published on Sunday, Apr 5, 2026 by Daniel Muehlbachler-Pietrzykowski
Manages an LDAP authentication realm in Proxmox VE.
LDAP realms allow Proxmox to authenticate users against an LDAP directory service.
Privileges Required
| Path | Attribute |
|---|---|
| /access/domains | Realm.Allocate |
Notes
Password Security
The bindPassword is sent to Proxmox and stored securely, but it’s never returned by the API. This means:
- Terraform cannot detect if the password was changed outside of Terraform
- You must maintain the password in your Terraform configuration or use a variable
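- The password will be marked as sensitive in Terraform state. Marking it sensitive redacts the value from plan and CLI output; the value is still recorded in the state, so the state backend and its encryption settings need the same protection as the password itself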
LDAP vs LDAPS
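- LDAP (port 389): Unencrypted connection; the bind password and the passwords users enter at login cross the network in clear text. Not recommended for production.
- LDAPS (port 636): Encrypted connection using SSL/TLS. Recommended for production.
- LDAP+StartTLS: Upgrades a plain LDAP connection to TLS. Alternative to LDAPS.
- For either encrypted mode, set verify to true (and caPath when the server certificate is issued by a private CA): encryption without certificate verification does not authenticate the LDAP server.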
User Synchronization
To trigger synchronization, use the proxmoxve.realm.Sync resource.
Common Configuration Scenarios
Anonymous Binding
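For testing or public LDAP servers, omit bindDn and bindPassword to use anonymous binding. The example below sets no mode, so it relies on the default connection mode; the passwords users enter at login are still sent to the LDAP server, so choose an encrypted mode outside of testing: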
import * as pulumi from "@pulumi/pulumi";
import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
// Anonymous-bind realm: bindDn and bindPassword are left out on purpose.
// mode is not set in this example, so the default connection mode applies.
const anonymousRealmArgs: proxmoxve.realm.LdapArgs = {
    realm: "public-ldap",
    server1: "ldap.example.com",
    baseDn: "ou=users,dc=example,dc=com",
    userAttr: "uid",
};
const anonymous = new proxmoxve.realm.Ldap("anonymous", anonymousRealmArgs);
import pulumi
import pulumi_proxmoxve as proxmoxve
# Anonymous-bind realm: bind_dn and bind_password are left out on purpose.
# mode is not set in this example, so the default connection mode applies.
anonymous_realm_args = {
    "realm": "public-ldap",
    "server1": "ldap.example.com",
    "base_dn": "ou=users,dc=example,dc=com",
    "user_attr": "uid",
}
anonymous = proxmoxve.realm.Ldap("anonymous", **anonymous_realm_args)
package main
import (
"github.com/muhlba91/pulumi-proxmoxve/sdk/v8/go/proxmoxve/realm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a single LDAP realm that uses anonymous binding:
// BindDn and BindPassword are not set.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Mode is not set in this example, so the default connection mode applies.
		anonymousArgs := &realm.LdapArgs{
			Realm:    pulumi.String("public-ldap"),
			Server1:  pulumi.String("ldap.example.com"),
			BaseDn:   pulumi.String("ou=users,dc=example,dc=com"),
			UserAttr: pulumi.String("uid"),
		}
		// The resource handle is not needed afterwards; only the error is propagated.
		_, err := realm.NewLdap(ctx, "anonymous", anonymousArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using ProxmoxVE = Pulumi.ProxmoxVE;
// Anonymous-bind realm: BindDn and BindPassword are left out on purpose.
// Mode is not set in this example, so the default connection mode applies.
return await Deployment.RunAsync(() =>
{
    var anonymousArgs = new ProxmoxVE.Realm.LdapArgs
    {
        Realm = "public-ldap",
        Server1 = "ldap.example.com",
        BaseDn = "ou=users,dc=example,dc=com",
        UserAttr = "uid",
    };

    var anonymous = new ProxmoxVE.Realm.Ldap("anonymous", anonymousArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import io.muehlbachler.pulumi.proxmoxve.realm.Ldap;
import io.muehlbachler.pulumi.proxmoxve.realm.LdapArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Pulumi program that declares one LDAP realm using anonymous binding. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the "anonymous" realm. bindDn and bindPassword are left out on
     * purpose; mode is not set, so the default connection mode applies.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        final LdapArgs anonymousArgs = LdapArgs.builder()
            .realm("public-ldap")
            .server1("ldap.example.com")
            .baseDn("ou=users,dc=example,dc=com")
            .userAttr("uid")
            .build();

        final Ldap anonymous = new Ldap("anonymous", anonymousArgs);
    }
}
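# Anonymous-bind realm: bindDn and bindPassword are left out on purpose.
# mode is not set in this example, so the default connection mode applies.
# Nesting restored: the resource sits under `resources`, its inputs under `properties`.
resources:
  anonymous:
    type: proxmoxve:realm:Ldap
    properties:
      realm: public-ldap
      server1: ldap.example.com
      baseDn: ou=users,dc=example,dc=com
      userAttr: uid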
Secure LDAPS with Failover
import * as pulumi from "@pulumi/pulumi";
import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
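// The original snippet used ldapPassword without declaring it. Read it from
// stack configuration as a secret so the bind password is never hard-coded:
//   pulumi config set --secret ldapPassword
const config = new pulumi.Config();
const ldapPassword = config.requireSecret("ldapPassword");

// LDAPS realm with a fallback server (server2). verify together with caPath
// makes Proxmox check the LDAP server certificate against the given CA file.
const secure = new proxmoxve.realm.Ldap("secure", {
    realm: "secure-ldap",
    server1: "ldap1.example.com",
    server2: "ldap2.example.com",
    port: 636,
    baseDn: "ou=users,dc=example,dc=com",
    // Read-only service account, as the DN in this example suggests.
    bindDn: "cn=readonly,dc=example,dc=com",
    bindPassword: ldapPassword,
    mode: "ldaps",
    verify: true,
    caPath: "/etc/pve/priv/ca.crt",
});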
import pulumi
import pulumi_proxmoxve as proxmoxve
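# The original snippet used ldap_password without declaring it. Read it from
# stack configuration as a secret so the bind password is never hard-coded:
#   pulumi config set --secret ldapPassword
config = pulumi.Config()
ldap_password = config.require_secret("ldapPassword")

# LDAPS realm with a fallback server (server2). verify together with ca_path
# makes Proxmox check the LDAP server certificate against the given CA file.
secure = proxmoxve.realm.Ldap(
    "secure",
    realm="secure-ldap",
    server1="ldap1.example.com",
    server2="ldap2.example.com",
    port=636,
    base_dn="ou=users,dc=example,dc=com",
    # Read-only service account, as the DN in this example suggests.
    bind_dn="cn=readonly,dc=example,dc=com",
    bind_password=ldap_password,
    mode="ldaps",
    verify=True,
    ca_path="/etc/pve/priv/ca.crt",
)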
package main
import (
"github.com/muhlba91/pulumi-proxmoxve/sdk/v8/go/proxmoxve/realm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares an LDAPS realm with a fallback server (Server2).
//
// NOTE(review): ldapPassword is not declared in this snippet; it is expected
// to hold the bind password and should come from a secret configuration value
// rather than a literal.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		secureArgs := &realm.LdapArgs{
			Realm:        pulumi.String("secure-ldap"),
			Server1:      pulumi.String("ldap1.example.com"),
			Server2:      pulumi.String("ldap2.example.com"),
			Port:         pulumi.Int(636),
			BaseDn:       pulumi.String("ou=users,dc=example,dc=com"),
			BindDn:       pulumi.String("cn=readonly,dc=example,dc=com"),
			BindPassword: pulumi.Any(ldapPassword),
			Mode:         pulumi.String("ldaps"),
			// Verify plus CaPath: the server certificate is checked against this CA file.
			Verify: pulumi.Bool(true),
			CaPath: pulumi.String("/etc/pve/priv/ca.crt"),
		}
		// The resource handle is not needed afterwards; only the error is propagated.
		_, err := realm.NewLdap(ctx, "secure", secureArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using ProxmoxVE = Pulumi.ProxmoxVE;
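return await Deployment.RunAsync(() =>
{
    // The original snippet used ldapPassword without declaring it. Read it from
    // stack configuration as a secret so the bind password is never hard-coded:
    //   pulumi config set --secret ldapPassword
    var config = new Config();
    var ldapPassword = config.RequireSecret("ldapPassword");

    // LDAPS realm with a fallback server (Server2). Verify together with CaPath
    // makes Proxmox check the LDAP server certificate against the given CA file.
    var secure = new ProxmoxVE.Realm.Ldap("secure", new()
    {
        Realm = "secure-ldap",
        Server1 = "ldap1.example.com",
        Server2 = "ldap2.example.com",
        // The generated example contained a code-generator panic message here;
        // the value it failed to render is 636, the LDAPS port used in the
        // other language tabs.
        Port = 636,
        BaseDn = "ou=users,dc=example,dc=com",
        BindDn = "cn=readonly,dc=example,dc=com",
        BindPassword = ldapPassword,
        Mode = "ldaps",
        Verify = true,
        CaPath = "/etc/pve/priv/ca.crt",
    });
});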
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import io.muehlbachler.pulumi.proxmoxve.realm.Ldap;
import io.muehlbachler.pulumi.proxmoxve.realm.LdapArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
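/** Pulumi program that declares an LDAPS realm with a fallback server. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the "secure" realm. verify together with caPath makes Proxmox
     * check the LDAP server certificate against the given CA file.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // The original snippet used ldapPassword without declaring it. Read it
        // from stack configuration as a secret so it is never hard-coded:
        //   pulumi config set --secret ldapPassword
        final Output<String> ldapPassword = ctx.config().requireSecret("ldapPassword");

        var secure = new Ldap("secure", LdapArgs.builder()
            .realm("secure-ldap")
            .server1("ldap1.example.com")
            .server2("ldap2.example.com")
            // The generated example contained a code-generator panic message
            // here; the value it failed to render is 636, the LDAPS port used
            // in the other language tabs.
            .port(636)
            .baseDn("ou=users,dc=example,dc=com")
            .bindDn("cn=readonly,dc=example,dc=com")
            .bindPassword(ldapPassword)
            .mode("ldaps")
            .verify(true)
            .caPath("/etc/pve/priv/ca.crt")
            .build());
    }
}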
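# LDAPS realm with a fallback server (server2). verify together with caPath
# makes Proxmox check the LDAP server certificate against the given CA file.
# Nesting restored: the resource sits under `resources`, its inputs under `properties`.
resources:
  secure:
    type: proxmoxve:realm:Ldap
    properties:
      realm: secure-ldap
      server1: ldap1.example.com
      server2: ldap2.example.com
      port: 636
      baseDn: ou=users,dc=example,dc=com
      bindDn: cn=readonly,dc=example,dc=com
      # NOTE(review): ldapPassword is not declared in this snippet; supply it
      # as a secret configuration value rather than a literal.
      bindPassword: ${ldapPassword}
      mode: ldaps
      verify: true
      caPath: /etc/pve/priv/ca.crt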
With Group Synchronization
import * as pulumi from "@pulumi/pulumi";
import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
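// The original snippet used ldapPassword without declaring it. Read it from
// stack configuration as a secret so the bind password is never hard-coded:
//   pulumi config set --secret ldapPassword
const config = new pulumi.Config();
const ldapPassword = config.requireSecret("ldapPassword");

// Realm that syncs users and groups over StartTLS.
// NOTE(review): verify is not set in this example. StartTLS encrypts the
// session, but the server certificate is only checked when verification is
// on; the Secure LDAPS example on this page sets verify and caPath.
const withGroups = new proxmoxve.realm.Ldap("with_groups", {
    realm: "corporate-ldap",
    server1: "ldap.corp.example.com",
    baseDn: "ou=users,dc=corp,dc=example,dc=com",
    bindDn: "cn=svc_ldap,ou=services,dc=corp,dc=example,dc=com",
    bindPassword: ldapPassword,
    mode: "ldap+starttls",
    groupDn: "ou=groups,dc=corp,dc=example,dc=com",
    groupFilter: "(objectClass=groupOfNames)",
    groupNameAttr: "cn",
    syncAttributes: "email=mail,firstname=givenName,lastname=sn",
    // scope=both covers users and groups; enable-new=1 presumably enables
    // accounts as soon as a sync creates them - confirm before pairing it
    // with a broad baseDn.
    syncDefaultsOptions: "scope=both,enable-new=1",
});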
import pulumi
import pulumi_proxmoxve as proxmoxve
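# The original snippet used ldap_password without declaring it. Read it from
# stack configuration as a secret so the bind password is never hard-coded:
#   pulumi config set --secret ldapPassword
config = pulumi.Config()
ldap_password = config.require_secret("ldapPassword")

# Realm that syncs users and groups over StartTLS.
# NOTE(review): verify is not set in this example. StartTLS encrypts the
# session, but the server certificate is only checked when verification is
# on; the Secure LDAPS example on this page sets verify and ca_path.
with_groups = proxmoxve.realm.Ldap(
    "with_groups",
    realm="corporate-ldap",
    server1="ldap.corp.example.com",
    base_dn="ou=users,dc=corp,dc=example,dc=com",
    bind_dn="cn=svc_ldap,ou=services,dc=corp,dc=example,dc=com",
    bind_password=ldap_password,
    mode="ldap+starttls",
    group_dn="ou=groups,dc=corp,dc=example,dc=com",
    group_filter="(objectClass=groupOfNames)",
    group_name_attr="cn",
    sync_attributes="email=mail,firstname=givenName,lastname=sn",
    # scope=both covers users and groups; enable-new=1 presumably enables
    # accounts as soon as a sync creates them - confirm before pairing it
    # with a broad base_dn.
    sync_defaults_options="scope=both,enable-new=1",
)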
package main
import (
"github.com/muhlba91/pulumi-proxmoxve/sdk/v8/go/proxmoxve/realm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a realm that syncs users and groups over StartTLS.
//
// NOTE(review): ldapPassword is not declared in this snippet; it is expected
// to hold the bind password and should come from a secret configuration value
// rather than a literal.
// NOTE(review): Verify is not set in this example. StartTLS encrypts the
// session, but the server certificate is only checked when verification is
// on; the Secure LDAPS example on this page sets Verify and CaPath.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		groupSyncArgs := &realm.LdapArgs{
			Realm:          pulumi.String("corporate-ldap"),
			Server1:        pulumi.String("ldap.corp.example.com"),
			BaseDn:         pulumi.String("ou=users,dc=corp,dc=example,dc=com"),
			BindDn:         pulumi.String("cn=svc_ldap,ou=services,dc=corp,dc=example,dc=com"),
			BindPassword:   pulumi.Any(ldapPassword),
			Mode:           pulumi.String("ldap+starttls"),
			GroupDn:        pulumi.String("ou=groups,dc=corp,dc=example,dc=com"),
			GroupFilter:    pulumi.String("(objectClass=groupOfNames)"),
			GroupNameAttr:  pulumi.String("cn"),
			SyncAttributes: pulumi.String("email=mail,firstname=givenName,lastname=sn"),
			// scope=both covers users and groups; enable-new=1 presumably enables
			// accounts as soon as a sync creates them - confirm before use.
			SyncDefaultsOptions: pulumi.String("scope=both,enable-new=1"),
		}
		// The resource handle is not needed afterwards; only the error is propagated.
		_, err := realm.NewLdap(ctx, "with_groups", groupSyncArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using ProxmoxVE = Pulumi.ProxmoxVE;
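return await Deployment.RunAsync(() =>
{
    // The original snippet used ldapPassword without declaring it. Read it from
    // stack configuration as a secret so the bind password is never hard-coded:
    //   pulumi config set --secret ldapPassword
    var config = new Config();
    var ldapPassword = config.RequireSecret("ldapPassword");

    // Realm that syncs users and groups over StartTLS.
    // NOTE(review): Verify is not set in this example. StartTLS encrypts the
    // session, but the server certificate is only checked when verification is
    // on; the Secure LDAPS example on this page sets Verify and CaPath.
    var withGroups = new ProxmoxVE.Realm.Ldap("with_groups", new()
    {
        Realm = "corporate-ldap",
        Server1 = "ldap.corp.example.com",
        BaseDn = "ou=users,dc=corp,dc=example,dc=com",
        BindDn = "cn=svc_ldap,ou=services,dc=corp,dc=example,dc=com",
        BindPassword = ldapPassword,
        Mode = "ldap+starttls",
        GroupDn = "ou=groups,dc=corp,dc=example,dc=com",
        GroupFilter = "(objectClass=groupOfNames)",
        GroupNameAttr = "cn",
        SyncAttributes = "email=mail,firstname=givenName,lastname=sn",
        // scope=both covers users and groups; enable-new=1 presumably enables
        // accounts as soon as a sync creates them - confirm before use.
        SyncDefaultsOptions = "scope=both,enable-new=1",
    });
});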
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import io.muehlbachler.pulumi.proxmoxve.realm.Ldap;
import io.muehlbachler.pulumi.proxmoxve.realm.LdapArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
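/** Pulumi program that declares a realm syncing users and groups over StartTLS. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the "with_groups" realm.
     *
     * NOTE(review): verify is not set in this example. StartTLS encrypts the
     * session, but the server certificate is only checked when verification is
     * on; the Secure LDAPS example on this page sets verify and caPath.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // The original snippet used ldapPassword without declaring it. Read it
        // from stack configuration as a secret so it is never hard-coded:
        //   pulumi config set --secret ldapPassword
        final Output<String> ldapPassword = ctx.config().requireSecret("ldapPassword");

        // Resource name aligned with the other language tabs ("with_groups");
        // the generated Java used "withGroups".
        var withGroups = new Ldap("with_groups", LdapArgs.builder()
            .realm("corporate-ldap")
            .server1("ldap.corp.example.com")
            .baseDn("ou=users,dc=corp,dc=example,dc=com")
            .bindDn("cn=svc_ldap,ou=services,dc=corp,dc=example,dc=com")
            .bindPassword(ldapPassword)
            .mode("ldap+starttls")
            .groupDn("ou=groups,dc=corp,dc=example,dc=com")
            .groupFilter("(objectClass=groupOfNames)")
            .groupNameAttr("cn")
            .syncAttributes("email=mail,firstname=givenName,lastname=sn")
            // scope=both covers users and groups; enable-new=1 presumably enables
            // accounts as soon as a sync creates them - confirm before use.
            .syncDefaultsOptions("scope=both,enable-new=1")
            .build());
    }
}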
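# Realm that syncs users and groups over StartTLS.
# NOTE(review): verify is not set in this example. StartTLS encrypts the
# session, but the server certificate is only checked when verification is
# on; the Secure LDAPS example on this page sets verify and caPath.
# Nesting restored: the resource sits under `resources`, its inputs under `properties`.
resources:
  withGroups:
    type: proxmoxve:realm:Ldap
    name: with_groups
    properties:
      realm: corporate-ldap
      server1: ldap.corp.example.com
      baseDn: ou=users,dc=corp,dc=example,dc=com
      bindDn: cn=svc_ldap,ou=services,dc=corp,dc=example,dc=com
      # NOTE(review): ldapPassword is not declared in this snippet; supply it
      # as a secret configuration value rather than a literal.
      bindPassword: ${ldapPassword}
      mode: ldap+starttls
      groupDn: ou=groups,dc=corp,dc=example,dc=com
      groupFilter: (objectClass=groupOfNames)
      groupNameAttr: cn
      syncAttributes: email=mail,firstname=givenName,lastname=sn
      # scope=both covers users and groups; enable-new=1 presumably enables
      # accounts as soon as a sync creates them - confirm before use.
      syncDefaultsOptions: scope=both,enable-new=1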
See Also
Create Ldap Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Ldap(name: string, args: LdapArgs, opts?: CustomResourceOptions);
@overload
def Ldap(resource_name: str,
args: LdapArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Ldap(resource_name: str,
opts: Optional[ResourceOptions] = None,
base_dn: Optional[str] = None,
server1: Optional[str] = None,
realm: Optional[str] = None,
cert_path: Optional[str] = None,
mode: Optional[str] = None,
cert_key_path: Optional[str] = None,
ca_path: Optional[str] = None,
comment: Optional[str] = None,
default: Optional[bool] = None,
filter: Optional[str] = None,
group_classes: Optional[str] = None,
group_dn: Optional[str] = None,
group_filter: Optional[str] = None,
group_name_attr: Optional[str] = None,
case_sensitive: Optional[bool] = None,
port: Optional[int] = None,
bind_password: Optional[str] = None,
secure: Optional[bool] = None,
bind_dn: Optional[str] = None,
server2: Optional[str] = None,
ssl_version: Optional[str] = None,
sync_attributes: Optional[str] = None,
sync_defaults_options: Optional[str] = None,
user_attr: Optional[str] = None,
user_classes: Optional[str] = None,
verify: Optional[bool] = None)
func NewLdap(ctx *Context, name string, args LdapArgs, opts ...ResourceOption) (*Ldap, error)
public Ldap(string name, LdapArgs args, CustomResourceOptions? opts = null)
type: proxmoxve:realm:Ldap
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args LdapArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args LdapArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args LdapArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args LdapArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args LdapArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
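The following reference example uses placeholder values for all input properties. The values only indicate each property's type: the literal bindPassword and verify set to false are placeholders, not recommended settings.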
var ldapResource = new ProxmoxVE.Realm.Ldap("ldapResource", new()
{
BaseDn = "string",
Server1 = "string",
Realm = "string",
CertPath = "string",
Mode = "string",
CertKeyPath = "string",
CaPath = "string",
Comment = "string",
Default = false,
Filter = "string",
GroupClasses = "string",
GroupDn = "string",
GroupFilter = "string",
GroupNameAttr = "string",
CaseSensitive = false,
Port = 0,
BindPassword = "string",
BindDn = "string",
Server2 = "string",
SslVersion = "string",
SyncAttributes = "string",
SyncDefaultsOptions = "string",
UserAttr = "string",
UserClasses = "string",
Verify = false,
});
example, err := realm.NewLdap(ctx, "ldapResource", &realm.LdapArgs{
BaseDn: pulumi.String("string"),
Server1: pulumi.String("string"),
Realm: pulumi.String("string"),
CertPath: pulumi.String("string"),
Mode: pulumi.String("string"),
CertKeyPath: pulumi.String("string"),
CaPath: pulumi.String("string"),
Comment: pulumi.String("string"),
Default: pulumi.Bool(false),
Filter: pulumi.String("string"),
GroupClasses: pulumi.String("string"),
GroupDn: pulumi.String("string"),
GroupFilter: pulumi.String("string"),
GroupNameAttr: pulumi.String("string"),
CaseSensitive: pulumi.Bool(false),
Port: pulumi.Int(0),
BindPassword: pulumi.String("string"),
BindDn: pulumi.String("string"),
Server2: pulumi.String("string"),
SslVersion: pulumi.String("string"),
SyncAttributes: pulumi.String("string"),
SyncDefaultsOptions: pulumi.String("string"),
UserAttr: pulumi.String("string"),
UserClasses: pulumi.String("string"),
Verify: pulumi.Bool(false),
})
var ldapResource = new Ldap("ldapResource", LdapArgs.builder()
.baseDn("string")
.server1("string")
.realm("string")
.certPath("string")
.mode("string")
.certKeyPath("string")
.caPath("string")
.comment("string")
.default_(false)
.filter("string")
.groupClasses("string")
.groupDn("string")
.groupFilter("string")
.groupNameAttr("string")
.caseSensitive(false)
.port(0)
.bindPassword("string")
.bindDn("string")
.server2("string")
.sslVersion("string")
.syncAttributes("string")
.syncDefaultsOptions("string")
.userAttr("string")
.userClasses("string")
.verify(false)
.build());
ldap_resource = proxmoxve.realm.Ldap("ldapResource",
base_dn="string",
server1="string",
realm="string",
cert_path="string",
mode="string",
cert_key_path="string",
ca_path="string",
comment="string",
default=False,
filter="string",
group_classes="string",
group_dn="string",
group_filter="string",
group_name_attr="string",
case_sensitive=False,
port=0,
bind_password="string",
bind_dn="string",
server2="string",
ssl_version="string",
sync_attributes="string",
sync_defaults_options="string",
user_attr="string",
user_classes="string",
verify=False)
const ldapResource = new proxmoxve.realm.Ldap("ldapResource", {
baseDn: "string",
server1: "string",
realm: "string",
certPath: "string",
mode: "string",
certKeyPath: "string",
caPath: "string",
comment: "string",
"default": false,
filter: "string",
groupClasses: "string",
groupDn: "string",
groupFilter: "string",
groupNameAttr: "string",
caseSensitive: false,
port: 0,
bindPassword: "string",
bindDn: "string",
server2: "string",
sslVersion: "string",
syncAttributes: "string",
syncDefaultsOptions: "string",
userAttr: "string",
userClasses: "string",
verify: false,
});
type: proxmoxve:realm:Ldap
properties:
baseDn: string
bindDn: string
bindPassword: string
caPath: string
caseSensitive: false
certKeyPath: string
certPath: string
comment: string
default: false
filter: string
groupClasses: string
groupDn: string
groupFilter: string
groupNameAttr: string
mode: string
port: 0
realm: string
server1: string
server2: string
sslVersion: string
syncAttributes: string
syncDefaultsOptions: string
userAttr: string
userClasses: string
verify: false
Ldap Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Ldap resource accepts the following input properties:
- Base
Dn string - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- Realm string
- Realm identifier (e.g., 'example.com').
- Server1 string
- Primary LDAP server hostname or IP address.
- Bind
Dn string - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- Bind
Password string - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- Ca
Path string - Path to CA certificate file for SSL verification.
- Case
Sensitive bool - Enable case-sensitive username matching.
- Cert
Key stringPath - Path to client certificate key.
- Cert
Path string - Path to client certificate for SSL authentication.
- Comment string
- Description of the realm.
- Default bool
- Use this realm as the default for login.
- Filter string
- LDAP filter for user searches.
- Group
Classes string - LDAP objectClasses for groups (comma-separated).
- Group
Dn string - LDAP base DN for group searches.
- Group
Filter string - LDAP filter for group searches.
- Group
Name stringAttr - LDAP attribute representing the group name.
- Mode string
- LDAP connection mode (ldap, ldaps, ldap+starttls).
- Port int
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- Secure bool
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP.
- Server2 string
- Fallback LDAP server hostname or IP address.
- Ssl
Version string - SSL/TLS version (tlsv1, tlsv11, tlsv12, tlsv1_3).
- Sync
Attributes string - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- Sync
Defaults stringOptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- User
Attr string - LDAP attribute representing the username.
- User
Classes string - LDAP objectClasses for users (comma-separated).
- Verify bool
- Verify LDAP server SSL certificate.
- Base
Dn string - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- Realm string
- Realm identifier (e.g., 'example.com').
- Server1 string
- Primary LDAP server hostname or IP address.
- Bind
Dn string - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- Bind
Password string - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- Ca
Path string - Path to CA certificate file for SSL verification.
- Case
Sensitive bool - Enable case-sensitive username matching.
- Cert
Key stringPath - Path to client certificate key.
- Cert
Path string - Path to client certificate for SSL authentication.
- Comment string
- Description of the realm.
- Default bool
- Use this realm as the default for login.
- Filter string
- LDAP filter for user searches.
- Group
Classes string - LDAP objectClasses for groups (comma-separated).
- Group
Dn string - LDAP base DN for group searches.
- Group
Filter string - LDAP filter for group searches.
- Group
Name stringAttr - LDAP attribute representing the group name.
- Mode string
- LDAP connection mode (ldap, ldaps, ldap+starttls).
- Port int
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- Secure bool
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP.
- Server2 string
- Fallback LDAP server hostname or IP address.
- Ssl
Version string - SSL/TLS version (tlsv1, tlsv11, tlsv12, tlsv1_3).
- Sync
Attributes string - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- Sync
Defaults stringOptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- User
Attr string - LDAP attribute representing the username.
- User
Classes string - LDAP objectClasses for users (comma-separated).
- Verify bool
- Verify LDAP server SSL certificate.
- base
Dn String - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- realm String
- Realm identifier (e.g., 'example.com').
- server1 String
- Primary LDAP server hostname or IP address.
- bind
Dn String - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- bind
Password String - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- ca
Path String - Path to CA certificate file for SSL verification.
- case
Sensitive Boolean - Enable case-sensitive username matching.
- cert
Key StringPath - Path to client certificate key.
- cert
Path String - Path to client certificate for SSL authentication.
- comment String
- Description of the realm.
- default_ Boolean
- Use this realm as the default for login.
- filter String
- LDAP filter for user searches.
- group
Classes String - LDAP objectClasses for groups (comma-separated).
- group
Dn String - LDAP base DN for group searches.
- group
Filter String - LDAP filter for group searches.
- group
Name StringAttr - LDAP attribute representing the group name.
- mode String
- LDAP connection mode (ldap, ldaps, ldap+starttls).
- port Integer
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- secure Boolean
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP.
- server2 String
- Fallback LDAP server hostname or IP address.
- ssl
Version String - SSL/TLS version (tlsv1, tlsv11, tlsv12, tlsv1_3).
- sync
Attributes String - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- sync
Defaults StringOptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- user
Attr String - LDAP attribute representing the username.
- user
Classes String - LDAP objectClasses for users (comma-separated).
- verify Boolean
- Verify LDAP server SSL certificate.
- base
Dn string - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- realm string
- Realm identifier (e.g., 'example.com').
- server1 string
- Primary LDAP server hostname or IP address.
- bind
Dn string - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- bind
Password string - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- ca
Path string - Path to CA certificate file for SSL verification.
- case
Sensitive boolean - Enable case-sensitive username matching.
- cert
Key stringPath - Path to client certificate key.
- cert
Path string - Path to client certificate for SSL authentication.
- comment string
- Description of the realm.
- default boolean
- Use this realm as the default for login.
- filter string
- LDAP filter for user searches.
- group
Classes string - LDAP objectClasses for groups (comma-separated).
- group
Dn string - LDAP base DN for group searches.
- group
Filter string - LDAP filter for group searches.
- group
Name stringAttr - LDAP attribute representing the group name.
- mode string
- LDAP connection mode (ldap, ldaps, ldap+starttls).
- port number
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- secure boolean
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP.
- server2 string
- Fallback LDAP server hostname or IP address.
- ssl
Version string - SSL/TLS version (tlsv1, tlsv11, tlsv12, tlsv1_3).
- sync
Attributes string - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- sync
Defaults stringOptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- user
Attr string - LDAP attribute representing the username.
- user
Classes string - LDAP objectClasses for users (comma-separated).
- verify boolean
- Verify LDAP server SSL certificate.
- base_
dn str - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- realm str
- Realm identifier (e.g., 'example.com').
- server1 str
- Primary LDAP server hostname or IP address.
- bind_
dn str - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- bind_
password str - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- ca_
path str - Path to CA certificate file for SSL verification.
- case_
sensitive bool - Enable case-sensitive username matching.
- cert_
key_ strpath - Path to client certificate key.
- cert_
path str - Path to client certificate for SSL authentication.
- comment str
- Description of the realm.
- default bool
- Use this realm as the default for login.
- filter str
- LDAP filter for user searches.
- group_
classes str - LDAP objectClasses for groups (comma-separated).
- group_
dn str - LDAP base DN for group searches.
- group_
filter str - LDAP filter for group searches.
- group_
name_ strattr - LDAP attribute representing the group name.
- mode str
- LDAP connection mode (ldap, ldaps, ldap+starttls).
- port int
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- secure bool
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP.
- server2 str
- Fallback LDAP server hostname or IP address.
- ssl_
version str - SSL/TLS version (tlsv1, tlsv11, tlsv12, tlsv1_3).
- sync_
attributes str - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- sync_
defaults_ stroptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- user_
attr str - LDAP attribute representing the username.
- user_
classes str - LDAP objectClasses for users (comma-separated).
- verify bool
- Verify LDAP server SSL certificate.
- base
Dn String - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- realm String
- Realm identifier (e.g., 'example.com').
- server1 String
- Primary LDAP server hostname or IP address.
- bind
Dn String - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- bind
Password String - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- ca
Path String - Path to CA certificate file for SSL verification.
- case
Sensitive Boolean - Enable case-sensitive username matching.
- cert
Key StringPath - Path to client certificate key.
- cert
Path String - Path to client certificate for SSL authentication.
- comment String
- Description of the realm.
- default Boolean
- Use this realm as the default for login.
- filter String
- LDAP filter for user searches.
- group
Classes String - LDAP objectClasses for groups (comma-separated).
- group
Dn String - LDAP base DN for group searches.
- group
Filter String - LDAP filter for group searches.
- group
Name StringAttr - LDAP attribute representing the group name.
- mode String
- LDAP connection mode (ldap, ldaps, ldap+starttls).
- port Number
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- secure Boolean
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP.
- server2 String
- Fallback LDAP server hostname or IP address.
- ssl
Version String - SSL/TLS version (tlsv1, tlsv11, tlsv12, tlsv1_3).
- sync
Attributes String - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- sync
Defaults StringOptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- user
Attr String - LDAP attribute representing the username.
- user
Classes String - LDAP objectClasses for users (comma-separated).
- verify Boolean
- Verify LDAP server SSL certificate.
Outputs
All input properties are implicitly available as output properties. Additionally, the Ldap resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Ldap Resource
Get an existing Ldap resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: LdapState, opts?: CustomResourceOptions): Ldap
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
base_dn: Optional[str] = None,
bind_dn: Optional[str] = None,
bind_password: Optional[str] = None,
ca_path: Optional[str] = None,
case_sensitive: Optional[bool] = None,
cert_key_path: Optional[str] = None,
cert_path: Optional[str] = None,
comment: Optional[str] = None,
default: Optional[bool] = None,
filter: Optional[str] = None,
group_classes: Optional[str] = None,
group_dn: Optional[str] = None,
group_filter: Optional[str] = None,
group_name_attr: Optional[str] = None,
mode: Optional[str] = None,
port: Optional[int] = None,
realm: Optional[str] = None,
secure: Optional[bool] = None,
server1: Optional[str] = None,
server2: Optional[str] = None,
ssl_version: Optional[str] = None,
sync_attributes: Optional[str] = None,
sync_defaults_options: Optional[str] = None,
user_attr: Optional[str] = None,
user_classes: Optional[str] = None,
verify: Optional[bool] = None) -> Ldap
func GetLdap(ctx *Context, name string, id IDInput, state *LdapState, opts ...ResourceOption) (*Ldap, error)
public static Ldap Get(string name, Input<string> id, LdapState? state, CustomResourceOptions? opts = null)
public static Ldap get(String name, Output<String> id, LdapState state, CustomResourceOptions options)
resources:
  _:
    type: proxmoxve:realm:Ldap
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Base
Dn string - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- Bind
Dn string - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- Bind
Password string - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- Ca
Path string - Path to CA certificate file for SSL verification.
- Case
Sensitive bool - Enable case-sensitive username matching.
- Cert
Key stringPath - Path to client certificate key.
- Cert
Path string - Path to client certificate for SSL authentication.
- Comment string
- Description of the realm.
- Default bool
- Use this realm as the default for login.
- Filter string
- LDAP filter for user searches.
- Group
Classes string - LDAP objectClasses for groups (comma-separated).
- Group
Dn string - LDAP base DN for group searches.
- Group
Filter string - LDAP filter for group searches.
- Group
Name stringAttr - LDAP attribute representing the group name.
- Mode string
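- LDAP connection mode (ldap, ldaps, ldap+starttls). Plain ldap sends the bind password and user credentials unencrypted; use ldaps or ldap+starttls together with certificate verification (Verify) outside of test setups.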
- Port int
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- Realm string
- Realm identifier (e.g., 'example.com').
- Secure bool
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP. Proxmox VE marks this option as deprecated in favor of Mode, which also covers ldap+starttls.
- Server1 string
- Primary LDAP server hostname or IP address.
- Server2 string
- Fallback LDAP server hostname or IP address.
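- SslVersion string
- SSL/TLS version (tlsv1, tlsv1_1, tlsv1_2, tlsv1_3). TLS 1.0 and 1.1 are deprecated (RFC 8996); choose tlsv1_2 or tlsv1_3 unless the directory server cannot negotiate them.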
- Sync
Attributes string - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- Sync
Defaults stringOptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- User
Attr string - LDAP attribute representing the username.
- User
Classes string - LDAP objectClasses for users (comma-separated).
- Verify bool
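- Verify LDAP server SSL certificate. Without verification the TLS session is encrypted but the server is not authenticated, so a host impersonating the directory can receive the bind password and user logins; enable it and set CaPath to the issuing CA if the host does not already trust it.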
- Base
Dn string - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- Bind
Dn string - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- Bind
Password string - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- Ca
Path string - Path to CA certificate file for SSL verification.
- Case
Sensitive bool - Enable case-sensitive username matching.
- Cert
Key stringPath - Path to client certificate key.
- Cert
Path string - Path to client certificate for SSL authentication.
- Comment string
- Description of the realm.
- Default bool
- Use this realm as the default for login.
- Filter string
- LDAP filter for user searches.
- Group
Classes string - LDAP objectClasses for groups (comma-separated).
- Group
Dn string - LDAP base DN for group searches.
- Group
Filter string - LDAP filter for group searches.
- Group
Name stringAttr - LDAP attribute representing the group name.
- Mode string
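- LDAP connection mode (ldap, ldaps, ldap+starttls). Plain ldap sends the bind password and user credentials unencrypted; use ldaps or ldap+starttls together with certificate verification (Verify) outside of test setups.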
- Port int
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- Realm string
- Realm identifier (e.g., 'example.com').
- Secure bool
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP. Proxmox VE marks this option as deprecated in favor of Mode, which also covers ldap+starttls.
- Server1 string
- Primary LDAP server hostname or IP address.
- Server2 string
- Fallback LDAP server hostname or IP address.
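- SslVersion string
- SSL/TLS version (tlsv1, tlsv1_1, tlsv1_2, tlsv1_3). TLS 1.0 and 1.1 are deprecated (RFC 8996); choose tlsv1_2 or tlsv1_3 unless the directory server cannot negotiate them.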
- Sync
Attributes string - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- Sync
Defaults stringOptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- User
Attr string - LDAP attribute representing the username.
- User
Classes string - LDAP objectClasses for users (comma-separated).
- Verify bool
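- Verify LDAP server SSL certificate. Without verification the TLS session is encrypted but the server is not authenticated, so a host impersonating the directory can receive the bind password and user logins; enable it and set CaPath to the issuing CA if the host does not already trust it.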
- base
Dn String - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- bind
Dn String - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- bind
Password String - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- ca
Path String - Path to CA certificate file for SSL verification.
- case
Sensitive Boolean - Enable case-sensitive username matching.
- cert
Key StringPath - Path to client certificate key.
- cert
Path String - Path to client certificate for SSL authentication.
- comment String
- Description of the realm.
- default_ Boolean
- Use this realm as the default for login.
- filter String
- LDAP filter for user searches.
- group
Classes String - LDAP objectClasses for groups (comma-separated).
- group
Dn String - LDAP base DN for group searches.
- group
Filter String - LDAP filter for group searches.
- group
Name StringAttr - LDAP attribute representing the group name.
- mode String
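- LDAP connection mode (ldap, ldaps, ldap+starttls). Plain ldap sends the bind password and user credentials unencrypted; use ldaps or ldap+starttls together with certificate verification (verify) outside of test setups.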
- port Integer
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- realm String
- Realm identifier (e.g., 'example.com').
- secure Boolean
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP. Proxmox VE marks this option as deprecated in favor of mode, which also covers ldap+starttls.
- server1 String
- Primary LDAP server hostname or IP address.
- server2 String
- Fallback LDAP server hostname or IP address.
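- sslVersion String
- SSL/TLS version (tlsv1, tlsv1_1, tlsv1_2, tlsv1_3). TLS 1.0 and 1.1 are deprecated (RFC 8996); choose tlsv1_2 or tlsv1_3 unless the directory server cannot negotiate them.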
- sync
Attributes String - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- sync
Defaults StringOptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- user
Attr String - LDAP attribute representing the username.
- user
Classes String - LDAP objectClasses for users (comma-separated).
- verify Boolean
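- Verify LDAP server SSL certificate. Without verification the TLS session is encrypted but the server is not authenticated, so a host impersonating the directory can receive the bind password and user logins; enable it and set caPath to the issuing CA if the host does not already trust it.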
- base
Dn string - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- bind
Dn string - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- bind
Password string - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- ca
Path string - Path to CA certificate file for SSL verification.
- case
Sensitive boolean - Enable case-sensitive username matching.
- cert
Key stringPath - Path to client certificate key.
- cert
Path string - Path to client certificate for SSL authentication.
- comment string
- Description of the realm.
- default boolean
- Use this realm as the default for login.
- filter string
- LDAP filter for user searches.
- group
Classes string - LDAP objectClasses for groups (comma-separated).
- group
Dn string - LDAP base DN for group searches.
- group
Filter string - LDAP filter for group searches.
- group
Name stringAttr - LDAP attribute representing the group name.
- mode string
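- LDAP connection mode (ldap, ldaps, ldap+starttls). Plain ldap sends the bind password and user credentials unencrypted; use ldaps or ldap+starttls together with certificate verification (verify) outside of test setups.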
- port number
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- realm string
- Realm identifier (e.g., 'example.com').
- secure boolean
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP. Proxmox VE marks this option as deprecated in favor of mode, which also covers ldap+starttls.
- server1 string
- Primary LDAP server hostname or IP address.
- server2 string
- Fallback LDAP server hostname or IP address.
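- sslVersion string
- SSL/TLS version (tlsv1, tlsv1_1, tlsv1_2, tlsv1_3). TLS 1.0 and 1.1 are deprecated (RFC 8996); choose tlsv1_2 or tlsv1_3 unless the directory server cannot negotiate them.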
- sync
Attributes string - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- sync
Defaults stringOptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- user
Attr string - LDAP attribute representing the username.
- user
Classes string - LDAP objectClasses for users (comma-separated).
- verify boolean
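- Verify LDAP server SSL certificate. Without verification the TLS session is encrypted but the server is not authenticated, so a host impersonating the directory can receive the bind password and user logins; enable it and set caPath to the issuing CA if the host does not already trust it.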
- base_
dn str - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- bind_
dn str - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- bind_
password str - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- ca_
path str - Path to CA certificate file for SSL verification.
- case_
sensitive bool - Enable case-sensitive username matching.
- cert_
key_ strpath - Path to client certificate key.
- cert_
path str - Path to client certificate for SSL authentication.
- comment str
- Description of the realm.
- default bool
- Use this realm as the default for login.
- filter str
- LDAP filter for user searches.
- group_
classes str - LDAP objectClasses for groups (comma-separated).
- group_
dn str - LDAP base DN for group searches.
- group_
filter str - LDAP filter for group searches.
- group_
name_ strattr - LDAP attribute representing the group name.
- mode str
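- LDAP connection mode (ldap, ldaps, ldap+starttls). Plain ldap sends the bind password and user credentials unencrypted; use ldaps or ldap+starttls together with certificate verification (verify) outside of test setups.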
- port int
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- realm str
- Realm identifier (e.g., 'example.com').
- secure bool
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP. Proxmox VE marks this option as deprecated in favor of mode, which also covers ldap+starttls.
- server1 str
- Primary LDAP server hostname or IP address.
- server2 str
- Fallback LDAP server hostname or IP address.
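- ssl_version str
- SSL/TLS version (tlsv1, tlsv1_1, tlsv1_2, tlsv1_3). TLS 1.0 and 1.1 are deprecated (RFC 8996); choose tlsv1_2 or tlsv1_3 unless the directory server cannot negotiate them.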
- sync_
attributes str - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- sync_
defaults_ stroptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- user_
attr str - LDAP attribute representing the username.
- user_
classes str - LDAP objectClasses for users (comma-separated).
- verify bool
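- Verify LDAP server SSL certificate. Without verification the TLS session is encrypted but the server is not authenticated, so a host impersonating the directory can receive the bind password and user logins; enable it and set ca_path to the issuing CA if the host does not already trust it.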
- base
Dn String - LDAP base DN for user searches (e.g., 'ou=users,dc=example,dc=com').
- bind
Dn String - LDAP bind DN for authentication (e.g., 'cn=admin,dc=example,dc=com').
- bind
Password String - Password for the bind DN. Note: stored in Proxmox but not returned by API.
- ca
Path String - Path to CA certificate file for SSL verification.
- case
Sensitive Boolean - Enable case-sensitive username matching.
- cert
Key StringPath - Path to client certificate key.
- cert
Path String - Path to client certificate for SSL authentication.
- comment String
- Description of the realm.
- default Boolean
- Use this realm as the default for login.
- filter String
- LDAP filter for user searches.
- group
Classes String - LDAP objectClasses for groups (comma-separated).
- group
Dn String - LDAP base DN for group searches.
- group
Filter String - LDAP filter for group searches.
- group
Name StringAttr - LDAP attribute representing the group name.
- mode String
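- LDAP connection mode (ldap, ldaps, ldap+starttls). Plain ldap sends the bind password and user credentials unencrypted; use ldaps or ldap+starttls together with certificate verification (verify) outside of test setups.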
- port Number
- LDAP server port. Default: 389 (LDAP) or 636 (LDAPS).
- realm String
- Realm identifier (e.g., 'example.com').
- secure Boolean
- Use LDAPS (LDAP over SSL/TLS) instead of plain LDAP. Proxmox VE marks this option as deprecated in favor of mode, which also covers ldap+starttls.
- server1 String
- Primary LDAP server hostname or IP address.
- server2 String
- Fallback LDAP server hostname or IP address.
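- sslVersion String
- SSL/TLS version (tlsv1, tlsv1_1, tlsv1_2, tlsv1_3). TLS 1.0 and 1.1 are deprecated (RFC 8996); choose tlsv1_2 or tlsv1_3 unless the directory server cannot negotiate them.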
- sync
Attributes String - Comma-separated list of attributes to sync (e.g., 'email=mail,firstname=givenName').
- sync
Defaults StringOptions - Default synchronization options. Format: comma-separated 'key=value' pairs. Valid keys: 'scope' (users/groups/both), 'enable-new' (1/0), 'remove-vanished' (semicolon-separated: entry/acl/properties), 'full' (deprecated), 'purge' (deprecated). Example: 'scope=users,enable-new=1,remove-vanished=entry;acl'.
- user
Attr String - LDAP attribute representing the username.
- user
Classes String - LDAP objectClasses for users (comma-separated).
- verify Boolean
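- Verify LDAP server SSL certificate. Without verification the TLS session is encrypted but the server is not authenticated, so a host impersonating the directory can receive the bind password and user logins; enable it and set caPath to the issuing CA if the host does not already trust it.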
Package Details
- Repository
- proxmoxve muhlba91/pulumi-proxmoxve
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the proxmox Terraform Provider.
