• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    LDAP Plugin with openLDAP

    Scheduled Pinned Locked Moved
    General Problems
    4
    24
    3.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      Fernando Gietz Developer
      last edited by Fernando Gietz

      Hi @antonionardella ,

      With this output we can see that the filter is NULL and this is the problem 🙂
      But the big question is why?

      Please change the var_dump line with:

      var_dump($grpSearchDN,$filter,$attr,$adminGroups,$userDN);
      

      And paste the output.

      1 Reply Last reply Reply Quote 0
      • A
        antonionardella
        last edited by

        Hi @Fernando-Gietz,

        here the output:
        debug.png

        It’s not working because the filter only works with this query:

        (&(|(name=dsp))(memberuid=dsptest));

        without ,ou=Users,dc=example,dc=com

        as shown here:

        @antonionardella said in LDAP Plugin with openLDAP:

        @Fernando-Gietz and @george1421

        Hello and thank you for your answers, thing is that the filter is putting

        (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com));
        

        while it should be without =uid and ,ou=Users,dc=example,dc=com like so:

        (&(|(name=dsp))(memberuid=dsptest));
        

        Then I get an output with ldapsearch (see image)
        openldap_filter.png

        I tried to look at the two functions authLDAP() and _getAccessLevel() but I miss enough understanding of PHP to find the extra =uid and ,ou=Users,dc=example,dc=com

        Cheers,
        Antonio

        1 Reply Last reply Reply Quote 0
        • F
          Fernando Gietz Developer
          last edited by Fernando Gietz

          I know but now the problem is why is the $filter variable NULL? is strange.

                  $filter = sprintf(
                      '(&(|(name=%s))(%s=%s))',
                      implode(')(name=', (array)$adminGroups),
                      $grpMemAttr,
                      $this->escape($userDN, null, LDAP_ESCAPE_FILTER)
                  );
                  /**
                   * The attribute to get.
                   */
                  $attr = array($grpMemAttr);
                  /**
                   * Read in the attributes
                   */
                  $result = $this->_result($grpSearchDN, $filter, $attr);
          

          Are you sure that the $filter variable is well write in the var_dump() function? XD
          The output of this variable must be:

          (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=****,dc=***))'
          

          If you change the code to:

                  $filter = sprintf(
                      '(&(|(name=%s))(%s=%s))',
                      implode(')(name=', (array)$adminGroups),
                      $grpMemAttr,
          //            $this->escape($userDN, null, LDAP_ESCAPE_FILTER)
                      'dsptest'
                  );
                  /**
                   * The attribute to get.
                   */
                  $attr = array($grpMemAttr);
                  /**
                   * Read in the attributes
                   */
                  $result = $this->_result($grpSearchDN, $filter, $attr);
                  if (false !== $result) {
                      return 2;
                  }
          

          UPDATED

          1 Reply Last reply Reply Quote 0
          • A
            antonionardella
            last edited by

            Hello @Fernando-Gietz it works using that code!

            1 Reply Last reply Reply Quote 0
            • F
              Fernando Gietz Developer
              last edited by

              I’m glad but we’re cheating 😉

              If we erase the last change

              $filter = sprintf(
                             '(&(|(name=%s))(%s=%s))',
                             implode(')(name=', (array)$adminGroups),
                             $grpMemAttr,
                             $this->escape($userDN, null, LDAP_ESCAPE_FILTER)
              );
              

              Ans setup the Search Base DN parameter only to dsptest, does work?

              1 Reply Last reply Reply Quote 0
              • A
                antonionardella
                last edited by

                Hello,

                I tried with Search Base DN set to:

                • dsptest
                • ou=dsptest
                • ou=dsptest,dc=example,dc=com
                • ou=dsp
                • ou=dsp,dc=example,dc=com

                with no luck:

                [Fri Apr 05 10:10:09.017746 2019] [proxy_fcgi:error] [pid 9652] [client ::1:51122] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: Invalid DN syntax in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: dsptest; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
                [Fri Apr 05 10:45:05.644639 2019] [proxy_fcgi:error] [pid 9707] [client ::1:59212] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
                [Fri Apr 05 10:45:10.428643 2019] [proxy_fcgi:error] [pid 9681] [client ::1:59270] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php?node=home
                [Fri Apr 05 10:46:43.542053 2019] [proxy_fcgi:error] [pid 9652] [client ::1:59972] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
                [Fri Apr 05 10:47:32.359197 2019] [proxy_fcgi:error] [pid 9650] [client ::1:60348] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsp; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
                [Fri Apr 05 10:48:28.842830 2019] [proxy_fcgi:error] [pid 9648] [client ::1:60670] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsp,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
                

                Cheers,
                Antonio

                1 Reply Last reply Reply Quote 0
                • F
                  Fernando Gietz Developer
                  last edited by

                  Hi @antonionardella ,

                  Ok the erorr is normal XD. I see two ways to solve your case:

                  1. Not use admin groups and all users are administrators, later you can restrict the access to the web UI using the AccessControl plugin.

                  2. Do a little change in your code:

                          /**
                           * Only one entry
                           */
                          $entries = $this->get_entries($result);
                          /**
                           * Pull out the user dn
                           */
                          $userDN = $entries[0]['dn'];
                          /**
                           * If use group match is used, get access level,
                           * otherwise group scanning isn't used. Assume all
                           * are admins.
                           */
                          if ($useGroupMatch) {
                              $accessLevel = $this->_getAccessLevel($grpMemAttr, $userDN);
                          } else {
                              $accessLevel = 2;
                          }
                  

                  Change the 541 line in ldap.class.php file to:

                          /**
                           * Only one entry
                           */
                          $entries = $this->get_entries($result);
                          /**
                           * Pull out the user dn
                           */
                  //        $userDN = $entries[0]['dn'];
                             $userDN = $user;
                          /**
                           * If use group match is used, get access level,
                           * otherwise group scanning isn't used. Assume all
                           * are admins.
                           */
                          if ($useGroupMatch) {
                              $accessLevel = $this->_getAccessLevel($grpMemAttr, $userDN);
                          } else {
                              $accessLevel = 2;
                          }
                  
                  

                  I prefer the first one

                  1 Reply Last reply Reply Quote 0
                  • A
                    antonionardella
                    last edited by

                    Hi @Fernando-Gietz, I am terribly sorry, but making everyone an admin does not look like an option.
                    It’s less about the web UI access, but more about restricting users (see students) from deploying random images to the systems and breaking things or activating licenses of pre-imaged software.

                    What if the group would be called dsp, is it in no way possibile to limit the access only to this group here?
                    What is the issue exactly?

                    Thank you for your time.

                    Ciao,
                    Antonio

                    F 1 Reply Last reply Reply Quote 0
                    • F
                      Fernando Gietz Developer @antonionardella
                      last edited by Fernando Gietz

                      @antonionardella said in LDAP Plugin with openLDAP:

                      Hi @Fernando-Gietz, I am terribly sorry, but making everyone an admin does not look like an option.
                      It’s less about the web UI access, but more about restricting users (see students) from deploying random images to the systems and breaking things or activating licenses of pre-imaged software.

                      OK, you are right if you have student in the same LDAP server. Then the second option XD

                      What if the group would be called dsp, is it in no way possibile to limit the access only to this group here?
                      What is the issue exactly?

                      the problem is the filter that the code construct, in your case this filter is bad and doesn t work.

                      Bad filter:

                      (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=****,dc=***))
                      

                      Good filter:

                      (&(|(name=dsp))(memberuid=dsptest))
                      

                      To do it well, the $userDN variable value should be dsptest and not uid=dsptest,ou=Users,dc=xxx,dc=xxx. If you do the previous suggested change in the code, $userDN = $user;, the filter should be fine and the validation proccess works fine for all users.

                      1 Reply Last reply Reply Quote 0
                      • A
                        antonionardella
                        last edited by antonionardella

                        Hello @Fernando-Gietz,

                        thanks for the awesome help and support, it works now as needed.

                        Is there something I should be aware or edit in our openLDAP implementation to make the plugin work correctly without editing the /var/www/[html/]fog/lib/plugin/ldap/class/ldap.class.php file?

                        Ciao,
                        Antonio

                        1 Reply Last reply Reply Quote 0
                        • AUTH IT CenterA AUTH IT Center referenced this topic on
                        • 1
                        • 2
                        • 2 / 2
                        • First post
                          Last post

                        149

                        Online

                        12.0k

                        Users

                        17.3k

                        Topics

                        155.2k

                        Posts
                        Copyright © 2012-2024 FOG Project