domains.cfg¶

Description¶

The file /etc/proxmox-backup/domains.cfg is a configuration file for Proxmox Backup Server. It contains the realm configuration.

File Format¶

This file contains the list authentication realms.

Each user configuration section starts with the header <realm-type>: <name>, followed by the realm's configuration options.

For LDAP realms, the LDAP bind password is stored in ldap_passwords.json.

openid: master
      client-id pbs
      comment
      issuer-url http://192.168.0.10:8080/realms/master
      username-claim username

ldap: ldap-server
      base-dn OU=People,DC=ldap-server,DC=example,DC=com
      mode ldaps
      server1 192.168.0.10
      sync-attributes email=mail
      sync-defaults-options enable-new=0,remove-vanished=acl;entry
      user-attr uid
      user-classes inetorgperson,posixaccount,person,user

You can use the proxmox-backup-manager openid, proxmox-backup-manager ldap and proxmox-backup-manager ad commands to manipulate this file.

Options¶

Section type 'ad': AD realm configuration properties.

Required properties:

server1<string>: AD server address

Optional properties:

base-dn<string>

LDAP Domain

bind-dn<string>

LDAP Domain

capath<string>

CA certificate to use for the server. The path can point to either a file, or a directory. If it points to a file, the PEM-formatted X.509 certificate stored at the path will be added as a trusted certificate. If the path points to a directory, the directory replaces the system's default certificate store at /etc/ssl/certs - Every file in the directory will be loaded as a trusted certificate.

comment<string>

Comment.

default<boolean> (default=false)

True if you want this to be the default realm selected on login.

filter<string>

Custom LDAP search filter for user sync

modeldap|ldap+starttls|ldaps (default=ldap)

LDAP connection type

port<integer> (0 - 65535)

AD server Port

server2<string>

Fallback AD server address

sync-attributes[[email=<string>] [,firstname=<string>] [,lastname=<string>]]

Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PBS user field. For example, to map the LDAP attribute mail to PBS's email, write email=mail.

email = <string>: Name of the LDAP attribute containing the user's email address
firstname = <string>: Name of the LDAP attribute containing the user's first name
lastname = <string>: Name of the LDAP attribute containing the user's last name

sync-defaults-options[[enable-new=<1|0>] [,remove-vanished=<string>]]

sync defaults options

enable-new = <boolean>: Enable new users after sync
remove-vanished = [acl|entry|properties, ...]: A semicolon-separated list of things to remove when they or the user vanishes during user synchronization. The following values are possible: entry removes the user when not returned from the sync; properties removes any properties on existing user that do not appear in the source. acl removes ACLs when the user is not returned from the sync.

user-classes[<string>, ...] (default=inetorgperson,posixaccount,person,user)

Comma-separated list of allowed objectClass values for user synchronization. For instance, if user-classes is set to person,user, then user synchronization will consider all LDAP entities where objectClass: person or objectClass: user.

verify<boolean> (default=false)

Verify server certificate

Section type 'ldap': LDAP configuration properties.

Required properties:

base-dn<string>: LDAP Domain
server1<string>: LDAP server address
user-attr<string>: Username attribute. Used to map a userid to LDAP to an LDAP dn.

Optional properties:

bind-dn<string>

LDAP Domain

capath<string>

CA certificate to use for the server. The path can point to either a file, or a directory. If it points to a file, the PEM-formatted X.509 certificate stored at the path will be added as a trusted certificate. If the path points to a directory, the directory replaces the system's default certificate store at /etc/ssl/certs - Every file in the directory will be loaded as a trusted certificate.

comment<string>

Comment.

default<boolean> (default=false)

True if you want this to be the default realm selected on login.

filter<string>

Custom LDAP search filter for user sync

modeldap|ldap+starttls|ldaps (default=ldap)

LDAP connection type

port<integer> (0 - 65535)

Port

server2<string>

Fallback LDAP server address

sync-attributes[[email=<string>] [,firstname=<string>] [,lastname=<string>]]

Comma-separated list of key=value pairs for specifying which LDAP attributes map to which PBS user field. For example, to map the LDAP attribute mail to PBS's email, write email=mail.

email = <string>: Name of the LDAP attribute containing the user's email address
firstname = <string>: Name of the LDAP attribute containing the user's first name
lastname = <string>: Name of the LDAP attribute containing the user's last name

sync-defaults-options[[enable-new=<1|0>] [,remove-vanished=<string>]]

sync defaults options

enable-new = <boolean>: Enable new users after sync
remove-vanished = [acl|entry|properties, ...]: A semicolon-separated list of things to remove when they or the user vanishes during user synchronization. The following values are possible: entry removes the user when not returned from the sync; properties removes any properties on existing user that do not appear in the source. acl removes ACLs when the user is not returned from the sync.

user-classes[<string>, ...] (default=inetorgperson,posixaccount,person,user)

Comma-separated list of allowed objectClass values for user synchronization. For instance, if user-classes is set to person,user, then user synchronization will consider all LDAP entities where objectClass: person or objectClass: user.

verify<boolean> (default=false)

Verify server certificate

Section type 'openid': OpenID configuration properties.

Required properties:

client-id<string>: OpenID Client ID
issuer-url<string>: OpenID Issuer Url

Optional properties:

acr-values[<string>, ...]: OpenID ACR List
autocreate<boolean> (default=false): Automatically create users if they do not exist.
client-key<string>: OpenID Client Key
comment<string>: Comment.
default<boolean> (default=false): True if you want this to be the default realm selected on login.
prompt<string>: OpenID Prompt
scopes[<string>, ...] (default=email profile): OpenID Scope List
username-claim<string>: Use the value of this attribute/claim as unique user name. It is up to the identity provider to guarantee the uniqueness. The OpenID specification only guarantees that Subject ('sub') is unique. Also make sure that the user is not allowed to change that attribute by himself!

Section type 'pam': Built-in PAM realm configuration properties.

Required properties:

typepam|pbs|openid|ldap|ad: type of the realm

Optional properties:

comment<string>: Comment.
default<boolean> (default=false): True if you want this to be the default realm selected on login.

Section type 'pbs': Built-in Proxmox Backup Server realm configuration properties.

Required properties:

typepam|pbs|openid|ldap|ad: type of the realm

Optional properties:

comment<string>: Comment.
default<boolean> (default=false): True if you want this to be the default realm selected on login.

Copyright and Disclaimer¶

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see http://www.gnu.org/licenses/

Proxmox Backup

Navigation

Related Topics

domains.cfg¶

Description¶

File Format¶

Options¶

Copyright and Disclaimer¶