kanidm/examples/proxmox.md
2024-12-04 21:42:34 +01:00


# Proxmox PVE/PBS

## Proxmox OIDC limitation

As of December 2024, the OIDC implementation in Proxmox supports only authentication. Authorization has to be done manually on the Proxmox side; mapping users to specific groups via claims won't work yet (so steps 2, 3 and 4 below have no effect in Proxmox today).

A patch for this feature exists, but it hasn't been tested extensively: https://lore.proxmox.com/pve-devel/20240901165512.687801-1-thomas@atskinner.net/ See also: https://forum.proxmox.com/threads/openid-connect-default-group.103394/

## On Kanidm

1. Create the Proxmox resource server

```shell
kanidm system oauth2 create proxmox "proxmox" https://yourproxmox.example.com
```

2. Create the appropriate group(s)

```shell
kanidm group create proxmox_users --name idm_admin
kanidm group create proxmox_admins --name idm_admin
```

3. Add the appropriate users to the groups

```shell
kanidm group add-members proxmox_users user.name
kanidm group add-members proxmox_admins user.name
```

4. Create the claim map (emits a `proxmox_role` claim based on group membership)

```shell
kanidm system oauth2 update-claim-map-join 'proxmox' 'proxmox_role' array
kanidm system oauth2 update-claim-map 'proxmox' 'proxmox_role' 'proxmox_admins' 'admin'
kanidm system oauth2 update-claim-map 'proxmox' 'proxmox_role' 'proxmox_users' 'user'
```

5. Add the scopes (members of `proxmox_users` are allowed to authenticate)

```shell
kanidm system oauth2 update-scope-map proxmox proxmox_users email profile openid
```

6. Get the client secret

```shell
kanidm system oauth2 show-basic-secret proxmox
```

Copy the value that is returned.

## On the Proxmox server

### Using the WebGUI

Go to https://yourproxmox.example.com and select Datacenter -> Realms -> Add -> OpenID Connect Server, then fill in:

- Issuer URL: `https://idm.example.com/oauth2/openid/proxmox` (the same value passed as `--issuer-url` in the CLI command below)
- Realm: give it a proper, meaningful name (the CLI example below uses `kanidm`); it becomes the `@realm` suffix of the created users
- Client ID: the name given in step 1 (resource server), `proxmox`
- Client Key: the secret from step 6
- Autocreate Users: automatically create users if they do not exist. Users are stored in the Proxmox Cluster File System (pmxcfs) at `/etc/pve/user.cfg`

### Using the CLI

Log in to a Proxmox node and execute:

```shell
pveum realm add kanidm --type openid \
  --issuer-url https://idm.example.com/oauth2/openid/proxmox \
  --client-id proxmox \
  --client-key="secret from step 6" \
  --username-claim username \
  --scopes="email profile openid" \
  --autocreate
```
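Because Proxmox cannot yet act on the `proxmox_role` claim, authorization stays a manual step on the node, and autocreated `@kanidm` users exist with whatever ACLs an admin hands out. The following added example (not part of the Kanidm or Proxmox projects) audits that gap: it consumes the JSON from `pveum user list --output-format json` and `pveum acl list --output-format json` (field names assumed from pveum's output, sample data constructed) and reports realm users with no ACL at all, plus users holding roles outside an assumed allowlist.

```python
import json

# Constructed sample in the shape of `pveum user list --output-format json`
# and `pveum acl list --output-format json` (field names assumed from pveum).
USERS_JSON = json.dumps([
    {"userid": "root@pam", "enable": 1},
    {"userid": "alice@kanidm", "enable": 1},    # autocreated, ACL assigned
    {"userid": "bob@kanidm", "enable": 1},      # autocreated, never authorized
    {"userid": "mallory@kanidm", "enable": 1},  # granted more than the allowlist
])
ACLS_JSON = json.dumps([
    {"path": "/", "roleid": "Administrator", "type": "user", "ugid": "root@pam", "propagate": 1},
    {"path": "/vms", "roleid": "PVEVMUser", "type": "user", "ugid": "alice@kanidm", "propagate": 1},
    {"path": "/", "roleid": "Administrator", "type": "user", "ugid": "mallory@kanidm", "propagate": 1},
])

# Roles OIDC users may hold. Proxmox cannot derive this from the proxmox_role
# claim yet, so the policy lives here, out of band (assumed policy, adjust to taste).
ALLOWED_ROLES = {"PVEVMUser", "PVEAuditor"}


def audit_realm_users(users_json: str, acls_json: str, realm: str = "kanidm") -> dict:
    """Return OIDC realm users with no ACL and users holding non-allowlisted roles.

    Only user-type ACL entries are considered; roles inherited through Proxmox
    groups are not resolved here.
    """
    users = {u["userid"] for u in json.loads(users_json)
             if u["userid"].endswith("@" + realm)}
    roles_by_user: dict[str, set[str]] = {u: set() for u in users}
    for acl in json.loads(acls_json):
        if acl["type"] == "user" and acl["ugid"] in roles_by_user:
            roles_by_user[acl["ugid"]].add(acl["roleid"])

    # Logged in via OIDC (autocreated) but never authorized: candidates for cleanup.
    no_acl = sorted(u for u, roles in roles_by_user.items() if not roles)
    # Holding a role the allowlist does not permit: review immediately.
    outside_allowlist = {u: sorted(roles - ALLOWED_ROLES)
                         for u, roles in roles_by_user.items() if roles - ALLOWED_ROLES}
    return {"no_acl": no_acl, "outside_allowlist": outside_allowlist}


if __name__ == "__main__":
    print(json.dumps(audit_realm_users(USERS_JSON, ACLS_JSON), indent=2))
```

On a real node, pipe the two `pveum ... --output-format json` outputs into `audit_realm_users` instead of the constructed samples.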