Proxmox Sync users from AD on UCS

We have UCS providing our Active Directory domain, and we need to sync our AD users in PVE, but I cannot seem to get this to work (it worked fine with AD on Windows Server 2012).

Bind User = uid=Administrator,cn=Domain Admins,dc=mt,dc=house

Hi @ucs_mt,

Transport encryption is required, and you don’t have it enabled within Proxmox when configuring the LDAP simple bind to UCS, hence the connection fails. Probably it was not enabled when using Windows Server 2012, that’s why it worked there, but of course it was not secure, as everyone could read the passwords of all users in plain text when sniffing on the wire.

:information_source: To solve this issue, you have to import the UCS root CA on all Proxmox servers, to allow them to trust the connection. When this is done, you need to enable transport encryption in the PVE config when configuring the simple bind.

:see_no_evil: Haiyaa… I noticed from the PVE screenshots that you are trying to use an administrative user with very high domain rights for the simple bind. Of course, this would work, but be advised that this is a very high security risk.
:information_source: My recommendation is to create within UCS a separate srv_proxmox (ServiceAccount, aka. “Simple authentication account”) and to use this account for the simple bind between PVE and UCS. But NOT the Administrator :confounded:…

:woman_student: Knowledge sharing: UCS offers an integrated Identity Management System, which means the alternative to using an external LDAP server for user authentication in PVE is to use SAML/OpenID Connect. The benefit is SSO.

documentation

Best Lutz

2 Likes
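As an added illustration (not part of the thread), this is what the two setups look like in Proxmox’s realm store `/etc/pve/domains.cfg`, which PVE also writes when the realm is created through the GUI or `pveum realm add`. The base DN and the Administrator bind DN are taken from the original post; the server name `ucs.mt.house`, the CA path `/etc/pve/priv/ucs-root-ca.pem` and the `srv_proxmox` DN are assumptions.

```text
# Realm as described in the original question: plain LDAP on port 389,
# no certificate check, domain Administrator as bind user.
# The bind password and every user's login password cross the wire unencrypted.
ldap: ucs-insecure
    server1 ucs.mt.house
    port 389
    base_dn dc=mt,dc=house
    user_attr uid
    bind_dn uid=Administrator,cn=Domain Admins,dc=mt,dc=house
    mode ldap
    comment shown only for comparison, do not use

# Hardened realm following the recommendation above: LDAPS, server certificate
# verified against the imported UCS root CA, dedicated Simple authentication
# account for the bind. Assumed names: ucs.mt.house, srv_proxmox,
# /etc/pve/priv/ucs-root-ca.pem (under /etc/pve the CA file is replicated to
# every cluster node, so all PVE servers trust it).
ldap: ucs
    server1 ucs.mt.house
    port 636
    base_dn dc=mt,dc=house
    user_attr uid
    bind_dn uid=srv_proxmox,cn=users,dc=mt,dc=house
    mode ldaps
    verify 1
    capath /etc/pve/priv/ucs-root-ca.pem
    sync-defaults-options scope=both,enable-new=1
    comment UCS users via LDAPS, bind as service account
```

The bind password is not kept in this file; PVE stores it separately under `/etc/pve/priv/realm/<realm>.pw`, and the `#` comments are dropped when PVE rewrites the file.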

Thank you for your reply. It set us on the right path and we were able to get it working.
We also know that it’s not good practice to use the domain admin user for this, but we pay UCS per license, so we have to see if we have an extra seat for this additional user. :slight_smile:

1 Like

Sorry @ucs_mt, my reply “rant” regarding the Administrator was not meant to be offensive; with the additional context you provided I see that it could be read that way - sorry! Yes, licence considerations play a role, thanks for sharing that. As Berliner Linux User Group e.V. we do not have such constraints, as we use only the free components, so it is super easy to forget about that little fact… :see_no_evil:

However, in this specific case it may be worth getting in contact with UCS support or your CSM, as I think (I could be wrong on that; as said, we do not have these license constraints…) that a “Simple authentication account” does not count as a user you have to pay for.

1 Like

No need to apologize - no offense taken :wink:
Good point about the “Simple authentication account”. We will look into that.
Thanks again.