LDAP Plugin

TaTa

Server

• FOG Version: 1.3.3 SVN Revision 6061
• OS: Ubuntu 14.04.6 LTS

Client

• Service Version:
• OS: Windows 7

Description

I’ve been pulling my hair trying to get LDAP plug in to work but unable to. I’ve followed suggestions from @iyoung post and this post. ##### Server

• FOG Version:
• OS:

Client

• Service Version:
• OS:

Description

Server

• FOG Version: 1.3.3 SVN Revision 6061
• OS: Ubuntu 14.04.6 LTS

Client

• Service Version:
• OS: Windows 7

Description

I’ve been pulling my hair trying to get LDAP plug in to work but unable to. I’ve followed suggestions from @iyoung post and this post. I’ve tried it on my test and production servers but got no luck. I re-installed LDAP as instructed here but it didn’t help. Attached is the screenshot of my LDAP settings. I’ve confirmed with our AD admin that these settings are correct.

Does DN has to be a full path?
Does Bind Password need to be ecrypted using FOGCrypt?
When I tried to login using AD account from fog website:
domainname\DomainuserID - No error. The login page just refreshes.
DomainUserID - I get a “invalid login” error.

What am I doing wrong? Does anyone have a thorough tutorial on how to get LDAP authentication to work?

Thank you very much in advanced and apologize for the duplicate post.

george1421

The first thing I might do is use the IP address of your DC.

The binddn and bind password needs to point to a valid user that only needs read only access to AD. The password should not be encrypted with fogcrypt. The page does that automatically.

in the group home_it, that contains the names of the users you want to login to FOG?

iyoung

If @george1421’s suggestion doesn’t work, in my setup of the plugin, I left the ‘Bind DN’ and ‘Bind Password’ fields blank, from reading this post. But my AD might be set up wrong.

george1421

@iyoung if you do not supply a bind dn, then the code will use a blind bind. Windows AD doesn’t allow blind binds to ldap.

OK lets take a step back. I believe if you set use group matching to No and save the configuration, as long as the user is a valid ldap user he/she should be able to login. That’s not the final go only a stepping stone.

If that doesn’t work then we need to look at the apache error log. That will tell us what the plugin is having an issue with

george1421

@george1421 Lets confirm that you are attempting to login using the NT style user ID correct? (username) and not (domain\username).

Also one of the developers just IM’d me that the plugin doesn’t use blind binds (userid/password less queries) since that isn’t allowed in AD anyway.

TaTa

@george1421 I set it to no but still can’t login. How do I check Apache error log?

george1421

@TaTa said in LDAP Plugin:

@george1421 I set it to now but still can’t login. How do I check Apache error log?

Fog Configuration (wrench on tool bar)->Log Viewer->Select Apache error log (error_log) from drop down list. New errors at the bottom.

TaTa

I’m getting “Unable to open file for reading”.

george1421

@TaTa can you post that section of the log? It almost sounds like your don’t have the php-ldap module installed.

TaTa

This is what I got

TaTa

FOG Log Viewer can open any other logs except for Apache logs.

george1421

@TaTa Well that sounds like a programmer’s issue.

For this issue you will have to go to the fog server and the linux command line.

For ubuntu I think (sorry I’m a rhel guy) the error.log file is in /etc use this command to find it.
find /etc -name error.log

Once you find the location use this command
tail <the path found using find>.

For rhel the apache error log is in /var/log/httpd/error_log

TaTa

I found it. It’s in /var/apache2 folder:

[Wed Jan 25 12:38:38.997061 2017] [php7:warn] [pid 7657] [client 192.168.1.164:58283] PHP Warning: fopen(/var/log/apache2/error.log): failed to open stream: Permission denied in /var/www/html/fog/status/logtoview.php on line 60, referer: http://192.168.1.110/fog/management/index.php?node=about&sub=logviewer
[Wed Jan 25 12:38:49.027418 2017] [php7:warn] [pid 7654] [client 192.168.1.164:58287] PHP Warning: fopen(/var/log/apache2/error.log): failed to open stream: Permission denied in /var/www/html/fog/status/logtoview.php on line 60, referer: http://192.168.1.110/fog/management/index.php?node=about&sub=logviewer
[Wed Jan 25 12:38:59.058214 2017] [php7:warn] [pid 5012] [client 192.168.1.164:58290] PHP Warning: fopen(/var/log/apache2/error.log): failed to open stream: Permission denied in /var/www/html/fog/status/logtoview.php on line 60, referer: http://192.168.1.110/fog/management/index.php?node=about&sub=logviewer
[Wed Jan 25 12:39:09.090039 2017] [php7:warn] [pid 7655] [client 192.168.1.164:58292] PHP Warning: fopen(/var/log/apache2/error.log): failed to open stream: Permission denied in /var/www/html/fog/status/logtoview.php on line 60, referer: http://192.168.1.110/fog/

TaTa

The time displays on my FOG website is wrong. It reads Wed Jan 25, 2017 18:34 pm but actual time right now is 1:32PM. How do I change it?

TaTa

I just installed php5-ldap and tried to login. This is what I see in apache2 error.log

[Wed Jan 25 13:49:36.733006 2017] [core:notice] [pid 1307] AH00094: Command line: ‘/usr/sbin/apache2’
[Wed Jan 25 13:49:54.996066 2017] [php7:warn] [pid 1324] [client 192.168.1.164:61012] PHP Warning: ldap_unbind() expects parameter 1 to be resource, null given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 118, referer: http://192.168.1.110/fog/management/index.php
[Wed Jan 25 13:50:53.236481 2017] [php7:warn] [pid 1327] [client 192.168.1.164:61052] PHP Warning: ldap_unbind() expects parameter 1 to be resource, null given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 118, referer: http://192.168.1.110/fog/management/index.php

george1421

@TaTa I tweaked ldap plugin on my production server to provide more details of where the issue is failing. I’ll provide you with a link in the AM (here, about 8 hours) with instructions on patching your installation so we can figure out exactly what is wrong. The unbind warning, is just that its a warning. That isn’t the issue with your setup.

george1421

@george1421 I just sent a link to you via direct messaging (little talk bubble on the tool tray in the browser)

Save the file /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php to a safe location and then copy the file downloaded file into that location. Then test your ldap login. The only thing added to this file over the standard ldap file is additional logging so we can understand what is going wrong.

Post the messages logged at the tail of the apache error_log. This should tell us where the in code the plugin is not happy. I can say the plugin works fine in my environment so we just need to understand why it is misbehving in your environment.

TaTa

Thank you @george1421. I just tested it with and without user group matching but no luck. I sent you a private message of the error log. I can’t post it here. Bosses might not like it. I’m out of office today but If you need access to my server, I’m happy to do a teamviewer session tomorrow. Thanks again.

TaTa

@george1421 I just changed search scope to subtree and below and magically I was able to login with domain user ID (no domain name is needed). I can’t thank you enough for your support. Thank you!!!