Manage authentication realms in Proxmox #23

Open

lae opened this issue Oct 24, 2017 · 9 comments

@lae
Owner

lae commented Oct 24, 2017

By default pam and pve are realms created within Proxmox for authenticating users into Proxmox. This supports most use cases. However, Proxmox supports LDAP/AD realms, which some users may want:

https://pve.proxmox.com/wiki/User_Management#pveum_authentication_realms

This role should introduce a proxmox_realm (or something else) module to help manage and create these realms.

For new contributors:

There are existing modules in library/ that can be used for reference for this issue. The PVE API documentation is also available at https://pve.proxmox.com/pve-docs/api-viewer/.

@trickert76
Collaborator

I'd like to make a try with LDAP in the next months.

@trickert76
Collaborator

Hint for myself: pvesh get /access/domains

trickert76 self-assigned this Nov 12, 2020
@edv-pi
Contributor

edv-pi commented Jul 7, 2024

I don't know why, but the task Configure domains.cfg in tasks/main.yml:399 is conflicting with the other domains.cfg related tasks. At some point the config gets written correctly, but after this task the syntax is wrong. If I exclude this task it is working.

[screenshots: realms_syntax_incorrect, realms_syntax_correct]

@edv-pi
Contributor

edv-pi commented Jul 7, 2024

Removing the task from main seems to be enough to fix it.

@lae
Owner Author

lae commented Jul 9, 2024

The tasks were duplicated by accident when I merged both #95 and #220 in order to keep @jfpanisset's commit as-is in history, but the second PR also had the same commit with a different hash. This could've been avoided if #220 was stacked on top of #95 (base branch), maybe, though maybe that doesn't work on PRs from forks.

This should be fixed in WIP branch release/v1.9.0.

@lae
Owner Author

lae commented Jul 10, 2024

The referenced PRs do introduce support for auth realms, but it is not implemented in the manner described in this ticket, so I'm leaving this open for now as a request to implement a proxmox_realm or similar module. The current implementation takes full responsibility for domains.cfg, whereas if this were implemented using a module and the PVE API, changes could be managed in a more hands-off approach (and we wouldn't have to risk having incorrect syntax in the file itself).

@trickert76
Collaborator

Oh. I forgot this ticket completely. Will have a look at it. What do you think, should it be solved with the module? All realm-specific getters/setters?

@trickert76
Collaborator

When I look into the API documentation there are a lot of possible attributes, and so a lot of possible wrong usage. I would prefer to have a module per authentication method, so each module could be a little bit cleaner. Something like:

LDAP Realms

```yaml
proxmox_realm_ldap:
    realm:
    base_dn:
    user_attr:
    server:
    fallback_server:
    port:
```

and integrate also the sync options for LDAP (bind dn, filter, etc.) or build a separate sync module too.

AD Realms

```yaml
proxmox_realm_active_directory:
    realm:
    domain:
    server:
    fallback_server:
    port:
```

OpenID Realms

```yaml
proxmox_realm_openid:
    realm:
    issuer:
    client-id:
    client-secret:
    autocreate:
    username-claim:
```
Then a task must filter out per type with when: 'ldap' in realm_type, what kind of realm to configure...

And I would try to use the pveum command line tool, because we could run into a chicken-and-egg problem for authentication of admin users before configuring the realm etc.

@lae
Copy link
Owner Author

lae commented Jul 10, 2024

I'm not really sure about creating separate modules considering a lot of code would probably get duplicated (or at least referenced if using a shared library)? We already do something similar for storage types in the proxmox_storage module. From my PoV it would just be this module retrofitted for realms, I think?

Also can you elaborate on the chicken and egg problem? I would assume pvesh would just configure the realms without needing to authenticate anything in advance...
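To make the two proposals above concrete (per-type modules versus one proxmox_realm module patterned on proxmox_storage), here is an added example sketching the core of the single-module design. It is example code written for this issue, not code from lae.proxmox, from the PRs mentioned, or from any commenter. It assumes the PVE API parameter names shown in its table (server1/server2, base_dn, user_attr, issuer-url, client-id, client-key, username-claim and so on, as listed in the API viewer for /access/domains), that `pvesh get`, `pvesh create` and `pvesh set` accept those names, and that a realm's type cannot be changed in place. The `pvesh get` output it runs against is a constructed sample embedded in the file, so it runs offline; on a real node you would drop the `runner` argument.

```python
"""Core of a single proxmox_realm-style module (example, not lae.proxmox's own
library code): one entry point for every realm type, a per-type parameter
table in the spirit of proxmox_storage, state read through `pvesh get`, and
changes applied with `pvesh create` / `pvesh set`, so the role never rewrites
/etc/pve/domains.cfg itself.  API parameter names are taken from the PVE API
viewer for /access/domains; treat them as assumptions to check on your version."""
import json
import subprocess

# Module option -> PVE API parameter, per realm type (assumed from the API viewer).
REALM_PARAMS = {
    "ldap": {"server": "server1", "fallback_server": "server2", "port": "port",
             "base_dn": "base_dn", "user_attr": "user_attr", "bind_dn": "bind_dn",
             "password": "password", "filter": "filter", "secure": "secure",
             "default": "default", "comment": "comment"},
    "ad": {"server": "server1", "fallback_server": "server2", "port": "port",
           "domain": "domain", "bind_dn": "bind_dn", "password": "password",
           "secure": "secure", "default": "default", "comment": "comment"},
    "openid": {"issuer": "issuer-url", "client_id": "client-id",
               "client_secret": "client-key", "autocreate": "autocreate",
               "username_claim": "username-claim", "default": "default",
               "comment": "comment"},
}
# Write-only on the API side: sent to PVE, never read back, so never compared.
SECRET_PARAMS = {"password", "client-key"}


def _norm(value):
    """pvesh JSON reports booleans as 1/0; compare everything as strings."""
    if isinstance(value, bool):
        return "1" if value else "0"
    return str(value)


def to_api_params(spec):
    """Translate one realm spec into PVE API parameters, rejecting unknown keys."""
    kind = spec.get("type")
    if kind not in REALM_PARAMS:
        raise ValueError("unsupported realm type: %r" % kind)
    table = REALM_PARAMS[kind]
    params = {}
    for key, value in spec.items():
        if key in ("realm", "type") or value is None:
            continue
        if key not in table:
            raise ValueError("option %r is not valid for a %s realm" % (key, kind))
        params[table[key]] = value
    return params


def pvesh_get(path, runner=None):
    """Parsed `pvesh get PATH --output-format json`; `runner` lets tests inject output."""
    cmd = ["pvesh", "get", path, "--output-format", "json"]
    out = runner(cmd) if runner else subprocess.check_output(cmd, text=True)
    return json.loads(out)


def plan(spec, runner=None):
    """Return ("create"|"set"|"noop", argv or None): the pvesh call, if any,
    that brings the realm to the desired state.  Only options the caller
    specified are managed; anything else in the realm is left alone."""
    realm = spec["realm"]
    wanted = to_api_params(spec)
    existing = {r["realm"]: r for r in pvesh_get("/access/domains", runner)}
    if realm not in existing:
        argv = ["pvesh", "create", "/access/domains", "--realm", realm, "--type", spec["type"]]
        for key in sorted(wanted):
            argv += ["--" + key, _norm(wanted[key])]
        return "create", argv
    if existing[realm]["type"] != spec["type"]:
        # Assumption: PVE does not let a realm change type; it must be recreated.
        raise ValueError("realm %s is %s, cannot become %s"
                         % (realm, existing[realm]["type"], spec["type"]))
    current = pvesh_get("/access/domains/%s" % realm, runner)
    changes = {k: v for k, v in wanted.items()
               if k not in SECRET_PARAMS and _norm(current.get(k, "")) != _norm(v)}
    if not changes:
        return "noop", None
    # Secrets cannot be read back, so re-send them whenever anything else changes.
    changes.update({k: v for k, v in wanted.items() if k in SECRET_PARAMS})
    argv = ["pvesh", "set", "/access/domains/" + realm]
    for key in sorted(changes):
        argv += ["--" + key, _norm(changes[key])]
    return "set", argv


# Constructed sample of what `pvesh get` returns on a node with pam, pve and one LDAP realm.
FAKE_PVESH = {
    "/access/domains": json.dumps([
        {"realm": "pam", "type": "pam", "comment": "Linux PAM standard authentication"},
        {"realm": "pve", "type": "pve", "comment": "Proxmox VE authentication server"},
        {"realm": "corp", "type": "ldap", "comment": "Corporate LDAP"},
    ]),
    "/access/domains/corp": json.dumps({
        "type": "ldap", "server1": "ldap.example.com", "port": 389,
        "base_dn": "dc=example,dc=com", "user_attr": "uid", "secure": 0,
        "comment": "Corporate LDAP",
    }),
}


def fake_runner(cmd):
    """Stand-in for subprocess: answers from the constructed FAKE_PVESH table."""
    return FAKE_PVESH[cmd[2]]


if __name__ == "__main__":
    ldaps = {"realm": "corp", "type": "ldap", "server": "ldap.example.com",
             "port": 636, "secure": True, "base_dn": "dc=example,dc=com"}
    print(plan(ldaps, fake_runner))
```

Two design points worth noting. The per-type table is what keeps one module honest about "a lot of possible attributes": an option that is not valid for the realm's type is rejected before anything touches the node, which is the same guard a per-type module would give. And because pvesh is run locally as root, it needs no ticket or API token, so there is no chicken-and-egg dependency on a realm existing before it can be configured.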


3 participants