LDAP Plugin on FOG 1.3.3
-
Server
- FOG Version: 1.3.3
- OS: Ubuntu 16.04
- PHP Version: 7.1
Client
- Service Version: Not sure
- OS: Windows 7
- Browser: Google Chrome
Description
I’m encountering some confusion when setting up my LDAP connection. I think I have it set up correctly as I am getting an error that’s been discussed before in this post. The resolution was that the moderator PM’d the OP a file that apparently fixed everything - but that doesn’t help me out any! Could we make this fix public? And what are the chances of posting a tutorial on this LDAP feature? Maybe even a “Test Connection” button with some descriptive error messages so that users aren’t left in the dark while configuring their connection?
To reiterate, here’s the exact error that I’m getting:
[Tue May 09 15:34:37.803674 2017] [php7:warn] [pid 20908] [client 10.1.255.255:64736] PHP Warning: ldap_unbind() expects parameter 1 to be resource, null given in /var/www/fog/lib/plugins/ldap/class/ldap.class.php on line 118, referer: http://fog.foobar.qux/management/index.php
Furthermore, I was sure to install the php7.1-ldap package and restart Apache.
-
Yeah, install the latest stable or RC series.
-
And the post did not get a file that fixed everything. The OP had search only base, not the subtree. Once they changed the search scope from “Base only” to “Base and Subtree” it started working for them.
-
Can you post a screenshot of your LDAP configuration? The fix from that thread has since been integrated into the main code. And Tom was right: the OP of that thread selected an option that didn’t search below the defined base OU.
I also might recommend that you update to the latest branch build to fix a few documented issues in 1.3.3 around resizable disks. It’s not mandatory for LDAP to function correctly, but it would solve a few unrelated things.
-
OK, just reviewing that thread in a bit more detail. The file/link I sent the OP only contained additional debugging information to help narrow down why/where the error was being thrown. The result of the debugging was the discovery that the OP was using the wrong search mode, which is why the results were null.
Ensure your search scope has been set to Subtree and below.
-
Quick and dirty I think. Please feel free to modify/suggest changes as you can/see fit.
LDAP
Overview
The FOG LDAP plugin is a simplistic means to authenticate using a Domain and/or LDAP System.
Its uses and configuration may vary depending on the organization.
Configuration
When creating or editing a current LDAP entry, the following items and the data expected are:
- LDAP Connection Name (Required)
  This is just a basic name to give for record keeping.
- LDAP Server Description (Optional)
  This is just a basic description for record keeping.
- LDAP Server Address (Required)
  This is the address of your LDAP server. This, most likely, will be the domain name that it’s
  handling. (e.g. somedomain.local, somedomain)
- LDAP Server Port (Required - Defaults to 389)
  This is the port to connect to. Only two are viable currently: 389 (default LDAP port)
  and 636 (LDAP Secure). Most likely, however, 389 will be what you need. 636 would require
  a certificate, which FOG’s implementation of LDAP does not currently support.
- Search Base DN (Required) (Distinguished Name)
  This is the base DN to search the directory tree within. This could be where you want to
  start searching for users.
- Group Search DN (Optional)
  This is where the domain contains group names and where you want to search within for groups.
- Admin Group (Optional) (If blank, Mobile must be set.)
  This is a list of groups that will tell which users will be considered “admins”.
  This can be comma separated. This is not the DN of the group, just the name
  of the group. (e.g. fogadmins, not OU=fogadmins,DC=example,DC=com)
- Mobile Group (Optional) (If blank, Admin must be set.)
  This is a list of groups that will tell which users will be considered “mobile”.
  This can be comma separated. This is not the DN of the group, just the name
  of the group. (e.g. fogmobile, not OU=fogmobile,DC=example,DC=com)
- Initial Template
  The template to apply for the attributes to search for. (e.g. samAccountName and member)
  This is not stored to the DB; it is just meant as a means to automatically populate the
  attribute fields with the common elements used for the LDAP type being selected.
  The templates are:
  - Microsoft AD: (User name attribute = samAccountName, Group member attribute = member)
  - OpenLDAP: (User name attribute = cn, Group member attribute = member)
  - Generic LDAP: (User name attribute = cn, Group member attribute = uniqueMember)
- User Name attribute (Required)
  The attribute to filter the username with.
- Group member attribute (Required)
  The attribute to filter the group member information with.
- Search Scope
  The scope in which to perform your LDAP lookup.
  - Base Only - Only scans within the search base DN, nothing below.
  - Base and Subtree - Scans at and one level below what the search base DN can see.
  - Subtree and below - Scans everything below what the search base DN can see.
- Bind DN (Optional)
  The DN needed to search the domain.
- Bind Password (Optional) (If Bind DN is set, this will be required.)
  The password for the bind DN to authenticate.
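As an added illustration (not FOG’s code and not part of the post above), a small Python model of how the Search Scope, the template’s attribute names and the Admin Group list decide whether a user is found and whether they count as an admin. It assumes the three scope labels map onto the LDAP base / one-level / subtree scopes and that group names are matched against the group’s cn; the directory entries are constructed so it runs without a server.

```python
"""Model of the FOG LDAP plugin's Search Scope and template settings.
Added example, not FOG's code. All directory entries below are constructed."""

# Constructed sample directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "dc=company,dc=local": {},
    "ou=people,dc=company,dc=local": {},
    "ou=groups,dc=company,dc=local": {},
    "cn=alice,ou=people,dc=company,dc=local": {"samaccountname": ["alice"], "cn": ["alice"]},
    "cn=bob,ou=people,dc=company,dc=local": {"samaccountname": ["bob"], "cn": ["bob"]},
    "cn=fogadmins,ou=groups,dc=company,dc=local": {
        "cn": ["fogadmins"], "member": ["cn=alice,ou=people,dc=company,dc=local"]},
}

# Assumed mapping of the plugin's labels onto LDAP scopes base / one / sub:
# maximum depth below the base DN that is still searched (None = unlimited).
SCOPE_DEPTH = {"Base Only": 0, "Base and Subtree": 1, "Subtree and below": None}

def _rdns(dn):
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is reachable from base_dn under the given scope."""
    e, b = _rdns(entry_dn), _rdns(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False                       # not beneath the base DN at all
    depth = len(e) - len(b)
    limit = SCOPE_DEPTH[scope]
    return True if limit is None else depth <= limit

def search(base_dn, scope, attr, value):
    """DNs under base_dn (per scope) whose attribute attr contains value."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, scope)
            and value.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]]

def find_user(base_dn, scope, user_attr, username):
    """First matching user DN, or None: the plugin's 'null result' case."""
    hits = search(base_dn, scope, user_attr, username)
    return hits[0] if hits else None

def is_admin(user_dn, group_dn, scope, member_attr, admin_groups):
    """admin_groups is the plugin's comma-separated list of group *names*."""
    names = [g.strip().lower() for g in admin_groups.split(",") if g.strip()]
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, group_dn, scope):
            continue
        if any(n in [c.lower() for c in attrs.get("cn", [])] for n in names):
            members = [m.lower() for m in attrs.get(member_attr.lower(), [])]
            if user_dn.lower() in members:
                return True
    return False
```

With the base DN dc=company,dc=local, "Base and Subtree" never reaches a user two levels down in ou=people, which reproduces the null result discussed above; "Subtree and below" (or a narrower base DN) does.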
-
-
Thanks for the quick response! The reply with the proper field data helped tremendously, at least after I updated to 1.3.5.
I had a few issues, particularly with the Group Search DN and the Search Scope option, but I got it to work by using my Base DN (dc=company,dc=local) and the Subtree and Below option. Not sure why it wouldn’t work when I narrowed the scope and chose Base and Subtree, but long story short it’s working now after upgrading to 1.3.5.
I also had a few binding issues but found that instead of using the full DN for the bind user I just used the username and it worked fine.