Access Control Plugin working with AD
-
Re: Access Control
I’m currently setting up FoG and I got the LDAP plugin working with two security groups, Admin and Mobile, and I found this thread from earlier this year that mobile no longer exists. Are there plans to tie the Access Control plugin with the LDAP plugin where I can assign roles to LDAP users of FoG?
If not, is the only way to use the Access Control plugin to use users created from the FoG GUI user menu?
-
@Fernando-Gietz is the one to ask here.
-
Thank you, Sebastian. I’ll get in touch with @Fernando-Gietz.
-
@Fernando-Gietz
I see my usernames that I’m testing with, and the ones from the Admin group have a UType of 990 and the username from the Mobile group has 991. There is also the UDisplay field, which is Admin for the default FoG account but an empty string for the users I’ve added. My plan would be to keep Admin and Technician users separated in AD with the Mobile and Admin LDAP search options and then, once verified, use the Access Control Plugin to assign rights to the users based on their UType.
Is this something that could work?
-
@Miodog said in Access Control Plugin working with AD:
Re: Access Control
I’m currently setting up FoG and I got the LDAP plugin working with two security groups, Admin and Mobile, and I found this thread from earlier this year that mobile no longer exists. Are there plans to tie the Access Control plugin with the LDAP plugin where I can assign roles to LDAP users of FoG?
If not, is the only way to use the Access Control plugin to use users created from the FoG GUI user menu?
When you install and configure the LDAP plugin, you can set up two user profiles: Admin and mobile. The users of the admin group can see all options of the interface (dashboard, hosts, images, groups, configuration, …) and the mobile users load a small and limited interface. As you read in the post Access Control, the mobile interface is obsolete and will be deprecated in the future.
We can distinguish two users in FOG: local users and LDAP users.
- Local users
  These users are created in the web interface; you can create them on demand and you can have as many users as you need. In the users table of the database, these users have uType = 0 or 1 (0 for admins and 1 for mobile).
- LDAP users
  These users are created in the database automatically when a user logs on successfully. In the database they have uType values equal to 900 and 901 (900 for users of the admin group and 901 for users of the mobile group). By default the users of the admin group can see all options in the web interface.

With the AccessControl plugin you can limit the access of the users to some menus of the web interface: you can define some rules (access to one menu or submenu), you can define some roles (groups of users) and tie rules to roles. With this you can define different access levels. But you must configure it manually.
You can assign local users and LDAP users to one role. By default you can only see the local users list; to see all users of the database you must configure the user filter in FOG Configuration -> FOG Settings -> Plugin LDAP -> User Filter.
-
-
@Fernando-Gietz
Hi Fernando, thank you for the quick reply. I don’t see the Plugin LDAP User Filter in my configuration page. I’m on version 1.5.5. The only Plugin menu item that I have is Plugin System.
-
@Miodog This is for 1.5.5 version.
But you can do a workaround:
- Go to FOG_DIRECTORY/lib/plugin/ldap/hooks
- Make a copy of ldappluginhook.hook.php

    # cp ldappluginhook.hook.php ldappluginhook.hook.php.ori

- Let’s edit one line of the code:

    # vim ldappluginhook.hook.php

    /**
     * Sets our user type to filter from user list
     *
     * @param mixed $arguments the item to adjust
     *
     * @return void
     */
    public function setTypeFilter($arguments)
    {
        $arguments['types'] = array(990,991);
    }

- Change the line:

    $arguments['types'] = array(990,991);

  To:

    $arguments['types'] = array(991);

With this change you can see the local users and LDAP admin users
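
The workaround steps above as a repeatable script. This is an added example, not part of the original post and not FOG project code. The function name `patch_ldap_type_filter` is hypothetical, and the script assumes the hook file contains exactly the line quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example, not FOG project code. Applies the one-line workaround from the
# thread to ldappluginhook.hook.php, keeps the .ori backup, and refuses to touch
# a file that does not contain the exact line quoted in the thread.

OLD="\$arguments['types'] = array(990,991);"
NEW="\$arguments['types'] = array(991);"

# Usage: patch_ldap_type_filter FOG_DIRECTORY/lib/plugin/ldap/hooks
# Returns 0 if patched or already patched, 1 if the file is missing,
# 2 if the content is unexpected or the result fails a syntax check.
patch_ldap_type_filter() {
    local file="$1/ldappluginhook.hook.php"
    local tmp

    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }

    # Idempotence: nothing to do when the edited line is already in place.
    if grep -qF "$NEW" "$file" && ! grep -qF "$OLD" "$file"; then
        echo "already patched: $file"
        return 0
    fi

    # Different FOG version or local edits: leave the file alone.
    grep -qF "$OLD" "$file" || { echo "expected line not found in $file" >&2; return 2; }

    # Same backup name as in the thread; never overwrite an existing backup.
    [ -e "$file.ori" ] || cp -p "$file" "$file.ori"

    tmp=$(mktemp) || return 1
    sed "/arguments\['types'] = array(990,991);/s/array(990,991)/array(991)/" "$file" > "$tmp"
    cat "$tmp" > "$file"   # rewrite in place so owner and mode are preserved
    rm -f "$tmp"

    # Optional syntax check when the php CLI is installed; roll back on failure.
    if command -v php >/dev/null 2>&1 && ! php -l "$file" >/dev/null 2>&1; then
        cp -p "$file.ori" "$file"
        echo "php -l failed, restored backup" >&2
        return 2
    fi
    echo "patched: $file (backup: $file.ori)"
}

# Run against a real install only when a hooks directory is passed explicitly.
if [ -n "${1:-}" ]; then patch_ldap_type_filter "$1"; fi
```

Because the edit changes which accounts appear in the user list used for role assignment, review the Access Control role memberships after applying it.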