LDAP Plugins on FOG 1.5.0

Steuve68

Hello All,

In my production environment i use actually FOG 1.4.4 (work fine)
For test i have installed FOG 1.5.0 on Debian 8.4 Jessie

I have any question for the LDAP Plugins:

I have linked my FOG dev server with my Active Directory.
I test authentication with the samAccountname, that’s ok. Work fine.
My account is in the AD group “FOG_Admin”.

But … when i delete my account to the “FOG_Admin” group, i can always logon into FOG …
I think that’s maybe problematic ?

I look on the database on the users tables, and my account it’s always on the table

mysql> select * from users;
+-----+----------+-----------+---------------------+-----------+-------+----------+-----------+-----------+
| uId | uName    | uPass     | uCreateDate         | uCreateBy | uType | uDisplay | uAllowAPI | uAPIToken |
+-----+----------+-----------+---------------------+-----------+-------+----------+-----------+-----------+
|   1 | fog      | encrypted | 2017-01-04 12:48:48 | fog       |     0 |          | 1         |           |
|   2 | FLSH     | encrypted | 2016-04-27 10:50:55 | fog       |     0 |          | 1         |           |
|   7 | p1000261 | encrypted | 2018-02-28 14:44:22 | fog       |   990 |          |           |           |
+-----+----------+-----------+---------------------+-----------+-------+----------+-----------+-----------+
3 rows in set (0.00 sec)

uId 7 with uName (p1000261) it’s my AD account.

The LDAP Plugins can’t read and update automatically (on real time) the “users” table on SQL ?

I found that to remove AD users from the database you have to uninstall and reinstall the LDAP plugins.

(or then do it from the command line in the db directly)

Another question, can i use another Active Directory Attribute (not the samAccountname) but the “mail” attribut ?
I have test, but not working.

Thanks for all answers.

(sorry for my english, i’m french)

Steuve68

… For my 2nd question (use another AD Attribut) …
I have test with AD attribut “sn” and “givenName” … it’s work’s fine.

I think the “mail” AD attribut won’t work because FOG does not allow @ in login names.
Can I modify that somewhere for test ?

Thanks

Steuve68

So … OK for login with AD “mail” attribut.
I have make 3 change into:

File: lib/fog/user.class.php

Line 134
Modify this regex:

134             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[.]?[\w0-9]+$/i',

by

134             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[@]?[\w0-9]*[.]?[\w0-9]+$/i',

Line 218
Modify this regex:

218             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[.]?[\w0-9]+$/i',

by

218             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[@]?[\w0-9]*[.]?[\w0-9]+$/i',

and into

File: lib/plugins/ldap/class/ldap.class.php

Line 258
Modify this regex:

258            '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[.]?[\w0-9]+$/i',

by

258             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[@]?[\w0-9]*[.]?[\w0-9]+$/i',

and for verify, i look into DB:

mysql> select * from users;
+-----+-----------------------+--------------------------------------------------------------+---------------------+-----------+-------+----------+-----------+-----------+
| uId | uName                 | uPass      | uCreateDate         | uCreateBy | uType | uDisplay | uAllowAPI | uAPIToken |
+-----+-----------------------+------------+---------------------+-----------+-------+----------+-----------+-----------+
|   1 | fog                   | encrypted  | 2017-01-04 12:48:48 | fog       |     0 |          | 1         |           |
|   2 | FLSH                  | encrypted  | 2016-04-27 10:50:55 | fog       |     0 |          | 1         |           |
|  21 | fabien.test@test.fr   | encrypted  | 2018-03-07 07:52:52 | fog       |   990 |          |           |           |
|  20 | steve.test@test.fr    | encrypted  | 2018-03-06 08:37:32 | fog       |   990 |          |           |           |
+-----+-----------------------+------------+---------------------+-----------+-------+----------+-----------+-----------+
4 rows in set (0.00 sec)

But always the same problems when i delete my user of my FOG_Admin (group AD) … the deleted user can always login into FOG … the database can’t update.

Thanks

Fernando Gietz

I can try to explain to you how works the plugin

In FOG exists the users table. This tables saves the information of the local users. You can create as users as you need (username, password, …) but these users are “local”, only exists in fog Database. To these users you can asign one of the two roles: Administrator or mobile. If is administrator, then the uType value is 0 (see the fog user entry in the table). If the user is mobile, then the uType is 1.

Well, when you install the LDAP plugin, the script creates a table in the database, LDAPServers. This table has all info of the Authentication Servers (AD servers or LDAP servers). This plugin doesn’t update the users table.

How works the plugin?
Once you have setup the LDAP servers and you logon on the WEBUI, the plugin checks the username and the password in the authentication servers (AD or LDAP) if the credentials are OK, then the plugin creates an entry in the database with the name, password (encrypted) and uType. If the user belongs to Admin Group, then the uType is 990 (take note that the local admin users are 0) and if the user belongs to mobile group, then the uType is 991 (the mobile local users are 1).

When you close the session in the WEBUI, the plugin erases the user entry from the users table. Only the entries with uType = 990, 991 are erased, not the local users.

@steuve68 said in LDAP Plugins on FOG 1.5.0:

The LDAP Plugins can’t read and update automatically (on real time) the “users” table on SQL ?
I found that to remove AD users from the database you have to uninstall and reinstall the LDAP plugins.

When you uninstall the plugin, you delete only the LDAPServer table (I am not very sure but the unistall script doesn’t delete the 990 and 991 users form the users table). When you reinstall the plugin, you only create the LDAPServes table.
The plugin makes a “pasive” sync with the authentication server. If you add an user to admin group in the AD, when the user logs on, the uType will be 990 (admin). If, now, you delete the user from the admin group in the AD, the user can not access to FOG.
If you dont close the session of FOG correctly(from the logoff button, and not close the windows from the X), then the users is not delete from the database.

Fernando Gietz

More info about the LDAP Plugin and FOG 1.5.0:

How to setup Microsoft AD LDAP for FOG 1.5.0~
https://forums.fogproject.org/topic/11531/how-to-setup-microsoft-ad-ldap-for-fog-1-5-0

Steuve68

@fernando-gietz

Hello,

Thanks for your answers !

@Fernando-Gietz said in LDAP Plugins on FOG 1.5.0:
When you close the session in the WEBUI, the plugin erases the user entry from the users table. Only the entries with uType = 990, 991 are erased, not the local users.

That’s what I thought … but it does not work, the user is not removed from the Users table when disconnecting (properly) and that’s why the account can still connect even after removing the group

For trying, i have uninstall LDAP Plugins and update php5-ldap (root@server:~# apt-get install php5-ldap )
And reinstall et re test plugin:

1. My users is on the FOG_Admin group,
2. Login into FOG with mail AD attribute => OK, it’s work
3. Look into the DB with an “select * from users;” and my AD user is in the table => OK (uType 990)
4. Disconnect properly with “Logout” into FOG WEBUI => OK
5. Re-Look immediately after into the DB with “select * from users;” and my AD users is always in the Users table (not deleted as you say)
6. I suppress my AD account to the FOG_Admin group
7. I retry connection with my AD account and I can always connect to FOG WEBUI.
8. I uninstall LDAP Plugin
9. I look into the DB users tables, my AD user is delete (now just FOG local user is in the User table)
10. I try to login into FOG, and now it’s OK, i can’t connect to FOG with AD account because my plugins is uninstall.

I confirm once again, when i Uninstall plugins, the LDAPServer table is well delete and all users (where uType=990/991) is deleted from the Users table.

But … AD Users is not delete of the Users table when you logout properly

Any idea ?

Thanks all !

Tom Elliott

@steuve68 originally the plugin did delete users on logout. Though that functionality was removed as it added a lot of overhead. I don’t know if this was fixed for 1.5, though.

The ldap plugin used to delete 99x users on logout/login attempts for the reasons you’ve pointed out. As it caused a lot more overhead I made it stop doing this. I believe 1,5 works properly even without removing these users though.

The reason logging in with email doesn’t work is because usernames usually work in a domain\user or user@domain. For email this works fine, for domain there’s no way to interprete at the domain level. You might try logging in with email ima Windows machine to prove the point. The domain login will change to whatever is after your @ symbol.

Steuve68

@Tom-Elliott Thanks for answers !

Effectivly, after more test, the plugins LDAP in FOG 1.5.0 (Official … not in RC) don’t delete users AD in Users table.
That’s why if we delete my users of the FOG_Admin group it can always login.

I do not really understand how synchronization works, because if I change to test the password in AD of a user who is already in the Users table, the plugin manages to update it in the SQL table and connect with the new password work fine … this proves that a synchronization is done “correctly”.
but when deleting the user in the group he can not do it … synchro. is not good.

For login with the “mail” AD attribut it’s work only if i change regex into the 2 files:
lib/fog/user.class.php
lib/plugins/ldap/class/ldap.class.php

If i don’t change that, login with the mail Attribut don’t work.

I need login with mail AD attribut, because in my institution all application linked with AD or LDAP (with CAS authentication) use the mail for login.
The sAMAccountName is just the “registration number” and not very friendly for users.
All my computer client linked into my ad domain login with adress mail.

Thanks a lot for your help

nextechinc

@tom-elliott

I only dug into the source a little bit, but I’ve noticed a couple problems with the way the LDAP plugin works. Initially I was trying to test removal of my account from the “Admin Group” but since I had logged in successfully while I was still a member of the group, I was still granted access to the dashboard. The error log reported that I should not have been allowed access, but I was still able to log in.

Additionally, after changing my password in Active Directory, I was still able to log in with my old password.

In either of these cases, removing access for a user who has previously logged in, would require manually removing their account from the database.

Tom Elliott

@steuve68 What I’m saying is, while you’ve made a workaround, this is not a “normal” behaviour.

The idea of using email in any username dealing with AD logins just will not work, normally. I’m not saying you didn’t find a way to do it. When windows logs in, if you add the @<domain.com> it changes the domain it will be logging in to.

By allowing “email” login, as you’re doing it, could cause unexpected things to occur.

Tom Elliott

@nextechinc If you have any suggestions on how to fix, or where the problems are occurring, please let me know. I don’t have an AD server anymore, (though I could set one up), and am working on other things. While I’m sure I could get to fixing this, if you already noticed it, any help would be greatly appreciated.

Steuve68

We could possibly do a .sql script that removes AD users from the Users table, for example:

mysql> use fog;
mysql> delete from users where uType = '990' or uType = '991';

We could put it in a crontab and run it at regular intervals

It’s probably a little oldschool but it could work no?

Tom Elliott

@steuve68 we used to do that verything. On every login remove all ldap users. We removed that functionality to limit read / write cycles. While I understand this is a very simple method to get the same action you’re expecting, I think we can actually do it without removing the users. I just time to review.

Tom Elliott

@steuve68 and a cleaner SQL might be:

Delete from users where uType in ('990','991');

Steuve68

@tom-elliott yes thanks ! i’m not very very good in sql !

I can try to put this request to logout WEBUI pending a better solution…
In which file could I make this change for try ?

Thank you !

Tom Elliott

So I took a little time today to try to see what was happening. I’m happy to report, at least based on how I could test, that I believe I found a solution.

Please, if either of you could be so kind, install the working-1.5.1 branch of FOG? This should contain the fix for ldap users and authentication without having to delete the users from the database every iteration.

Steuve68

@tom-elliott Hello,

So, i have try to working 1-5-1
FOG 1.5.0.16

Globally it’s OK, it’s works fine !
When i deleted one user of the FOG_Admin group it cannot acces to WEBUI FOG ! (and not deleted to Users table in SQL)
When i change password of one AD users (into group FOG_Admin) it cannot acces to WEBUI with old password => Work fine with the new password

I have look 2 “problems” (not verify important but … it might be interesting)

1. The news LDAP Plugins don’t work with group nesting (a group into a group) per example:

if i add into FOG_Admin just another group (IT_Services per example) with IT services members, no members can acces to WEBUI FOG. If i add individualy user into FOG_Admin, it’s work !

2. If i delete one user into FOG_Admin, he can still log in just once. The second time he can not anymore. Synchronization is ok

Not really really bad but it could be points for improvement

in any case, A BIG THANK YOU

george1421

@steuve68 One other test you should check, is if the FOG Admin changes his/her password. Is that password change seen immediatly by the fog server? I’m only suggesting this based on your #2 point of the one shot after the admin has been removed.

Steuve68

@george1421 Yes, if i change password of one user into FOG_Admin, It change immediatly for connect to FOG WEBUI.