LDAP Plugin with openLDAP

    antonionardella
    last edited by antonionardella Mar 25, 2019, 7:48 AM Mar 25, 2019, 1:47 PM

    Hello,

    first post here.

    I am testing the FOG and openLDAP integration on one of my systems and have an issue with the filters.

    Server

    FOG Version: 1.5.5
    OS: Debian 9
    

    Client

    Service Version:
    OS: N/A
    

    Description
    I’ve added and set up the LDAP plugin, following different posts on the forums. So far I have found only M$ Active Directory configurations and I am not sure what is different with openLDAP.

    • The openLDAP user is named: dsptest
    • The openLDAP group is named: dsp

    Here the sanitized ldapsearch result to have more information about the user dsptest with this query: ldapsearch -x -D "uid=admin,ou=users,dc=example,dc=com" -W -H ldap://<IPADDRESS> -b "dc=example,dc=com" -s sub

    # dsptest, Users, example.com
    dn: uid=dsptest,ou=Users,dc=example,dc=com
    sambaPwdCanChange: 0
    uid: dsptest
    sambaLogoffTime: 2147483647
    givenName: dsptest
    loginShell: /bin/bash
    sambaAcctFlags: [UX]
    uidNumber: 10001
    sambaKickoffTime: 2147483647
    objectClass: posixAccount
    objectClass: top
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    objectClass: sambaSamAccount
    objectClass: person
    gecos: I am a DSP Test
    sambaLogonTime: 0
    sambaPwdMustChange: 2147483647
    sn: dsptest
    sambaHomeDrive: H:
    sambaSID: S-1-5-21-2258386664-3013221354-3332613826-21002
    homeDirectory: /home/dsptest
    displayName: dsptest
    cn: dsptest
    shadowLastChange: 17980
    sambaPwdLastSet: 1553502597
    sambaPrimaryGroupSID: S-1-5-21-2258386664-3013221354-3332613826-2026
    gidNumber: 516
    ou: teachers
    shadowMax: 99999
    

    and the dsp group:

    # dsp, Groups, example.com
    dn: cn=dsp,ou=Groups,dc=example,dc=com
    objectClass: top
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    displayName: dsp
    cn: dsp
    sambaGroupType: 2
    sambaSID: S-1-5-21-2258386664-3013221354-3332613826-2032
    gidNumber: 516
    memberUid: dsptest
    

    Here the sanitized LDAP Server configuration:
    ldapserver.png

    The interesting part is:
    User Name Attribute: uid
    Group Member Attribute: memberuid

    When I go to login to the web portal the apache2 log shows:

    [Mon Mar 25 14:12:41.159898 2019] [proxy_fcgi:error] [pid 11845] [client ::1:48370] AH01071: Got error 'PHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com)); Result: 0\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(name=))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com)); Result: 0\nPHP message: Plugin LDAP::authLDAP() Access level is still 0 or false. No access is allowed!\n', referer: http://localhost/fog/management/index.php
    

    The interesting part is:
    memberuid=uid=dsptest

    I tried to use the proposed filter for an ldapsearch query and I am getting errors.

    Could anyone please be of assistance?

    Thank you,
    Antonio

      Sebastian Roth Moderator
      last edited by Mar 25, 2019, 8:26 PM

      @Fernando-Gietz knows the LDAP plugin best! 🙂

      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        Fernando Gietz Developer
        last edited by Mar 26, 2019, 3:17 PM

        I knew the plugin XD but @Tom-Elliott and @george1421 made a lot of changes to give support to active directory.

        The connection to the openLDAP server works fine but the problem is when the script tries to know if the user belongs to the admin group.

        Well, I am seeing the code and the problem is that the value of the $accessLevel variable is 0. The possible values of this variable are:

             * Sets our default accessLevel to 0.
             * 0 = fail
             * 1 = mobile
             * 2 = admin
        

        If dsp user is in the admin group then the script returns 2.

        This variable changes its value when the code calls the _getAccessLevel($grpMemAttr, $userDN) function. I can suppose that the values of $grpMemAttr and $userDN are:
        $grpMemAttr = memberuid
        $userDN = uid=dsptest,ou=Users,dc=example,dc=com

        With this, the code returns 0 results because the user is not in the admin group or nothing is found with the filter:

        (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com)); Result: 0

        As you haven’t set up the mobile group, the next filter:
        (&(|(name=))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com)); Result: 0
        Then the code returns $accessLevel = 0. If the user is not in the admin group or in the mobile group then the user doesn’t have access.

          Fernando Gietz Developer
          last edited by Mar 26, 2019, 3:21 PM

          You can see the code in /var/www/[html/]fog/lib/plugin/ldap/class/ldap.class.php
          functions: authLDAP() and _getAccessLevel()

            george1421 Moderator @Fernando Gietz
            last edited by Mar 26, 2019, 3:54 PM

            @Fernando-Gietz said in LDAP Plugin with openLDAP:

            |(name=dsp))(memberuid=uid=dsptest

            The issue is with this bit of the query syntax.

            We are doing an or between ‘(name=dsp)’ and ‘)’. There is a missing parameter, the other part of the or test, or there is an extra ‘)’ in that syntax. I really need to count opening and closing parentheses here, but my gut feeling is it’s wrong. As well as the ‘memberuid=uid=dsptest’ test. I haven’t had time to see what changed in the ldap auth module but I’m a bit surprised that it authenticates AD since AD is really picky on the query syntax.

            I’m pretty sure when Tom was debugging my code he was testing against an OpenLDAP server in his dev environment.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

              antonionardella @Fernando Gietz
              last edited by antonionardella Mar 26, 2019, 10:30 AM Mar 26, 2019, 4:28 PM

              @Fernando-Gietz and @george1421

              Hello and thank you for your answers, thing is that the filter is putting

              (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com));
              

              while it should be without =uid and ,ou=Users,dc=example,dc=com like so:

              (&(|(name=dsp))(memberuid=dsptest));
              

              Then I get an output with ldapsearch (see image)
              openldap_filter.png

              I tried to look at the two functions authLDAP() and _getAccessLevel() but I miss enough understanding of PHP to find the extra =uid and ,ou=Users,dc=example,dc=com

              Cheers,
              Antonio

                Fernando Gietz Developer @george1421
                last edited by Mar 26, 2019, 4:31 PM

                @george1421 said in LDAP Plugin with openLDAP:

                @Fernando-Gietz said in LDAP Plugin with openLDAP:

                |(name=dsp))(memberuid=uid=dsptest

                The issue is with this bit of the query syntax.

                We are doing an or between ‘(name=dsp)’ and ‘)’. There is a missing parameter, the other part of the or test, or there is an extra ‘)’ in that syntax. I really need to count opening and closing parentheses here, but my gut feeling is it’s wrong. As well as the ‘memberuid=uid=dsptest’ test. I haven’t had time to see what changed in the ldap auth module but I’m a bit surprised that it authenticates AD since AD is really picky on the query syntax.

                The second parenthesis is necessary because the syntax has a logical operator “|” (|(name=dsp).

                I don’t have openLDAP, I use AD but my filter is:
                (&(|(name=aux.caunivel21))(member=CN=bczxxxx,OU=people,DC=xxxx,DC=xxx,DC=xx))

                And it works fine.

                  antonionardella
                  last edited by Mar 26, 2019, 4:34 PM

                  As soon as I add anything to the filter I get no answer:

                  filter_fog.png

                    Fernando Gietz Developer
                    last edited by Mar 26, 2019, 5:01 PM

                    And if you change the filter to:

                    (&(|(name=dsp))(memberuid=dsptest,ou=Groups,dc=XXXXXX,dc=XXXXX));

                      george1421 Moderator @Fernando Gietz
                      last edited by Mar 26, 2019, 5:45 PM

                      @Fernando-Gietz I’m still a bit baffled on how this query is constructed.

                      For example here is a query syntax I borrowed off the internet.
                      (&(employmentType=*)(!(employmentType=Hired))(!(employmentType=NEW))(!(employmentType=POS))(!(employmentType=REH)))
                      I can understand and read this just fine.

                      This one is still giving me pains.

                      (&(|(name=dsp))(memberuid=dsptest,ou=Groups,dc=XXXXXX,dc=XXXXX));

                      If I’m reading this right you are anding these two search results.

                      (& (|(name=dsp)) <and> (memberuid=dsptest,ou=Groups,dc=XXXXXX,dc=XXXXX) );

                      What is bugging me is this part
                      (|(name=dsp))

                      That floating or in there with nothing to or to. I might expect it to look like this
                      (|(name=dsp)(name=bob)) then <and> it with (memberuid=dsptest,ou=Groups,dc=XXXXXX,dc=XXXXX)

                      Or drop the or so you were just anding (name=dsp) <and> (memberuid=dsptest)

                      I may be totally confused here but that is how I’m reading the search criteria. BUT also it may not be the problem the OP’s having.

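The parentheses question raised in the post above can be settled mechanically. The following Python is an added example, not code from FOG or from any post in this thread: a small parser for the RFC 4515 filter grammar (the &, | and ! sets plus simple attr=value items) that builds a tree from a filter string. It shows that (&(|(name=dsp))(memberuid=dsptest)) is well formed, that an OR set with a single operand is legal, that a DN-valued assertion such as member=CN=...,OU=... keeps the '=' signs inside its value because only the first '=' splits attribute from value, and that the trailing ';' in the apache log line is the log's separator rather than part of the filter.

```python
"""Parse an RFC 4515 LDAP search filter into a small tree.

Added example in Python; it is not code from FOG or from this thread.
It covers '&', '|', '!' and simple 'attr=value' items, which is enough
to check the filters discussed here.
"""
from typing import Any, List, Tuple

# Tree shape: ("&", [children]), ("|", [children]), ("!", child),
# or ("=", attribute, value) for a simple assertion.
Node = Tuple[Any, ...]


def parse_filter(text: str) -> Node:
    """Parse a complete filter; raise ValueError on malformed input."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}: {text[pos:]!r}")
    return node


def _parse(text: str, pos: int) -> Tuple[int, Node]:
    """Parse one parenthesised filter starting at text[pos]."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("unexpected end of filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        children: List[Node] = []
        # RFC 4515 puts no lower bound on the number of operands, so
        # (|(name=dsp)) with a single operand is a legal filter.
        while pos < len(text) and text[pos] == "(":
            pos, child = _parse(text, pos)
            children.append(child)
        node: Node = (op, children)
    elif op == "!":
        pos, child = _parse(text, pos + 1)
        node = ("!", child)
    else:
        # A simple item runs to the next ')'. A literal ')' inside a
        # value must be escaped as \29, so this search is safe.
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unterminated filter item")
        item = text[pos:end]
        if "=" not in item:
            raise ValueError(f"missing '=' in item {item!r}")
        # Split at the first '=' only, so a DN-valued assertion such as
        # member=CN=x,OU=y keeps the '=' signs inside its value.
        # (The ~=, >=, <= forms are not distinguished here.)
        attr, value = item.split("=", 1)
        node = ("=", attr, value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pos + 1, node


def paren_balance(text: str) -> int:
    """Opening minus closing parentheses; 0 for a balanced filter."""
    return text.count("(") - text.count(")")


def is_well_formed(text: str) -> bool:
    """True when the whole string parses as one filter."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for f in ("(&(|(name=dsp))(memberuid=dsptest))",
              "(&(|(name=dsp)(name=bob))(memberuid=dsptest))",
              "(&(|(name=dsp))(memberuid=dsptest));"):
        print(f, "well formed:", is_well_formed(f), "balance:", paren_balance(f))
```

Run it directly to see the three filters from the discussion checked; the second one is the two-operand OR that was expected, and the third fails only because of the ';' copied from the log.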
                        george1421 Moderator @george1421
                        last edited by Mar 26, 2019, 5:56 PM

                        @george1421 Ok after a little googling I’ve found a few things.

                        1. It appears openldap may need to have overlays turned on to enable the memberof function. I’m still not sure about this one. But what I found says that if overlays were turned on before the groups were created then you are ok, if it is turned on after the groups are created you will need to recreate the groups.

                        2. Here is the syntax of an example query ‘(&(objectClass=user)(sAMAccountName=yourUserName) (memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))’ Now this is for AD but the query can be changed to this: (&(objectClass=user)(uid=yourUserName) (memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com)) I don’t have an openldap environment

                        ref: https://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group for both points

                          Fernando Gietz Developer
                          last edited by Fernando Gietz Mar 26, 2019, 12:14 PM Mar 26, 2019, 6:10 PM

                          We can try to debug @antonionardella’s code.

                          Make a copy of the file /var/www/[html/]fog/lib/plugin/ldap/class/ldap.class.php

                          #cp ldap.class.php ldap.class.php.ori

                          Let’s edit the ldap.class.php file at line 628 and insert the following code:

                                  $result = $this->_result($grpSearchDN, $filter, $attr);
                                  //********* DEBUG ********************
                                  var_dump($grpSearchDN, $filter, $attr);
                                  exit;
                                  //************************************
                                  if (false !== $result) {
                                      return 2;
                                  }
                                  /**
                                   * If no record is returned then user is not in the
                                   * admin group. Change the filter and check the mobile
                                   * group for membership.
                                   */

                          The var_dump function will write the values of the variables $grpSearchDN, $filter and $attr in the page of the browser. After doing the changes, go to the validation page, enter the credentials and send us a screenshot.

                          In my case it returns:

                          string(29) "ou=groups,dc=xxxx,dc=xxxx,dc=xxxx" string(77) "(&(|(name=aux.caunivel21))(member=CN=bcxxxx,OU=people,DC=xxxx,DC=xxxx,DC=xxxx))" array(1) { [0]=> string(6) "member" }
                          
                            antonionardella
                            last edited by Mar 27, 2019, 7:20 AM

                            Hello @Fernando-Gietz, on Friday I’ll be working on that system again and let you know.

                            Thanks,
                            Antonio

                              antonionardella @antonionardella
                              last edited by Mar 29, 2019, 4:14 PM

                              @Fernando-Gietz here the result:
                              debug.png

                                Fernando Gietz Developer
                                last edited by Fernando Gietz Mar 29, 2019, 10:27 AM Mar 29, 2019, 4:26 PM

                                Hi @antonionardella ,

                                With this output we can see that the filter is NULL and this is the problem 🙂
                                But the big question is why?

                                Please change the var_dump line to:

                                var_dump($grpSearchDN,$filter,$attr,$adminGroups,$userDN);
                                

                                And paste the output.

                                  antonionardella
                                  last edited by Mar 29, 2019, 4:42 PM

                                  Hi @Fernando-Gietz,

                                  here the output:
                                  debug.png

                                  It’s not working because the filter only works with this query:

                                  (&(|(name=dsp))(memberuid=dsptest));

                                  without ,ou=Users,dc=example,dc=com

                                  as shown here:

                                  @antonionardella said in LDAP Plugin with openLDAP:

                                  @Fernando-Gietz and @george1421

                                  Hello and thank you for your answers, thing is that the filter is putting

                                  (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com));
                                  

                                  while it should be without =uid and ,ou=Users,dc=example,dc=com like so:

                                  (&(|(name=dsp))(memberuid=dsptest));
                                  

                                  Then I get an output with ldapsearch (see image)
                                  openldap_filter.png

                                  I tried to look at the two functions authLDAP() and _getAccessLevel() but I miss enough understanding of PHP to find the extra =uid and ,ou=Users,dc=example,dc=com

                                  Cheers,
                                  Antonio

                                    Fernando Gietz Developer
                                    last edited by Fernando Gietz Mar 29, 2019, 11:08 AM Mar 29, 2019, 5:06 PM

                                    I know, but now the problem is why is the $filter variable NULL? It is strange.

                                            $filter = sprintf(
                                                '(&(|(name=%s))(%s=%s))',
                                                implode(')(name=', (array)$adminGroups),
                                                $grpMemAttr,
                                                $this->escape($userDN, null, LDAP_ESCAPE_FILTER)
                                            );
                                            /**
                                             * The attribute to get.
                                             */
                                            $attr = array($grpMemAttr);
                                            /**
                                             * Read in the attributes
                                             */
                                            $result = $this->_result($grpSearchDN, $filter, $attr);
                                    

                                    Are you sure that the $filter variable is well written in the var_dump() function? XD
                                    The output of this variable must be:

                                    (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=****,dc=***))
                                    

                                    If you change the code to:

                                            $filter = sprintf(
                                                '(&(|(name=%s))(%s=%s))',
                                                implode(')(name=', (array)$adminGroups),
                                                $grpMemAttr,
                                    //            $this->escape($userDN, null, LDAP_ESCAPE_FILTER)
                                                'dsptest'
                                            );
                                            /**
                                             * The attribute to get.
                                             */
                                            $attr = array($grpMemAttr);
                                            /**
                                             * Read in the attributes
                                             */
                                            $result = $this->_result($grpSearchDN, $filter, $attr);
                                            if (false !== $result) {
                                                return 2;
                                            }
                                    

                                    UPDATED

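The following Python rebuilds, as an added example that is not the plugin's own PHP, the access-level check Fernando described earlier (2 = admin, 1 = mobile, 0 = no access) and the sprintf filter shown in the post above, and evaluates it against group entries constructed from the sanitized ldapsearch output at the top of the thread. The DN_VALUED_ATTRS table and the member_value_for() helper are assumptions introduced here: AD's member attribute stores the member's DN, while the posixGroup memberUid attribute stores the bare uid, so the value substituted into the second assertion has to follow the attribute. The in-memory check matches groups on cn rather than evaluating the name assertion, which is also a simplification of this example.

```python
"""Rebuild the FOG LDAP plugin's admin-group check in Python to show why
the generated filter misses an openLDAP posixGroup.

Added example, not the plugin's PHP. The plugin substitutes the escaped
user DN into '(&(|(name=%s))(%s=%s))'; that is right for AD's DN-valued
'member' attribute but not for posixGroup 'memberUid', which holds the
bare uid. GROUPS is constructed from the thread's ldapsearch output.
"""
from typing import Dict, List, Sequence

# Which group-member attributes hold a DN rather than a uid. This table is
# an assumption for the example; the real plugin has no such switch.
DN_VALUED_ATTRS = {"member", "uniquemember"}

# Constructed in-memory directory: the dsp group from the thread plus one
# unrelated group, each as a dict of multi-valued attributes.
GROUPS: List[Dict[str, List[str]]] = [
    {"dn": ["cn=dsp,ou=Groups,dc=example,dc=com"],
     "cn": ["dsp"], "memberUid": ["dsptest"], "gidNumber": ["516"]},
    {"dn": ["cn=staff,ou=Groups,dc=example,dc=com"],
     "cn": ["staff"], "memberUid": ["alice"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, the same job as PHP ldap_escape(..., LDAP_ESCAPE_FILTER).
    Without it a crafted value could add its own assertions to the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def member_value_for(grp_mem_attr: str, user_dn: str, user_uid: str) -> str:
    """Pick the value the membership attribute actually stores (assumption)."""
    return user_dn if grp_mem_attr.lower() in DN_VALUED_ATTRS else user_uid


def build_group_filter(admin_groups: Sequence[str], grp_mem_attr: str,
                       member_value: str) -> str:
    """Mirror of sprintf('(&(|(name=%s))(%s=%s))', implode(')(name=', groups), ...).
    implode turns ['a', 'b'] into 'a)(name=b', giving (|(name=a)(name=b));
    with one group the OR set is (|(name=dsp)), a legal one-operand OR."""
    names = ")(name=".join(escape_filter_value(g) for g in admin_groups)
    return "(&(|(name=%s))(%s=%s))" % (names, grp_mem_attr,
                                       escape_filter_value(member_value))


def find_groups(admin_groups: Sequence[str], grp_mem_attr: str,
                member_value: str) -> List[str]:
    """Evaluate the two conditions the filter expresses against GROUPS:
    cn is one of the admin groups AND the member attribute holds member_value.
    Attribute names and values are compared case-insensitively, as LDAP does."""
    wanted = {g.lower() for g in admin_groups}
    hits = []
    for entry in GROUPS:
        attrs = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
        if (wanted & set(attrs.get("cn", []))
                and member_value.lower() in attrs.get(grp_mem_attr.lower(), [])):
            hits.append(entry["dn"][0])
    return hits


def get_access_level(admin_groups: Sequence[str], mobile_groups: Sequence[str],
                     grp_mem_attr: str, member_value: str) -> int:
    """2 = admin, 1 = mobile, 0 = no access, in the plugin's order of checks."""
    if find_groups(admin_groups, grp_mem_attr, member_value):
        return 2
    if mobile_groups and find_groups(mobile_groups, grp_mem_attr, member_value):
        return 1
    return 0


if __name__ == "__main__":
    user_dn = "uid=dsptest,ou=Users,dc=example,dc=com"
    # As the plugin does today: the DN is substituted into memberUid.
    print(build_group_filter(["dsp"], "memberuid", user_dn))
    print("access level:", get_access_level(["dsp"], [], "memberuid", user_dn))
    # With the value chosen to fit the attribute: the bare uid.
    value = member_value_for("memberuid", user_dn, "dsptest")
    print(build_group_filter(["dsp"], "memberuid", value))
    print("access level:", get_access_level(["dsp"], [], "memberuid", value))
```

The first pair of prints reproduces the filter and the level 0 from the apache log; the second pair gives the filter Antonio verified with ldapsearch and level 2. Replacing the escape call with a hard-coded 'dsptest' as in the post above gets the same result but, as Fernando says, bypasses the escaping that keeps the user-supplied value from altering the filter.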
                                      antonionardella
                                      last edited by Apr 2, 2019, 11:21 AM

                                      Hello @Fernando-Gietz it works using that code!

                                        Fernando Gietz Developer
                                        last edited by Apr 2, 2019, 4:42 PM

                                        I’m glad but we’re cheating 😉

                                        If we erase the last change

                                        $filter = sprintf(
                                                       '(&(|(name=%s))(%s=%s))',
                                                       implode(')(name=', (array)$adminGroups),
                                                       $grpMemAttr,
                                                       $this->escape($userDN, null, LDAP_ESCAPE_FILTER)
                                        );
                                        

                                        And set up the Search Base DN parameter only to dsptest, does it work?

                                          antonionardella
                                          last edited by Apr 5, 2019, 8:52 AM

                                          Hello,

                                          I tried with Search Base DN set to:

                                          • dsptest
                                          • ou=dsptest
                                          • ou=dsptest,dc=example,dc=com
                                          • ou=dsp
                                          • ou=dsp,dc=example,dc=com

                                          with no luck:

                                          [Fri Apr 05 10:10:09.017746 2019] [proxy_fcgi:error] [pid 9652] [client ::1:51122] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: Invalid DN syntax in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: dsptest; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
                                          [Fri Apr 05 10:45:05.644639 2019] [proxy_fcgi:error] [pid 9707] [client ::1:59212] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
                                          [Fri Apr 05 10:45:10.428643 2019] [proxy_fcgi:error] [pid 9681] [client ::1:59270] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php?node=home
                                          [Fri Apr 05 10:46:43.542053 2019] [proxy_fcgi:error] [pid 9652] [client ::1:59972] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
                                          [Fri Apr 05 10:47:32.359197 2019] [proxy_fcgi:error] [pid 9650] [client ::1:60348] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsp; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
                                          [Fri Apr 05 10:48:28.842830 2019] [proxy_fcgi:error] [pid 9648] [client ::1:60670] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsp,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
                                          

                                          Cheers,
                                          Antonio

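The apache log lines quoted in this thread are long and pack several PHP messages into one record. As an added example (Python, not part of FOG), here is a parser for those AH01071 lines; the two sample lines in SAMPLE_LOG are constructed from the excerpts above. It splits the wrapped PHP messages on the literal backslash-n, collects PHP warnings with their file and line, each _result() search with its filter and result count, the Search DN reported by authLDAP() when a search returns false, and flags the login as denied. An empty Result (as in the Invalid DN syntax case) is kept as None to tell a failed ldap_search() apart from one that ran but matched nothing.

```python
"""Extract the useful fields from the FOG LDAP plugin's apache error-log lines.

Added example in Python, not part of FOG. The lines in SAMPLE_LOG are
constructed from the excerpts in this thread. Apache wraps the PHP
messages in one AH01071 record and joins them with a literal backslash-n,
which is what the parser splits on.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = r"""[Mon Mar 25 14:12:41.159898 2019] [proxy_fcgi:error] [pid 11845] [client ::1:48370] AH01071: Got error 'PHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com)); Result: 0\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(name=))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com)); Result: 0\nPHP message: Plugin LDAP::authLDAP() Access level is still 0 or false. No access is allowed!\n', referer: http://localhost/fog/management/index.php
[Fri Apr 05 10:10:09.017746 2019] [proxy_fcgi:error] [pid 9652] [client ::1:51122] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: Invalid DN syntax in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: dsptest; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*?AH01071: Got error '(?P<body>.*)', referer: (?P<referer>\S+)$")
WARNING_RE = re.compile(
    r"PHP Warning:\s+(?P<warning>.+?) in (?P<file>\S+) on line (?P<line>\d+)$")
SEARCH_RE = re.compile(r"_result\(\).*Filter: (?P<filter>.+?); Result:\s*(?P<result>\d*)$")
DENIED_RE = re.compile(
    r"Access level is still 0|Search results returned false(?:\. Search DN: (?P<dn>[^;]+))?")


def parse_line(line: str) -> Optional[Dict]:
    """Return a record for one AH01071 line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict = {"timestamp": m.group("ts"), "referer": m.group("referer"),
                 "warnings": [], "searches": [], "denied": False, "search_dn": None}
    for msg in m.group("body").split("\\n"):
        msg = msg.strip()
        if msg.startswith("PHP message: "):
            msg = msg[len("PHP message: "):]
        if not msg:
            continue
        w = WARNING_RE.search(msg)
        if w:
            rec["warnings"].append({"text": w.group("warning"),
                                    "file": w.group("file"), "line": int(w.group("line"))})
            continue
        s = SEARCH_RE.search(msg)
        if s:
            # Empty Result: ldap_search() itself failed (a warning says why).
            # "0": the search ran and matched no entry.
            count = int(s.group("result")) if s.group("result") else None
            rec["searches"].append({"filter": s.group("filter"), "result": count})
            continue
        d = DENIED_RE.search(msg)
        if d:
            rec["denied"] = True
            rec["search_dn"] = d.group("dn")
    return rec


def parse_log(text: str) -> List[Dict]:
    """Parse every AH01071 line in a log excerpt."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def summarize(records: List[Dict]) -> List[str]:
    """One line per record: when it happened, why it failed, filters tried."""
    out = []
    for r in records:
        if r["warnings"]:
            why = r["warnings"][0]["text"]
        elif r["denied"]:
            why = "access denied"
        else:
            why = "ok"
        out.append(f"{r['timestamp']}: {why}; searches: {len(r['searches'])}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_log(SAMPLE_LOG)):
        print(line)
```

Pointing parse_log() at the real /var/log/apache2/error.log makes the Search DN and filter of each failed attempt easy to compare across the Search Base DN values tried in the post above.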
                                          Copyright © 2012-2024 FOG Project