• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Another LDAP topic

    Scheduled Pinned Locked Moved
    General
    4
    14
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • EazisE
      Eazis
      last edited by

      I’m trying to make everything in our business work with LDAP. The last thing that not will work is FOG.
      At the moment i’m pretty new with LDAP but so far all our other applications works fine.
      I have read and tried all the information here on the forums but it won’t work at all.
      The next two articels on this forum where one of the guides which i tried. For sure i do something wrong, but i don’t what and in the logging there is nothing that i can relate to solve this.

      https://forums.fogproject.org/topic/11531/how-to-setup-microsoft-ad-ldap-for-fog-1-5-0
      https://forums.fogproject.org/topic/14178/ldap-plugin-install

      I have installed php-ldap.

      OS: CentOS 7
      PHP: 7.4.33
      FOG Version: 1.5.9.204
      

      The following settings are no set for LDAP:

      870ec679-48ff-4868-a6b4-221d1eeff966-image.png

      4aea8a01-1f7e-4cb9-81cd-b81c341a8b0a-image.png

      Can anyone help me to get this work? Or give me any advice?

      george1421G 1 Reply Last reply Reply Quote 0
      • george1421G
        george1421 Moderator @Eazis
        last edited by

        @eazis The first thing that jumps out at me is the search based dn and group base dn. This should be the ladp path to find both the users and groups. So if you look for user jondoe it will look if that user exists in the TechnischeDienet OU. Same for the groups you provide the location to look for the group.

        Now your admin group, should not be the ldap path but the name of the authorization group found in the group search dn path. So if your group in the Group Search DN is called fogadmins then you enter fogadmins in that admin group field

        In the referenced link here is what that field instructions say

        Admin Group - MANDATORY - (This is the name of the security/distribution group that admins need to be a part of in AD in order to login with LDAP) Note: Just the group name… not the whole CN as you already provided that information above.

        For search group I would pick sub group and below, from personal experience. I wrote the original plugin for 1.5.0 that has been tweaked a few times since, but in general the flow is still the same. Lets try my recommendation and see where we end up.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

        EazisE 1 Reply Last reply Reply Quote 0
        • EazisE
          Eazis @george1421
          last edited by

          @george1421 So you say:

          Search Base DN: DC=YYYY,DC=XXXX,DC=com
          Group Search DN: DC=YYYY,DC=XXXX,DC=com
          Admin Group: TechnischeDienst
          

          Is this correct?

          george1421G 1 Reply Last reply Reply Quote 0
          • george1421G
            george1421 Moderator @Eazis
            last edited by

            @eazis That will work, or you can be more specific with the search base DNs. With your current example it will search all of your domain for the defined user and group.

            If you were using a default windows ad structure you might make the search bases as:

            Search Base DN: CN=Users,DC=YYYY,DC=XXXX,DC=com
            Group Search DN: CN=Groups,DC=YYYY,DC=XXXX,DC=com
            

            If you are setting the search base to the root of your ldap structure you will want to change the search method to current directory and below (sorry I don’t remember the exact term), but it means the current search base path and all OUs below.

            Now for the admin group, TechnischeDienst this needs to be the ad group name that FOG will try to find the user in. If the user is not in that group then access is denied to the fog server.
            So the first part of the ldap plugin searches to see if the user account exists in the Search Base DN path. If the user is in that path, then it searches for the group defined in the Group Search DN path. If the group is found then it sees if the user exists in that group. At least that was the original flow.

            So to answer your original question will what you have work, yes it should as long as if you change the search method to current OU and all sub ous and TechnischeDienst is the name of a windows group that contains the user you want to login.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

            EazisE 1 Reply Last reply Reply Quote 0
            • EazisE
              Eazis @george1421
              last edited by

              @george1421 I tried it with both settings but no luck…

              george1421G 1 Reply Last reply Reply Quote 0
              • george1421G
                george1421 Moderator @Eazis
                last edited by

                @eazis Would you send another screen shot of the ldap config page, please.

                From your iniital screen shot it look like you have groups and users in the same OU?

                In your original post you made reference to TechnischeDienst, is that an AD group or OU?

                If you put the AD browser in advanced mode. Then select the FOG admin group and go to properties, in the properties there should be an advanced menu or properties menu, this tab only exists when the AD browser is in advanced mode. Will you provide me the ldap path (from the DN field on the properties tab) for both the fog admin group and a test user that you want to log into FOG. Lets start with the full dn for both objects and work our way back into the field values.

                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                EazisE 1 Reply Last reply Reply Quote 0
                • EazisE
                  Eazis @george1421
                  last edited by

                  @george1421 sorry for my delay. Weekend between…

                  TechnischeDienst is a OU.
                  My AD browser is already in advanced mode. What you mean with the FOG admin group??

                  948bdfd6-c4d4-4610-8b9c-6b6eae31972d-image.png

                  1 Reply Last reply Reply Quote 0
                  • A
                    astrugatch
                    last edited by astrugatch

                    Can you go to Fog Configuration then to Fog Settings then Plugin: LDAP and screenshot what is there for LDAP ports and User Filter?

                    Also For “Admin Group”, that shouldn’t be the name of an OU but rather the name of a security group that your users are a member. That group should be located somewhere within the parameters set by the Group Search DN.

                    EazisE 1 Reply Last reply Reply Quote 0
                    • EazisE
                      Eazis @astrugatch
                      last edited by

                      @astrugatch

                      41f15ab2-e57b-44ac-b257-261e44c54211-image.png

                      A 1 Reply Last reply Reply Quote 0
                      • A
                        astrugatch @Eazis
                        last edited by

                        @eazis

                        Did you make the changes for your admin group setting to be a group rather than an OU as you have it?

                        EazisE 1 Reply Last reply Reply Quote 0
                        • EazisE
                          Eazis @astrugatch
                          last edited by

                          @astrugatch Yes, i tried this, but no result…

                          1 Reply Last reply Reply Quote 0
                          • EazisE
                            Eazis
                            last edited by

                            Anyone who can help me with this?

                            Tom ElliottT 1 Reply Last reply Reply Quote 0
                            • Tom ElliottT
                              Tom Elliott @Eazis
                              last edited by

                              @eazis Can you please get your error logs and present them as you attempt to login.

                              Unless I’m mistaken, LDAP is logged in the PHP error (php-fpm or apache.error depending on Redhat based vs Debian based respectively).

                              This can give us more information.

                              First, I want to say, the OU isn’t the same as a group. So as @astrugatch has stated, is the correct action.

                              Is your AD configured as SSL only connections? This could be part of the problem but I’m just grabbing at straws with this thought.

                              So I’m assuming YYYY.XXXX.com isn’t the real domain of your environment. That said, is whatever your server address actually accessible from the FOG server?

                              Normally Server address should be the IP address (or fqdn) of your AD/LDAP server.

                              IS port 389 indeed what you would want.

                              Also, I notice that “Use Group Matching (recommended)” is not checked. While I don’t know off the top of my head what this means, I’m pretty sure it is indeed recommended hence the verbiage we’ve added. Please see if checking this box gives you assistance.

                              Next, for troubleshooting reasons, I’d suggest starting simply.

                              Change your Admin Group to something like Users, and see if that works.

                              I also want to give some understanding of the Bind DN.

                              IF you are logging in with a user named Zabbix, that user must be able to read all environments to confirm the users. I’d almost suggest removing this and the Bind Password during initial stand up just to be on the testing side until we figure out what’s not working and why.

                              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                              Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                              Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                              EazisE 1 Reply Last reply Reply Quote 0
                              • EazisE
                                Eazis @Tom Elliott
                                last edited by Eazis

                                @tom-elliott Many thanks!! I used now the internal ip address of the AD server … This was the whole problem.
                                A vaild domain name here did not work.

                                Normally this AD server is reachable with this fqdn YYYY.XXXX.com (it’s not the real domain). I can’t type public this domain here for security reasons.

                                I can now login with users from my AD into FOG.

                                1 Reply Last reply Reply Quote 0
                                • 1 / 1
                                • First post
                                  Last post

                                209

                                Online

                                12.0k

                                Users

                                17.3k

                                Topics

                                155.2k

                                Posts
                                Copyright © 2012-2024 FOG Project