LDAP Plugins in FOG 1.3.0 RC 8

Steuve68

@george1421 OK … it is also what I think … is missing fields … user an pass to query LDAP … ! Thanks for your different answers and explanation.

@Tom-Elliott Yes, i think LDAP and/or AD authentication and delegation rights by users would be great for FOG.
If the LDAP Plugins developpers can explain how does it work it would be top !

Thanks for speed answers

Sorry for my bad english … i’m french.

george1421

@Steuve68 said in LDAP Plugins in FOG 1.3.0 RC 8:

Sorry for my bad english … i’m french.

Oh I didn’t know you were French, you loose 50 points for that. (just kidding your engish is great)

Yes lets see if the other developers can chime in. I can take a look at the code but I don’t have a clue on the programming part. I know what has to be in the query based on how other FLOSS applications work.

davido38

maybe it can help

I have Glpi on the same server of fog with ldap auth on a 2008 srv and it works fine.

george1421

@davido38 Thank you this confirms my concept that its possible to make the ldap code work generally with AD. I’ve been looking at the ldap plugin code over my lunch hour, and I see what they are doing. There are several assumptions (i.e. your LDAP should be setup in a certain way) in the code to fill in the missing fields, which may not work in all situations.

But, in concept the code should be able to be updated to support AD.

Tom Elliott

@george1421 totally agree

george1421

I’ve started a feature request here to document the process of reviewing the current LDAP plugin.
https://forums.fogproject.org/topic/8575/extend-ldap-plugin-to-support-ad-authentication

After reviewing the current ldap plugin there are only about 30 lines of code that is used for authentication. I believe that if I can add a few database fields to remove some of the assumptions that the code CAN be converted to support AD authentication.

x23piracy

@Tom-Elliott if this will work with AD it would be cool if a normal user can login into fog (webif or and pxe) to have to possibility to reset his computer (reimage).

Regards X23

george1421

@x23piracy Are you currently using ldap authentication today? I think I found a good example code that I can upgrade the bits in the plugin. I just want to make sure the upgraded bits don’t break what you are using.

x23piracy

@george1421 i discard using it because it didn’t work as intended with Active Directory, Tom and me tried a lot but in the end it was not fully working like i wanted to.

the Main Problem is that we couldn’t get it to work with two LDAP definitions pointing to a deeper laying OU unit in the AD
What i wanted was to have one conneciton for normal users that can logon to fog and another one that allows all admins access with higher rights.

Not easy to explain what exactly went wrong but it seems that the current plugin cannot work with a specific OU.

Regards X23

george1421

@x23piracy Great info, thank you.

The approach I’m looking at is to have user authentication and then if user is in AD group ( X ) then they are an admin, if they are in group ( Y ) then user, if they are not in either AD group then no access. Initially I was only thinking about a single group, but if there is admin and user levels in FOG then the dual group is the answer.

Your explanation also tells me why there was an admin field in the database. I hope to have time over the weekend to do a little coding to see if I can do a proof of concept test.

Wayne Workman

@george1421 said in LDAP Plugins in FOG 1.3.0 RC 8:

Your explanation also tells me why there was an admin field in the database

It was setup to restrict someone to just fog mobile if they weren’t an admin. It’s a checkbox in user management, for a user. When checked, they can only access fog mobile I think. Or vice versa… or something.