Interesting that the error here is about missing authentication, are you sure that both address the same AD realm from the same network?

The PDM (and PBS) implementations of our AD realm support try to guess the base-dn parameter from the default naming context that your AD realm uses. If this doesn't match the actual base-dn you want to use this won't work. For now, you should be able to add the realm manually by adding the following to the file /etc/proxmox-datacenter-manager/access/domains.cfg:

ad: SUB.EXAMPLE.ORG
    base-dn DC=sub,DC=examplae,DC=org
    mode ldaps
    server1 FQDN1
    server2 FQDN2
    comment AD authentication

Note that there is no support for case insensitivity for AD/LDAP realms in PDM/PBS yet.

The returned error in the first post use "base_dn".

Yes, due to naming conventions base_dn is used in our Rust code base, but the configuration expects base-dn. I understand this is confusing, though. In the configuration you should use base-dn.

Next, in the "Sync options", when trying to change anything, "Update" button generate the same error with "base_dn":

Yes, every time you try to update something, PDM will try to use the new configuration to query the AD realm. If that doesn't work out, it refuses to update the configuration. This is intended to act as validation for the provided configuration.

Adding AD realm with sub.example.org generate the same error as in the first post, so case insentivity don't matter there now.

Alright, thanks for testing that. Though the capitalization will also matter once we get this to work.

Neither PBS nor PDM allow you to set a base-dn in the UI at all. Instead, they try to ask the AD realm itself for its “default naming context”. If the base-dn isn't the default naming context, you will get the above error. I am currently working on a patch already that should improve the behaviour here. Can you test the following still, though: If you add the realm manually by adding it into the domains.cfg, as outlined above, and try to do a sync (ideally with “Preview only” enabled), what error do you get?

With manual "base-dn" configuration and any change in the "Sync Options"

api error (status = 400: Could not search LDAP realm, base_dn could be incorrect: LDAP operation result: rc=1 (operationsError), dn: "", text: "00002020: Operation unavailable without authentication": rc=1 (operationsError), dn: "", text: "00002020: Operation unavailable without authentication")

Btw, i don't se any "Preview only" element.

Are you triggering that error by editing the realm through the UI? Please don't edit the realm through the UI. Instead, add the realm as intended to the file /etc/proxmox-datacenter-manager/access/domains.cfg. Then use the “Sync” Button in the UI under Configuration > Access Control > Realms. A dialog should open and there you should see a checkbox with the label “Preview Only”.

00002020: Operation unavailable without authentication

This still indicates that you do need to be authenticated to use this AD realm. So are you sure this exact AD realm can be used without a bind domain name and password?

"Sync" via gui Realms failing - unedited error message:

Alright, that means for the settings you are providing your AD realm expects some kind of authentication:

00002020: Operation unavailable without authentication

Can you tell me the differences between your PVE and PDM AD realm exactly?

Plus, when adding user with AD realm via GUI, it requires password in the input fields.

Yes, currently a bind-dn is only supported in combination with a bind password. Are you using a bind-dn in Proxmox VE?

Note that there is no support for case insensitivity for AD/LDAP realms in PDM/PBS yet.

Hi, is there some timeline for that? we have a lot of users from AD with different cases and we starting using PDM now.

Thanks for the notice, I'll see if I can take another look there. Sorry for the inconvenience.