How to let a whole AD user group authenticate to a Proxmox server.
In the examples admin-devops is used as the AD group name; replace it with your own group. The DNs below (OU=Dienstkonten, OU=Gruppen, DC=god,DC=de) are likewise examples for your own directory layout.
1) Create a new Realm for the AD group in Proxmox.
In the Proxmox GUI go to Datacenter -> Permissions -> Realms -> Add -> Active Directory Server
Realm - an easy to read name such as "Admin-devops"
Domain / Server - your AD domain and the address of a domain controller (both required by the form)
Port default, No SSL, No TFA.
Caveat: with SSL off, the bind password and every user's login password cross the network in cleartext (LDAP on port 389). Enable SSL (LDAPS on port 636, with a CA the Proxmox host trusts) if your domain controllers support it; it is a one-field change in the same form.
Sync Options
Bind User - CN=service-ldap,OU=Dienstkonten,OU=GOD,DC=god,DC=de
Bind Password - take it from the Admins Password Vault for the user service-ldap (a read-only, non-admin service account is enough; it only needs to search users and groups)
User Filter - (memberOf=CN=admin-devops,OU=Gruppen,OU=GOD,DC=god,DC=de)
Note: memberOf matches direct members only. Users who are in admin-devops through a nested group are not imported unless the filter uses AD's transitive matching rule, e.g. (memberOf:1.2.840.113556.1.4.1941:=CN=admin-devops,OU=Gruppen,OU=GOD,DC=god,DC=de).
Group Filter - (|(sAMAccountName=admin-devops))
(The OR with a single term is equivalent to (sAMAccountName=admin-devops); the | form is only useful once you list several groups.)
Scope - Users and Groups
Enable new users - Yes
Remove Vanished - all Yes: ACL, Entry, Properties
2) Select the entry you just created and press the Sync button above it
Scope - Users and Groups, Enable new - Yes, all checkmarks in the Remove section
Preview - check that the expected users and the group are listed; nothing is written in preview mode.
Sync - if the Preview results look right, run the Sync. Do not run a sync with the Remove options enabled while the preview shows an empty or implausible user list: vanished entries and their ACLs are deleted.
3) Under Permissions -> Users you should now see the imported users
4) Press Permissions -> Add -> Group Permission
You have to add an ACL for the just-imported group
Path - / (or a narrower path, e.g. a single pool or node, if the group does not need access to everything)
Group - the group created by the sync (it is named after the AD group followed by the realm name, e.g. admin-devops-Admin-devops)
Role - Administrator (or a less privileged role if the group does not need full control)
5) Add automatic syncing. If your Proxmox version offers scheduled realm sync jobs in the Realms panel, use that; otherwise schedule it with cron as follows.
Go to the Proxmox server shell (logged in as root)
crontab -e
add this line (one line, no line break):
*/10 * * * * /usr/sbin/pveum realm sync "Admin-devops" --remove-vanished entry > /dev/null 2>&1
Use your actual Realm name in the line above instead of "Admin-devops".
Notes: the redirection must be written 2>&1 (no spaces), otherwise the shell reports a syntax error and the job never runs. --remove-vanished entry only deletes vanished user and group entries; to match the three checkboxes used in step 2 pass --remove-vanished "acl;properties;entry". Discarding all output hides sync failures; 2>&1 | logger -t realm-sync sends them to syslog instead.
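The bare cron line above has one failure mode worth guarding against: if the AD group is renamed or moved, or the user filter otherwise stops matching, the bind still succeeds, the sync sees zero users and, with Remove Vanished enabled, deletes every imported user together with their ACLs. The wrapper script below is an added example for this note, not Proxmox's own tooling. It counts the accounts AD currently returns for the realm's user filter (via ldapsearch from the ldap-utils package) and only passes --remove-vanished when that count is at least MIN_MEMBERS; a failed bind or unreachable DC aborts before pveum is called. The realm name, DNs, the hypothetical DC hostname dc1.god.de and the password-file path are assumptions to replace with your values.

```shell
#!/bin/sh
# realm-sync.sh - cron wrapper around "pveum realm sync" with a sanity check.
# Added example for this note, not Proxmox's own tooling. Assumptions (replace
# with your values): realm "Admin-devops", the bind DN and group DN from the
# note, a domain controller reachable as $LDAP_URI, and the bind password kept
# in a root-only file (chmod 600) so it never shows up on a command line.
# Requires ldap-utils (ldapsearch) on the Proxmox host.
set -eu

REALM="${REALM:-Admin-devops}"
LDAP_URI="${LDAP_URI:-ldap://dc1.god.de}"          # assumption: hostname of a DC
BASE_DN="DC=god,DC=de"
BIND_DN="CN=service-ldap,OU=Dienstkonten,OU=GOD,DC=god,DC=de"
BIND_PW_FILE="${BIND_PW_FILE:-/root/.realm-sync.pw}"   # assumption: path
GROUP_DN="CN=admin-devops,OU=Gruppen,OU=GOD,DC=god,DC=de"
MIN_MEMBERS="${MIN_MEMBERS:-1}"   # below this, never remove vanished entries

# Ask AD how many accounts currently match the realm's user filter. A failed
# bind or an unreachable DC makes ldapsearch exit non-zero, and set -e then
# aborts the whole run before pveum is touched.
count_members() {
    out=$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
          -b "$BASE_DN" "(memberOf=$GROUP_DN)" sAMAccountName)
    printf '%s\n' "$out" | grep -c '^sAMAccountName:' || true
}

# Decide what to pass to --remove-vanished. $1 = members AD returned,
# $2 = minimum acceptable. Prints the full list (same as the three GUI
# checkboxes) when the count looks sane, or nothing when it does not, so a
# renamed or moved group cannot wipe every user and their ACLs in one sync.
vanished_policy() {
    if [ "$1" -ge "$2" ]; then
        printf 'acl;properties;entry'
    else
        printf ''
    fi
}

run_sync() {
    n=$(count_members)
    policy=$(vanished_policy "$n" "$MIN_MEMBERS")
    if [ -n "$policy" ]; then
        pveum realm sync "$REALM" --enable-new 1 --remove-vanished "$policy"
    else
        logger -t realm-sync "only $n member(s) visible for $GROUP_DN; syncing without removing vanished entries"
        pveum realm sync "$REALM" --enable-new 1
    fi
}

case "${1:-}" in
    # "preview" is the CLI counterpart of the GUI Preview button: nothing is written.
    preview) pveum realm sync "$REALM" --dry-run 1 --remove-vanished "acl;properties;entry" ;;
    run)     run_sync ;;
esac
```

Install it as /usr/local/sbin/realm-sync.sh (root-owned, mode 700), run "realm-sync.sh preview" once by hand to confirm the output matches the GUI preview, then replace the cron line with: */10 * * * * /usr/local/sbin/realm-sync.sh run 2>&1 | logger -t realm-sync. The ldapsearch filter deliberately repeats the realm's User Filter; if you change one, change the other.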
6) Temporarily add a user to your AD group, wait for the next cron run, and check in the Proxmox interface that the user has been created
Test that the imported user can log in to Proxmox by selecting the new Realm on the login screen and entering AD credentials
Remove the temporary user from the group, wait for the next cron run, and check in the Proxmox interface that the user has been removed
You are done.