LDAP Plugin with openLDAP

  • Fernando Gietz Developer
    last edited by Apr 5, 2019, 2:39 PM

    Hi @antonionardella ,

    OK, the error is normal XD. I see two ways to solve your case:

    1. Don't use admin groups, so all users are administrators; later you can restrict the access to the web UI using the AccessControl plugin.

    2. Make a small change in your code:

            /**
             * Only one entry
             */
            $entries = $this->get_entries($result);
            /**
             * Pull out the user dn
             */
            $userDN = $entries[0]['dn'];
            /**
             * If use group match is used, get access level,
             * otherwise group scanning isn't used. Assume all
             * are admins.
             */
            if ($useGroupMatch) {
                $accessLevel = $this->_getAccessLevel($grpMemAttr, $userDN);
            } else {
                $accessLevel = 2;
            }
    

    Change line 541 in the ldap.class.php file to:

            /**
             * Only one entry
             */
            $entries = $this->get_entries($result);
            /**
             * Pull out the user dn
             */
            // $userDN = $entries[0]['dn'];
            $userDN = $user;
            /**
             * If use group match is used, get access level,
             * otherwise group scanning isn't used. Assume all
             * are admins.
             */
            if ($useGroupMatch) {
                $accessLevel = $this->_getAccessLevel($grpMemAttr, $userDN);
            } else {
                $accessLevel = 2;
            }
    
    

    I prefer the first one.

    • antonionardella
      last edited by Apr 5, 2019, 3:54 PM

      Hi @Fernando-Gietz, I am terribly sorry, but making everyone an admin does not look like an option.
      It’s less about the web UI access, but more about restricting users (see students) from deploying random images to the systems and breaking things or activating licenses of pre-imaged software.

      What if the group would be called dsp, is it in no way possible to limit the access only to this group here?
      What is the issue exactly?

      Thank you for your time.

      Ciao,
      Antonio

      • Fernando Gietz Developer @antonionardella
        last edited by Fernando Gietz Apr 5, 2019, 10:12 AM Apr 5, 2019, 4:11 PM

        @antonionardella said in LDAP Plugin with openLDAP:

        Hi @Fernando-Gietz, I am terribly sorry, but making everyone an admin does not look like an option.
        It’s less about the web UI access, but more about restricting users (see students) from deploying random images to the systems and breaking things or activating licenses of pre-imaged software.

        OK, you are right if you have students in the same LDAP server. Then the second option XD

        What if the group would be called dsp, is it in no way possible to limit the access only to this group here?
        What is the issue exactly?

        The problem is the filter that the code constructs; in your case this filter is bad and doesn't work.

        Bad filter:

        (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=****,dc=***))
        

        Good filter:

        (&(|(name=dsp))(memberuid=dsptest))
        

        To do it well, the $userDN variable value should be dsptest and not uid=dsptest,ou=Users,dc=xxx,dc=xxx. If you make the previously suggested change in the code, $userDN = $user;, the filter should be fine and the validation process works fine for all users.

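Added example, not part of the original posts and not FOG's own code: the bad and good filters above differ only in which value the group's member attribute is compared against. The code below picks the bare login name for `memberuid` and the full DN for `member`/`uniqueMember`, and escapes values per RFC 4515; the function names and the `dc=example,dc=org` suffix are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not FOG's API.

/** Escape a value for use inside an LDAP search filter (RFC 4515). */
function escapeFilterValue(string $value): string
{
    // strtr() with an array does a single pass, so the inserted
    // backslashes are not escaped a second time.
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

/**
 * Build the group-membership filter in the shape shown in the thread.
 * memberUid (RFC 2307 posixGroup) stores bare login names; member and
 * uniqueMember (groupOfNames / groupOfUniqueNames) store full DNs.
 * Assumption: $memberAttr comes from admin configuration, not user input.
 */
function buildGroupFilter(array $groups, string $memberAttr, string $uid, string $userDN): string
{
    $dnValued = ['member', 'uniquemember'];
    $value = in_array(strtolower($memberAttr), $dnValued, true) ? $userDN : $uid;

    $names = '';
    foreach ($groups as $group) {
        $names .= '(name=' . escapeFilterValue($group) . ')';
    }
    return sprintf('(&(|%s)(%s=%s))', $names, $memberAttr, escapeFilterValue($value));
}

// Constructed sample values; the thread masks the real dc components.
$uid = 'dsptest';
$dn  = 'uid=dsptest,ou=Users,dc=example,dc=org';

// posixGroup: compared against the bare uid, as in the "good filter".
echo buildGroupFilter(['dsp'], 'memberuid', $uid, $dn), PHP_EOL;
// groupOfNames: compared against the full DN.
echo buildGroupFilter(['dsp'], 'member', $uid, $dn), PHP_EOL;
// Filter metacharacters in a login name are escaped, not interpreted.
echo buildGroupFilter(['dsp'], 'memberuid', 'x)(name=*', $dn), PHP_EOL;
```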
        • antonionardella
          last edited by antonionardella Apr 8, 2019, 2:43 AM Apr 8, 2019, 8:04 AM

          Hello @Fernando-Gietz,

          thanks for the awesome help and support, it works now as needed.

          Is there something I should be aware of or edit in our openLDAP implementation to make the plugin work correctly without editing the /var/www/[html/]fog/lib/plugin/ldap/class/ldap.class.php file?

          Ciao,
          Antonio
