Proxmox Active Directory Sync
June 29, 2024
Active Directory user and group sync is a powerful feature within hypervisor environments, allowing administrators to manage resource access in their environment without requiring additional logins. Essentially, it allows Active Directory users to have a single sign-on that applies to both Windows and the hypervisor resources.
This functionality has long been included in VMware, but only at a premium, since vCenter is required, so it may come as a surprise to learn that Active Directory sync is also a feature of Proxmox, and can be used whether you have a single node or a large cluster.
Setup
In your Active Directory environment, you need to create a sync user for Proxmox. This user should be given a complex password that is set to never expire (unless you want to manage password rotation between Proxmox and Active Directory on a regular basis) and that the user cannot change.
If you are testing, you should also create additional users and groups so that you have something to sync across (you would expect these to already exist in a production environment).
Next, log in to Proxmox with a browser as root@pam. In the Datacenter section, click on “Realms”, then on “Add”, and then on “Active Directory Server”.
In the dialog box, enter a name for the realm, the Active Directory domain, and the IP address of the Active Directory domain controller. You should also enter the details of a secondary server in the “Failover Server” field, if you have one.
Click on the “Sync Options” tab, and then open a PowerShell window on your Active Directory server.
Run the following command:
Get-ADUser <sync-username-you-created-earlier>
For example:
Get-ADUser proxmoxsync
You should get some user details returned by the command.
Copy the distinguished name from the response into the “Bind User” field, and enter the user’s password in the “Bind Password” field. You should also set the scope (e.g. Users and Groups), and any other user/group filters and classes, to specify which users and groups will be synced to Proxmox.
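The Active Directory side of the steps above (sync account, test users and groups, the distinguished name for “Bind User”, and a preview of what a user filter will match) can be scripted with the ActiveDirectory PowerShell module. This is an added example, not from the original post; the domain name, OU paths, account and group names are assumptions to adjust for your own domain.

```powershell
# Added example (not from the original post): prepare the Active Directory side
# of a Proxmox realm sync. Domain, OU paths, account and group names are assumed.
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'                                  # assumed domain
$SyncOU   = 'OU=Service Accounts,DC=corp,DC=example,DC=com'     # assumed OU for the sync account
$TestOU   = 'OU=Lab,DC=corp,DC=example,DC=com'                  # assumed OU for test users/groups
$SyncName = 'proxmoxsync'

# 1. The sync (bind) account. The password is prompted for so it never lands in
#    a script or shell history; it never expires and the user cannot change it,
#    matching the guidance in the post.
$SyncPassword = Read-Host -Prompt "Password for $SyncName" -AsSecureString
New-ADUser -Name $SyncName `
           -SamAccountName $SyncName `
           -UserPrincipalName "$SyncName@$Domain" `
           -Path $SyncOU `
           -AccountPassword $SyncPassword `
           -Enabled $true `
           -PasswordNeverExpires $true `
           -CannotChangePassword $true `
           -Description 'Proxmox realm sync bind account (read-only directory access)'

# 2. A test group and two test users to sync (skip in production, where they already exist).
$GroupName = 'Proxmox Admins'
New-ADGroup -Name $GroupName -Path $TestOU -GroupScope Global -GroupCategory Security
foreach ($u in 'alice', 'bob') {
    $pw = Read-Host -Prompt "Password for test user $u" -AsSecureString
    New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@$Domain" `
               -Path $TestOU -AccountPassword $pw -Enabled $true
    Add-ADGroupMember -Identity $GroupName -Members $u
}

# 3. The value for the Proxmox "Bind User" field is the account's distinguished
#    name, not its sAMAccountName.
$BindDN = (Get-ADUser -Identity $SyncName).DistinguishedName
Write-Host "Bind User: $BindDN"

# 4. Preview the scope before entering a filter in the realm's "Sync Options":
#    running the same LDAP filter against the same base DN shows exactly which
#    users and groups the sync will pick up.
$UserFilter = "(memberOf=$((Get-ADGroup -Identity $GroupName).DistinguishedName))"
Get-ADUser  -LDAPFilter $UserFilter -SearchBase $TestOU |
    Select-Object SamAccountName, DistinguishedName
Get-ADGroup -LDAPFilter '(objectClass=group)' -SearchBase $TestOU |
    Select-Object Name, DistinguishedName
```

The sync account only reads the directory, which any ordinary domain user can do, so leave it out of privileged groups. Because the bind credentials are sent to the domain controller on every sync and every login, choose an encrypted mode (LDAPS or LDAP with STARTTLS) with certificate verification in the realm dialog rather than plain LDAP.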
In the Realms section, click on your new AD realm and then on “Sync”. You can now click on “Preview” to see what will be synchronised across to Proxmox.
You can then click on “Sync” to run the sync job manually.
When this completes, you should create a sync job for the realm: choose your realm, select a schedule, and then click “Create”.
The sync will now run on the schedule, synchronising the changes to users and groups across from Active Directory.
User and Group permissions can now be assigned to Active Directory users within Proxmox.
Video Demonstration
A video demonstration of the feature can be seen here