LDAP Plugin with openLDAP

Fernando Gietz · Apr 5, 2019, 2:39 PM

Ok the erorr is normal XD. I see two ways to solve your case:

Not use admin groups and all users are administrators, later you can restrict the access to the web UI using the AccessControl plugin.
Do a little change in your code:

        /**
         * Only one entry
         */
        $entries = $this->get_entries($result);
        /**
         * Pull out the user dn
         */
        $userDN = $entries[0]['dn'];
        /**
         * If use group match is used, get access level,
         * otherwise group scanning isn't used. Assume all
         * are admins.
         */
        if ($useGroupMatch) {
            $accessLevel = $this->_getAccessLevel($grpMemAttr, $userDN);
        } else {
            $accessLevel = 2;
        }

Change the 541 line in ldap.class.php file to:

        /**
         * Only one entry
         */
        $entries = $this->get_entries($result);
        /**
         * Pull out the user dn
         */
//        $userDN = $entries[0]['dn'];
           $userDN = $user;
        /**
         * If use group match is used, get access level,
         * otherwise group scanning isn't used. Assume all
         * are admins.
         */
        if ($useGroupMatch) {
            $accessLevel = $this->_getAccessLevel($grpMemAttr, $userDN);
        } else {
            $accessLevel = 2;
        }

I prefer the first one

antonionardella · Apr 5, 2019, 3:54 PM

Hi @Fernando-Gietz, I am terribly sorry, but making everyone an admin does not look like an option.
It’s less about the web UI access, but more about restricting users (see students) from deploying random images to the systems and breaking things or activating licenses of pre-imaged software.

What if the group would be called dsp, is it in no way possibile to limit the access only to this group here?
What is the issue exactly?

Thank you for your time.

Ciao,
Antonio

Fernando Gietz · Apr 5, 2019, 4:11 PM

@antonionardella said in LDAP Plugin with openLDAP:

Hi @Fernando-Gietz, I am terribly sorry, but making everyone an admin does not look like an option.
It’s less about the web UI access, but more about restricting users (see students) from deploying random images to the systems and breaking things or activating licenses of pre-imaged software.

OK, you are right if you have student in the same LDAP server. Then the second option XD

What if the group would be called dsp, is it in no way possibile to limit the access only to this group here?
What is the issue exactly?

the problem is the filter that the code construct, in your case this filter is bad and doesn t work.

Bad filter:

(&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=****,dc=***))

Good filter:

(&(|(name=dsp))(memberuid=dsptest))

To do it well, the $userDN variable value should be dsptest and not uid=dsptest,ou=Users,dc=xxx,dc=xxx. If you do the previous suggested change in the code, $userDN = $user;, the filter should be fine and the validation proccess works fine for all users.

antonionardella · Apr 8, 2019, 2:43 AM

Hello @Fernando-Gietz,

thanks for the awesome help and support, it works now as needed.

Is there something I should be aware or edit in our openLDAP implementation to make the plugin work correctly without editing the /var/www/[html/]fog/lib/plugin/ldap/class/ldap.class.php file?

Ciao,
Antonio

LDAP Plugin with openLDAP

181

12.0k

17.3k

155.2k