    LDAP Plugins in FOG 1.3.0 RC 8

Steuve68

Hello all,

I currently use FOG 1.2.0 in production. It works fine!

For testing, I installed FOG 1.3.0 RC8 on a test server.
I'm very interested in the LDAP plugin.
I installed and activated the LDAP plugin. It's OK, no errors.

But after “Create New LDAP” in “LDAP Management” in FOG, when I try to use my LDAP account to log on to FOG, the web page is blank … and nothing.

My LDAP server configuration in FOG is:

LDAP Server Name: xxx.xxx.xx
LDAP Server Description: Description of LDAP
LDAP Server Address: xxx.xxx.xx (the name, not the IP … does it need “ldaps://”?)
DN: uid=xx,ou=xx,dc=xx,dc=xx
Server Port: 636

What is the “Create as admin” option?

Which LDAP attribute should be used to log on to FOG?
mail?
uid?
another attribute? …

Thanks for your answers.

Tom Elliott @Steuve68

@Steuve68 UID, I believe, is the best practice for now, though that does make it harder for AD folks to use the LDAP plugin. Create as admin sets whether you should enable creating the LDAP user as a normal user account within FOG. It currently defaults to creating a ‘mobile/quick image’ user when successfully authenticated.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

george1421 (Moderator) @Steuve68

@Steuve68 I can't speak to the LDAP plugin directly for FOG. For their Windows “NT” style account name you would use the LDAP field sAMAccountName. I also would start off with the non-SSL port and the IP address or FQDN of your DC.

While I didn't see it listed above, typically there is a bind DN and an LDAP search path so you can limit the user search to a specific OU. I deleted my FOG dev server by accident so I can't confirm first hand that the plugin works.

Steuve68

@Tom-Elliott That's the web page after a test login with an LDAP account into FOG: (screenshot: fog_blank_webpage.png)

@george1421 In the “DN” field, what do I need to put? An account (of the form uid=xx,ou=xx,dc=xx,dc=xx) or an OU (of the form ou=xxx,dc=xxx,dc=xx)?

Thanks

george1421 (Moderator) @Steuve68

@Steuve68 As for the DN, it depends on whether it's a bind DN or a base DN. The base DN is the search path where users will be searched for (e.g. ou=users,ou=nyc,dc=domain,dc=com). If it's a bind DN or bind credentials, you can “sometimes” use just the AD form “domain\user”, or if the LDAP format is required then you need something like “cn=Joebob Thomas,ou=admins,ou=nyc,dc=domain,dc=com” or “uid=joebob,ou=admins,ou=nyc,dc=domain,dc=com”.

Basically what is needed here is:
- The search base (where to look for users); this is called either search base or base DN.
- An account to connect to LDAP that the LDAP client will use to query LDAP. This is typically called bind user or bind DN, with a password. Some LDAP agents will allow NT-formatted authentication; others require the LDAP user format.

In regards to AD, you can kind of cheat to convert an AD user into LDAP format. If you go into AD and look at a user, then select the Object tab. On the Object tab there is a canonical name field: domain.com/NYC/Users/Jimbob Thomas. You can convert it to an LDAP name by reversing the order, as such: cn=Jimbob Thomas,ou=users,ou=nyc,dc=domain,dc=com

In the case of FOG, the apache error log may give you an idea why you are getting the white screen; typically this is when the FOG server errors out.

Steuve68
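A worked version of the “reverse the order” rule from the post above, written in Python as an added example (not the FOG LDAP plugin's code): it builds a DN from an AD canonical name with RFC 4514 escaping, and gives a cheap syntax check that rejects the bare-login and “domain\user” inputs a server reports as “Invalid DN syntax”. It assumes every path component between the domain and the leaf object is an OU.

```python
"""Turn an AD canonical name into an LDAP DN and sanity-check DN syntax.
Example code added here, not the FOG LDAP plugin's code."""
import re

# RFC 4514 special characters; '=' is added so type/value splitting stays unambiguous.
_SPECIAL = set(',+"\\<>;=')
_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value per RFC 4514 section 2.4 (a leading '#' or space
    and a trailing space are escaped as well)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def _split_unescaped(text: str, sep: str) -> list:
    """Split on sep, leaving backslash-escaped characters untouched."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append(''.join(cur))
    return parts


def canonical_to_dn(canonical: str, leaf_type: str = 'cn') -> str:
    """domain.com/NYC/Users/Jimbob Thomas -> cn=Jimbob Thomas,ou=Users,ou=NYC,dc=domain,dc=com
    Assumption: every path component between domain and leaf is an OU. The
    built-in AD 'Users' container directly under the domain is really CN=Users,
    so check the container type in AD before trusting the result."""
    parts = [p for p in canonical.split('/') if p]
    if len(parts) < 2:
        raise ValueError('canonical name needs a domain and a leaf object')
    domain, path, leaf = parts[0], parts[1:-1], parts[-1]
    rdns = ['%s=%s' % (leaf_type, escape_rdn_value(leaf))]
    rdns += ['ou=%s' % escape_rdn_value(ou) for ou in reversed(path)]
    rdns += ['dc=%s' % escape_rdn_value(label) for label in domain.split('.')]
    return ','.join(rdns)


def looks_like_dn(text: str) -> bool:
    """Cheap syntax check: every RDN must be type=value with a non-empty value.
    A bare login or 'domain\\user' fails, which is the class of input a server
    rejects with 'Invalid DN syntax'."""
    for rdn in _split_unescaped(text, ','):
        pair = _split_unescaped(rdn.strip(), '=')
        if len(pair) != 2 or not _TYPE.match(pair[0].strip()) or not pair[1]:
            return False
    return True
```

DN attribute types and most AD values compare case-insensitively, so `ou=Users,ou=NYC` is the same as the lower-case form in the post.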

@george1421 So … for the blank page, in the apache2 log (/var/log/apache2/error.log):

PHP Fatal error: Call to undefined function ldap_connect()

To resolve this (blank page): apt-get install php5-ldap
I didn't know that … it was not written in the wiki (https://wiki.fogproject.org/wiki/index.php?title=Plugins#LDAP_Plugin)

I tried to log into FOG with the LDAP uid … and now no blank page, but “Invalid login”.

But now … after configuring the LDAP server in FOG, I see this in the apache2 “error.log”:

PHP Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 38, referer: http://sm-fog-dev/fog/management/index.php

PHP Warning: ldap_bind(): Unable to bind to server: Invalid DN syntax in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 39, referer: http://sm-fog-dev/fog/management/index.php

PHP Warning: ldap_bind(): Unable to bind to server: Invalid DN syntax in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 40, referer: http://sm-fog-dev/fog/management/index.php

I don't understand what to put into the “DN” fields …
(screenshot: ldap.png)

Thanks for the help!

george1421 (Moderator) @Steuve68

@Steuve68 Again, I'm just speaking in general terms here since I haven't worked with the FOG LDAP plugin, but I would say there are some missing fields that would typically be required.

Based on what is there, I would say the DN is the base or search DN. That would be the container where the LDAP plugin would search for users. That field should be in LDAP format.

The LDAP server address should just be an IP address of the LDAP server.

Now what I see missing is the bind DN and password (the user account that is used to query LDAP). Some LDAP systems allow for unauthenticated queries, and others like AD require an authorized user to be able to query AD (this keeps the bad guys from enumerating your internal AD structure). So I would suspect that even if you had the visible fields filled out properly, this query would fail because of an authorization issue.

The last bit of information I see missing is that sometimes there will be a field for a group name. That way the LDAP query would check whether the user that is logging in is a member of group “abc” and would be allowed to log in. Right now, the way it's set up, anyone in the search base DN who logs in will be allowed.

That reminds me of one more for your search base. Typically there is a field for how deep to search from the search base: to only search in the search base, or to include all OUs below the search base too.

But again this is only speculation; probably Tom will need to comment on the actual function of the LDAP plugin. If it would work, I would surely move to that method, that way we have only valid

I realize this is WAY more information than you are asking for. I'm documenting it here since I feel the LDAP plugin may require some needed bits.

Tom Elliott @george1421

@george1421 To be honest, I'm not the guy you want for commenting. I made it work through a ton of testing with @x23piracy and an OpenLDAP layout. I don't think we ever got it to work with Active Directory and there, currently, isn't any extra information to pass along. This plugin was created by @Fernando-Gietz and was mainly used for OpenLDAP, I think. Maybe one of them can chime in? Of course anybody with more experience integrating such a system would be greatly appreciated. An AD and LDAP authentication system, I think, would be great for FOG.

Steuve68

@george1421 OK … that is also what I think … fields are missing … a user and password to query LDAP …! Thanks for your different answers and explanations.

@Tom-Elliott Yes, I think LDAP and/or AD authentication and delegation of rights by user would be great for FOG.
If the LDAP plugin developers can explain how it works, that would be top 😉 😉!

Thanks for the quick answers.

Sorry for my bad English … I'm French.

george1421 (Moderator) @Steuve68

@Steuve68 said in LDAP Plugins in FOG 1.3.0 RC 8:

> Sorry for my bad English … I'm French.

Oh, I didn't know you were French, you lose 50 points for that. 😉 (Just kidding, your English is great.)

Yes, let's see if the other developers can chime in. I can take a look at the code but I don't have a clue on the programming part. I know what has to be in the query based on how other FLOSS applications work.

davido38

Maybe it can help:

I have GLPI on the same server as FOG with LDAP auth on a 2008 server and it works fine.

(screenshot: GLPI LDAP directory configuration, Google Chrome, 2016-09-14)

george1421 (Moderator) @davido38

@davido38 Thank you, this confirms my concept that it's possible to make the LDAP code work generally with AD. I've been looking at the LDAP plugin code over my lunch hour, and I see what they are doing. There are several assumptions (i.e. your LDAP should be set up in a certain way) in the code to fill in the missing fields, which may not work in all situations.

                            But, in concept the code should be able to be updated to support AD.

Tom Elliott @george1421

@george1421 Totally agree.

george1421 (Moderator)

I've started a feature request here to document the process of reviewing the current LDAP plugin:
https://forums.fogproject.org/topic/8575/extend-ldap-plugin-to-support-ad-authentication

After reviewing the current LDAP plugin, there are only about 30 lines of code that are used for authentication. I believe that if I can add a few database fields to remove some of the assumptions, the code CAN be converted to support AD authentication.

x23piracy @Tom Elliott

@Tom-Elliott If this works with AD, it would be cool if a normal user could log in to FOG (web UI and/or PXE) to have the possibility to reset his computer (reimage).

Regards X23

george1421 (Moderator) @x23piracy

@x23piracy Are you currently using LDAP authentication today? I think I found good example code with which I can upgrade the bits in the plugin. I just want to make sure the upgraded bits don't break what you are using.

x23piracy @george1421

@george1421 I discarded using it because it didn't work as intended with Active Directory; Tom and I tried a lot, but in the end it was not fully working like I wanted.

The main problem is that we couldn't get it to work with two LDAP definitions pointing to a deeper-lying OU in the AD.
What I wanted was to have one connection for normal users that can log on to FOG and another one that allows all admins access with higher rights.

Not easy to explain what exactly went wrong, but it seems that the current plugin cannot work with a specific OU.

Regards X23

george1421 (Moderator) @x23piracy

@x23piracy Great info, thank you.

The approach I'm looking at is to have user authentication and then, if the user is in AD group (X) they are an admin, if they are in group (Y) they are a user, and if they are in neither AD group then no access. Initially I was only thinking about a single group, but if there are admin and user levels in FOG then the dual group is the answer.

Your explanation also tells me why there was an admin field in the database. I hope to have time over the weekend to do a little coding to see if I can do a proof of concept test.

Wayne Workman @george1421
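The group-based authorization step proposed in the post above, and the bind-user and group fields discussed earlier in the thread, as an added Python example (not the FOG plugin's code): it builds an escaped search filter for the login name, normalises memberOf DNs the way AD compares them, and maps membership to admin, user or no access, denying anything not explicitly granted. The group DNs and the sample entry are constructed values.

```python
"""Authorisation step for an LDAP/AD login: after the bind, map the user's AD
group membership to a FOG role. Example code added here, not the FOG plugin's
code; the group DNs and sample entry are constructed."""
import re
from typing import Optional

ADMIN_GROUP = 'cn=FOG Admins,ou=groups,dc=domain,dc=com'  # constructed group DNs
USER_GROUP = 'cn=FOG Users,ou=groups,dc=domain,dc=com'
_FILTER_ESC = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login name cannot alter the search filter."""
    return ''.join(_FILTER_ESC.get(ch, ch) for ch in value)


def user_search_filter(login: str, attr: str = 'sAMAccountName') -> str:
    """Filter that matches exactly this login (use attr='uid' for OpenLDAP)."""
    return '(&(objectClass=person)(%s=%s))' % (attr, escape_filter_value(login))


def normalize_dn(dn: str) -> str:
    """AD matches DNs case-insensitively and ignores spaces around unescaped
    commas; normalise before comparing memberOf values with configured groups."""
    return re.sub(r'\s*(?<!\\),\s*', ',', dn.strip()).lower()


def role_for_entry(entry: dict) -> str:
    """'admin' if in the admin group, 'user' if in the user group, else 'none'.
    memberOf lists direct membership only; nested groups need a further lookup."""
    groups = {normalize_dn(g) for g in entry.get('memberOf', [])}
    if normalize_dn(ADMIN_GROUP) in groups:
        return 'admin'
    if normalize_dn(USER_GROUP) in groups:
        return 'user'
    return 'none'


def authorize(bind_ok: bool, entry: Optional[dict]) -> str:
    """A failed bind, a missing entry, or no matching group all mean no access;
    anything not explicitly granted is denied."""
    if not bind_ok or entry is None:
        return 'none'
    return role_for_entry(entry)


# Constructed sample entry, shaped like the attributes a user search returns.
SAMPLE_ENTRY = {
    'sAMAccountName': ['jthomas'],
    'memberOf': ['CN=FOG Users, OU=Groups, DC=domain, DC=com',
                 'CN=Domain Users,CN=Users,DC=domain,DC=com'],
}
```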

@george1421 said in LDAP Plugins in FOG 1.3.0 RC 8:

> Your explanation also tells me why there was an admin field in the database

It was set up to restrict someone to just FOG mobile if they weren't an admin. It's a checkbox in user management, for a user. When checked, they can only access FOG mobile, I think. Or vice versa … or something.

                                          Daily Clean Installation Results:
                                          https://fogtesting.fogproject.us/
                                          FOG Reporting:
                                          https://fog-external-reporting-results.fogproject.us/
