Users, not machines at the Active Directory.

jacoboren

Hi,

@Sebastian-Roth

I saw that I have php7 and php5 maybe is a mismatch here? Right? Need to remove php7.1*

This is my output of :

 dpkg -l | grep php

ii  libapache2-mod-php7.1                      7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        server-side, HTML-embedded scripting language (Apache 2 module)
ii  php-common                                 1:52+deb.sury.org~xenial+1                                  all          Common files for PHP packages
ii  php-gettext                                1.0.11-2+deb.sury.org~xenial+1                              all          read gettext MO files directly, without requiring anything other than PHP
ii  php-ldap                                   1:7.1+53~ubuntu16.04.1+deb.sury.org+1                       all          LDAP module for PHP [default]
ii  php-pear                                   1:1.10.4+submodules+notgz-1~ubuntu16.04.1+deb.sury.org+1    all          PEAR Base System
ii  php-xml                                    1:7.1+52+deb.sury.org~xenial+1                              all          DOM, SimpleXML, WDDX, XML, and XSL module for PHP [default]
ii  php5.6-common                              5.6.31-1~ubuntu16.04.1+deb.sury.org+1                       amd64        documentation, examples and common module for PHP
ii  php5.6-ldap                                5.6.31-1~ubuntu16.04.1+deb.sury.org+1                       amd64        LDAP module for PHP
ii  php7.1                                     7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        all          server-side, HTML-embedded scripting language (metapackage)
ii  php7.1-bcmath                              7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        Bcmath module for PHP
ii  php7.1-cli                                 7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        command-line interpreter for the PHP scripting language
ii  php7.1-common                              7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        documentation, examples and common module for PHP
ii  php7.1-curl                                7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        CURL module for PHP
ii  php7.1-fpm                                 7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        server-side, HTML-embedded scripting language (FPM-CGI binary)
ii  php7.1-gd                                  7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        GD module for PHP
ii  php7.1-json                                7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        JSON module for PHP
ii  php7.1-ldap                                7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        LDAP module for PHP
ii  php7.1-mbstring                            7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        MBSTRING module for PHP
ii  php7.1-mcrypt                              7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        libmcrypt module for PHP
ii  php7.1-mysql                               7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        MySQL module for PHP
ii  php7.1-opcache                             7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        Zend OpCache module for PHP
ii  php7.1-readline                            7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        readline module for PHP
ii  php7.1-xml                                 7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        DOM, SimpleXML, WDDX, XML, and XSL module for PHP

---

@george1421

Changed from “cn=” to “ou=” without success.

Thanks guys.

Sebastian Roth

@jacoboren said in Users, not machines at the Active Directory.:

php7.1-ldap

So this was installed already I suppose and has been used all the time. I think you can safely remove php5.6-common and php5.6-ldap but make sure it does not remove other packages when you do this!

jacoboren

@Sebastian-Roth this is the output now:

 dpkg -l | grep php
ii  libapache2-mod-php7.1                      7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        server-side, HTML-embedded scripting language (Apache 2 module)
ii  php-common                                 1:52+deb.sury.org~xenial+1                                  all          Common files for PHP packages
ii  php-gettext                                1.0.11-2+deb.sury.org~xenial+1                              all          read gettext MO files directly, without requiring anything other than PHP
ii  php-ldap                                   1:7.1+53~ubuntu16.04.1+deb.sury.org+1                       all          LDAP module for PHP [default]
ii  php-pear                                   1:1.10.4+submodules+notgz-1~ubuntu16.04.1+deb.sury.org+1    all          PEAR Base System
ii  php-xml                                    1:7.1+52+deb.sury.org~xenial+1                              all          DOM, SimpleXML, WDDX, XML, and XSL module for PHP [default]
ii  php7.1                                     7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        all          server-side, HTML-embedded scripting language (metapackage)
ii  php7.1-bcmath                              7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        Bcmath module for PHP
ii  php7.1-cli                                 7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        command-line interpreter for the PHP scripting language
ii  php7.1-common                              7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        documentation, examples and common module for PHP
ii  php7.1-curl                                7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        CURL module for PHP
ii  php7.1-fpm                                 7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        server-side, HTML-embedded scripting language (FPM-CGI binary)
ii  php7.1-gd                                  7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        GD module for PHP
ii  php7.1-json                                7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        JSON module for PHP
ii  php7.1-ldap                                7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        LDAP module for PHP
ii  php7.1-mbstring                            7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        MBSTRING module for PHP
ii  php7.1-mcrypt                              7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        libmcrypt module for PHP
ii  php7.1-mysql                               7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        MySQL module for PHP
ii  php7.1-opcache                             7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        Zend OpCache module for PHP
ii  php7.1-readline                            7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        readline module for PHP
ii  php7.1-xml                                 7.1.6-1~ubuntu16.04.1+deb.sury.org+1                        amd64        DOM, SimpleXML, WDDX, XML, and XSL module for PHP

But still now working…

jacoboren

This is my output on FOG right now.

Tom Elliott

@jacoboren Remove the ger\ from yoru Admin Group.

Tom Elliott

@jacoboren Change Search Base DN so you only have the dc= elements (just a guess.)

jacoboren

Hi guys, @Tom-Elliott @Sebastian-Roth @george1421

I still having a thinking that something on the ldap integration with the OS can cause problems…so what I did it?

Rebuild again on the step that doesn’t have any installation to fecth OS to Ldap, I though that some libs are creating conflict on this issue.

So from now I only have the plugin installed, and follow everything that we talked before, I still without working…

My FOG version is 1.4.3. What I am missing here? Any clue?

dpkg -l | grep php

ii libapache2-mod-php7.1 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
ii php-common 1:52+deb.sury.org~xenial+1 all Common files for PHP packages
ii php-gettext 1.0.11-2+deb.sury.org~xenial+1 all read gettext MO files directly, without requiring anything other than PHP
ii php-pear 1:1.10.4+submodules+notgz-1~ubuntu16.04.1+deb.sury.org+1 all PEAR Base System
ii php-xml 1:7.1+52+deb.sury.org~xenial+1 all DOM, SimpleXML, WDDX, XML, and XSL module for PHP [default]
ii php7.1 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 all server-side, HTML-embedded scripting language (metapackage)
ii php7.1-bcmath 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 Bcmath module for PHP
ii php7.1-cli 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 command-line interpreter for the PHP scripting language
ii php7.1-common 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 documentation, examples and common module for PHP
ii php7.1-curl 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 CURL module for PHP
ii php7.1-fpm 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 server-side, HTML-embedded scripting language (FPM-CGI binary)
ii php7.1-gd 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 GD module for PHP
ii php7.1-json 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 JSON module for PHP
ii php7.1-ldap 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 LDAP module for PHP
ii php7.1-mbstring 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 MBSTRING module for PHP
ii php7.1-mcrypt 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 libmcrypt module for PHP
ii php7.1-mysql 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 MySQL module for PHP
ii php7.1-opcache 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 Zend OpCache module for PHP
ii php7.1-readline 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 readline module for PHP
ii php7.1-xml 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 DOM, SimpleXML, WDDX, XML, and XSL module for PHP

Tom Elliott

@jacoboren Is your domain actually:

ger.corp.inte.com or is it gerglb.inte.com?

Tom Elliott

Do your groups actually reside in a created OU called workers?

Tom Elliott

To my knowledge, searching shouldn’t include spaces (so Domain Admins) might be a problem.

I’ve not tested if this is indeed the case or not, just trying to think outside the box.

george1421

@jacoboren Right as Tom said.

In the OU workers, you must have a group called “Domain Admins”. And only users in that group will be allowed to login to the fog server.

If DNS name resolution is working correctly on your fog server you can use the gergbl.inte.com dns name, if dns client is not setup on fog server then you will need to use the IP address here.

Also when you try to login using ldap and access fails, debug messages should be posted to the Apache error log. If you tail that file we may have a better understanding of what is failing.

Also change your search scope to subtree and below

jacoboren

Thanks for your effort @Tom-Elliott ,

This is a dedicated server for who wants to add to the AD so I changed, but I tried before with both of them.

ou=workers is correct.

“Admin group” means the group that the user: “ad_yoalbuke” belongs right on the AD? If yes is write down with spaces so i need to add backslash “” ?

Thanks!

george1421

@jacoboren said in Users, not machines at the Active Directory.:

“Admin group” means the group that the user: “ad_yoalbuke” belongs right on the AD?

This means that “ad_yoalbuke” must be a member of the “Domain Admins” group that is located in this path: ou=workers,dc=ger,dc=corp,dc=inte,dc=com

I do have to question your ldap path. Based on your ldap server its domain is inte.com. So I would think your ldap root would be dc=inte,dc=com and not dc=ger,dc=corp,dc=inte,dc=com. My brain is telling me that dc=ger,dc=corp are probably OUs off of your dc=inte,dc=com ldap root.

I know that was hard to follow. So let me try again. Me just guessing I think this path is wrong:
ou=workers,dc=ger,dc=corp,dc=inte,dc=com
It should read:
ou=workers,ou=ger,ou=corp,dc=inte,dc=com

But I don’t know how your AD is setup so I can only guess based on your dns name of your domain controller.

Tom Elliott

Do you actually have a Bind user/password pair you must use to search your Active DIrectory?

The “Bind DN/Password” is not “who can login” it’s what credentials are needed to even scan AD for information to begin with. Most people will likely not even have to have this set.

jacoboren

@Tom-Elliott @george1421

Do you know if the version of php7.1 was tested before or need to be php5 ?

Thanks.

george1421

@jacoboren PHP 7 should work no problem. Most of the major disrobutions have moved to php 7 in their current OS releases.

Attempt to login with AD credentials, then access the FOG server linux console. There should be some AD log messages in the Apache error log. Depending on the OS the log file will be in /var/log/httpd/error_log or /var/log/apache2/error.log Tail that file to see any ldap errors. Please post the errors here.

Also I noticed from your original post, are you keying in the domain with the user name domain\user ?? I think the code requires just user because the domain is set in the LDAP connector code.

Wayne Workman

@tom-elliott said in Users, not machines at the Active Directory.:

@jacoboren As @george1421 pointed out, then I think what you’re looking for already exists.

FOG Configuration Page->FOG Settings->Plugin Settings-> Enable Plugins.

Go to the gear icon that becomes present.

Click on “LDAP” plugin (Looks like a key).

Go to install plugin.

Click on “LDAP” plugin.

Click on Install LDAP Plugin.

You will then have a new icon appear that looks like the Key in the main menu item.

Click there.

Create New.

Make the configuration as you need it.

#wiki worthy

jacoboren

Hi guys, @Tom-Elliott @george1421 @Sebastian-Roth

I still fighting to make it work, try almost everything, seems that is fetching there because I have another Linux machine integrate with LDAP on the same network, the ports are OK, I also verified it.

This is my output:

tail -F /var/log/apache2/error.log

[Sun Aug 06 09:49:23.155362 2017] [php7:notice] [pid 5316] [client 10.12.180.213:54409] Plugin LDAP::_result(). Search Method: list; Filter: (member=*); Result: 0, referer: http://10.12.180.16/fog/management/index.php
[Sun Aug 06 09:49:23.155417 2017] [php7:notice] [pid 5316] [client 10.12.180.213:54409] Plugin LDAP::_getAccessLevel() Group Search DN did not return any results. Group Search DN: ou=workers,dc=ger,dc=corp,dc=inte,dc=com, referer: http://10.12.180.16/fog/management/index.php
[Sun Aug 06 09:49:23.155564 2017] [php7:notice] [pid 5316] [client 10.12.180.213:54409] Plugin LDAP::authLDAP() Access level is still 0 or false. No access is allowed!, referer: http://10.12.180.16/fog/management/index.php

Have something wrong on the field “Group Member Attribute”=“member” ? I’m also still with doubt about the field “Admin Group” this is what I think but I don’t understand exactly what should be there. You see it on the print-screen.
What should be there?

Thanks guys!

Sebastian Roth

@jacoboren We don’t know your AD/LDAP structure we can only guess! As Tom and George already suggested the DN ou=workers,dc=ger,dc=corp,dc=inte,dc=com does not sound like a proper container for groups! See this picture for a fairly simple AD structure:

Somewhere further down ther is probably OU=Users as well. To me your OU=workers sounds like it is a user container. Please find the group container in your structure!

george1421

@jacoboren Since you are having no luck with this, lets try to collect a bit more info. Can you please do the following.

1. Open “Active directory Users and Computers”
2. Select View->Advanced Features make sure its checked when done.
3. Navigate to the group and open the group.
4. Select the Object tab (only visible when the advanced features is enabled.
5. Copy the full conical path and post it here.