users themselves for
# entries that vanished from the directory (anything outside the filter counts as vanished)
pveum realm sync example-ldap --scope both --remove-vanished "acl;properties;entry"

# A sync never assigns roles; membership in a synced group plus an ACL does
pveum acl modify /vms --groups Proxmox-Users-example-ldap --roles PVEVMUser
```
Auto-Sync Settings
There are no sync-config or sync-interval realm options. Store the desired behaviour as the realm's sync defaults, then run the sync on a schedule from a cron job or systemd timer.
```bash
# Defaults applied to every sync of this realm unless overridden on the command line
pveum realm modify example-ldap \
    --sync-defaults-options "scope=both,enable-new=1,remove-vanished=acl;properties;entry"

# Cron entry in /etc/cron.d/pve-realm-sync: sync every 15 minutes as root
*/15 * * * * root /usr/sbin/pveum realm sync example-ldap >/dev/null
```
LDAP Attributes
Default User Attributes
Proxmox VE has only the user fields listed below. cn is not mapped by default, and group membership is read from the group objects, not from a user's memberOf attribute.
| Proxmox VE field | Realm option | Typical LDAP attribute |
|---|---|---|
| User ID | user_attr | uid (OpenLDAP), sAMAccountName (Active Directory) |
| First name | sync_attributes firstname= | givenName |
| Last name | sync_attributes lastname= | sn |
| E-mail | sync_attributes email= | mail |
| Group name | group_name_attr | cn |
| Group members | member list of each group object found under group_dn (classes from group_classes) | member |
Without sync_attributes, each Proxmox VE field is looked up as an LDAP attribute of the same name (firstname, lastname, email), which most directories do not provide, so the mapping below is normally needed.
Custom Attribute Mapping
```bash
# Map directory attributes onto Proxmox VE user fields and name imported groups by cn
pveum realm modify example-ldap --user_attr sAMAccountName \
    --sync_attributes "firstname=givenName,lastname=sn,email=mail" \
    --group_name_attr cn
```
LDAP Authentication
Bind DN Authentication
Users always authenticate by binding to the directory with their own credentials. The bind account is a separate, read-only service account that Proxmox VE uses to look up user DNs when anonymous search is disabled and to run realm syncs. Its password is stored root-only under /etc/pve/priv/realm/<realm>.pw, not in /etc/pve/domains.cfg.
```bash
# Set the service account used for lookups and sync (quote the password; mind your shell history)
pveum realm modify example-ldap \
    --bind_dn "cn=pve-bind,ou=svc,dc=example,dc=com" \
    --password 'use-a-long-random-secret'
```
Kerberos Authentication
Proxmox VE LDAP and Active Directory realms use simple LDAP binds only. There are no kerberos or keytab realm options and GSSAPI/Kerberos binds are not supported; protect the simple bind with LDAPS or STARTTLS and certificate verification instead.
Troubleshooting LDAP
Connection Test
There is no pveum ldap test command. A dry-run sync exercises the full realm configuration (TLS, bind, base DN, filters) without writing anything, and ldapsearch reproduces the same query outside Proxmox VE.
```bash
# Exercise the realm configuration end to end without changing any users or groups
pveum realm sync example-ldap --dry-run

# Check TLS, bind credentials, base DN and the user lookup with the same parameters
ldapsearch -H ldaps://ldap.example.com:636 \
    -D "cn=pve-bind,ou=svc,dc=example,dc=com" -W \
    -b "dc=example,dc=com" "(uid=alice)" dn uid mail
```
Login failures are logged by pvedaemon; follow them with journalctl -u pvedaemon -f while attempting a login.
Common Issues
| Error | Solution |
|---|---|
| Cannot connect | Check server, port and firewall; make sure mode and port agree (ldaps on 636, ldap or ldap+starttls on 389) |
| Certificate verify failed | The server certificate is not trusted: install the issuing CA in the directory given by capath (default /etc/ssl/certs) or fix the certificate; do not turn off verify |
| Authentication failed | Verify bind_dn and the stored password (/etc/pve/priv/realm/<realm>.pw); for ad realms also check domain |
| Users not found / no such user | Check base_dn, user_attr and filter; a directory user can only log in once the matching Proxmox VE user exists (created by hand or by realm sync) |
| Groups not syncing | Check group_dn, group_filter, group_classes and group_name_attr, and sync with --scope both or --scope groups |
Enterprise Integration
Azure AD
Microsoft Entra ID (formerly Azure AD) is not added as an LDAP realm and there is no azure realm type; it is connected as an OpenID Connect realm. Register an application in Entra, set the Proxmox VE web interface URL (https://<pve-host>:8006) as its redirect URI, and use the application (client) ID and a client secret:
```bash
# Entra ID as an OpenID Connect realm; the issuer URL is the tenant's v2.0 endpoint
pveum realm add entra --type openid \
    --issuer-url "https://login.microsoftonline.com/<tenant-id>/v2.0" \
    --client-id "<application-id>" \
    --client-key "<client-secret>" \
    --username-claim email \
    --autocreate 1
```
Okta
Okta is connected the same way, as an OpenID Connect realm (Proxmox VE has no SAML support): create an OIDC web application in Okta, set the Proxmox VE URL as its sign-in redirect URI, and use the authorization server's issuer URL together with its client ID and secret.
Security Considerations
- Use TLS: set mode to ldaps (or ldap+starttls) with verify 1. Plain ldap exposes the bind password and every user password on the wire, and TLS without verification lets an on-path attacker impersonate the directory and harvest the same credentials
- Service account: bind with a dedicated, read-only account created for Proxmox VE, never a directory administrator; its password sits in /etc/pve/priv/realm/<realm>.pw on every cluster node
- Least privilege: the bind account only needs read access to the user and group subtrees; grant Proxmox VE rights through ACLs on synced groups, not by widening the directory account
- Group filtering: set filter, group_dn and group_filter so only the needed users and groups are imported, and review a --dry-run before enabling remove-vanished=entry, which deletes Proxmox VE users that fall outside the filter
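The transport-related points above can be checked mechanically against a node's realm configuration. The script below is an added example written for this page, not Proxmox VE code. It parses the section-config layout of /etc/pve/domains.cfg (a `<type>: <realm>` header followed by indented `key value` lines; bind passwords live in /etc/pve/priv/realm/<realm>.pw and never appear here), flags ldap and ad realms that use plain ldap, skip certificate verification or sync without a user filter, and prints the `pveum realm modify` command that would fix each finding. The embedded configuration is constructed for the example; realm names, hosts and DNs are invented.

```python
"""Audit Proxmox VE realm definitions for weak LDAP/AD settings (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample in the layout of /etc/pve/domains.cfg (indentation may be tabs or spaces).
SAMPLE_DOMAINS_CFG = """\
pam: pam
        comment Linux PAM standard authentication

pve: pve
        comment Proxmox VE authentication server

ldap: example-ldap
        base_dn dc=example,dc=com
        server1 ldap.example.com
        user_attr uid
        mode ldap
        bind_dn cn=pve-bind,ou=svc,dc=example,dc=com

ad: corp
        domain corp.example.com
        base_dn DC=corp,DC=example,DC=com
        server1 ad1.corp.example.com
        server2 ad2.corp.example.com
        mode ldaps
        port 636
        verify 1
        bind_dn CN=svc-pve,OU=Service Accounts,DC=corp,DC=example,DC=com
        filter (memberOf=CN=Proxmox-Users,OU=Groups,DC=corp,DC=example,DC=com)
"""


@dataclass
class Realm:
    rtype: str                                   # pam, pve, ldap, ad, openid
    name: str                                    # realm name users log in with
    opts: dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    realm: str
    code: str
    detail: str
    fix: str                                     # pveum command that remediates the finding


def parse_domains_cfg(text: str) -> list[Realm]:
    """Parse section-config text: unindented '<type>: <name>' headers, indented 'key value' lines."""
    realms: list[Realm] = []
    current: Realm | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            rtype, sep, name = line.partition(":")
            if not sep:
                raise ValueError(f"malformed section header: {line!r}")
            current = Realm(rtype.strip(), name.strip())
            realms.append(current)
        elif current is not None:
            key, _, value = line.strip().partition(" ")   # value may itself contain spaces
            current.opts[key] = value.strip()
    return realms


def audit_realm(realm: Realm) -> list[Finding]:
    """Return findings for one realm; only ldap and ad realms talk to a directory."""
    if realm.rtype not in ("ldap", "ad"):
        return []
    o = realm.opts
    findings: list[Finding] = []
    # 'mode' defaults to plain ldap; the legacy 'secure 1' flag is equivalent to mode ldaps.
    mode = o.get("mode", "ldaps" if o.get("secure") == "1" else "ldap")
    if mode == "ldap":
        exposed = "the bind password and every user password" if "bind_dn" in o else "every user password"
        findings.append(Finding(realm.name, "plaintext-ldap",
                                f"mode is plain ldap, so {exposed} cross the network unencrypted",
                                f"pveum realm modify {realm.name} --mode ldaps --port 636 --verify 1"))
    elif o.get("verify") != "1":
        findings.append(Finding(realm.name, "no-cert-verify",
                                f"{mode} is used but the server certificate is not verified, "
                                "so an on-path attacker can impersonate the directory",
                                f"pveum realm modify {realm.name} --verify 1  # add --capath <dir> for a private CA"))
    if "filter" not in o:
        findings.append(Finding(realm.name, "unscoped-sync",
                                "no user filter: a realm sync imports every user object under base_dn",
                                f"pveum realm modify {realm.name} --filter '(memberOf=<group DN>)'"))
    return findings


def audit(text: str) -> dict[str, list[Finding]]:
    """Audit every realm in a domains.cfg text, keyed by realm name."""
    return {r.name: audit_realm(r) for r in parse_domains_cfg(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DOMAINS_CFG).items():
        print(f"[{name}] {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print(f"  - {f.code}: {f.detail}\n    fix: {f.fix}")
```

On a real node, replace SAMPLE_DOMAINS_CFG with the contents of /etc/pve/domains.cfg (readable by root). The unscoped-sync finding is informational rather than a defect; it is there because an unfiltered sync combined with remove-vanished=entry is the setting most likely to surprise an administrator.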