FOG LDAP plugin
-
FOG 1.5.4
Centos 7As a security/accountability measure, we would like to incorporate LDAP/AD Authentication to the FOG GUI. I am having a hard time getting it to work. Besides filling out the LDAP setup, is there another step to allow LDAP authentication?
Please see below for a sanitized version of what my LDAP setup looks like.
As always, thanks for the help!
-
Have you tried port 389 for LDAP Server Port?
-
@JGallo Yes, sorry I forgot to mention that. My colleague mentioned the 636 is the one he wants me to use, but I did try both.
-
I use the LDAP plugin without problems.
The Bind DN filed, is correct? you need setup it with the user which have permissions to read the LDAP server -
@fernando-gietz Does the built in Domain Admin have such permissions? That’s the account I am using.
-
@fry_p said in FOG LDAP plugin:
Does the built in Domain Admin have such permissions? That’s the account I am using.
The user that I use in the plugin only has read permissions.
In the Bind DN field I only write the username and not cn=xxx,ou=yyy,dc=zzz -
@fernando-gietz I believe you need the full DN for the field, but I don’t think you need the OU itself.
So you could do:
cn={username},dc={domain},dc={org,com,net} -
@tom-elliott In my case I config the Bind DN as {username}.
-
@fernando-gietz You’re using openldap correct?
-
Jajaja I think so.
-
-
@fernando-gietz I believe I have successfully bound. However, when I try to log in as myself, I see the below error in /var/log/php-fpm/www-error.log
I believe the issue is in my search dn.
I am trying to log in as fry_p. I am a member of the security group “fogusers” in AD. It can be found here:
CN=fogusers,OU=Security Groups,OU=Domain Users,DC=domainhere,DC=orgfry_p is a member of this group.
-
Maybe, the blank space in the OUs?
-
@fernando-gietz Is there a different way in the DN language to designate spaces? I tried single and double quotes but it didn’t stick. In the actual AD structure (much to my chagrin) there are spaces.
-
@fernando-gietz I feel foolish now. This taught me the lesson that I shouldn’t change multiple variables when trying to troubleshoot an issue.
Here is a screen shot of my working config:
I think I had an incorrect group search DN set. When I put the correct DN I also messed around with the Group Member Attribute. I changed it back to sAMAccountName and presto! Thanks for everything boys!
