Users, not machines at the Active Directory.
-
To my knowledge, searching shouldn’t include spaces (so
Domain Admins) might be a problem.I’ve not tested if this is indeed the case or not, just trying to think outside the box.
-
@jacoboren Right as Tom said.
In the OU workers, you must have a group called “Domain Admins”. And only users in that group will be allowed to login to the fog server.
If DNS name resolution is working correctly on your fog server you can use the gergbl.inte.com dns name, if dns client is not setup on fog server then you will need to use the IP address here.
Also when you try to login using ldap and access fails, debug messages should be posted to the Apache error log. If you tail that file we may have a better understanding of what is failing.
Also change your search scope to subtree and below
-
Thanks for your effort @Tom-Elliott ,
This is a dedicated server for who wants to add to the AD so I changed, but I tried before with both of them.
ou=workers is correct.
“Admin group” means the group that the user: “ad_yoalbuke” belongs right on the AD? If yes is write down with spaces so i need to add backslash “” ?
Thanks!
-
@jacoboren said in Users, not machines at the Active Directory.:
“Admin group” means the group that the user: “ad_yoalbuke” belongs right on the AD?
This means that “ad_yoalbuke” must be a member of the “Domain Admins” group that is located in this path:
ou=workers,dc=ger,dc=corp,dc=inte,dc=comI do have to question your ldap path. Based on your ldap server its domain is
inte.com. So I would think your ldap root would bedc=inte,dc=comand notdc=ger,dc=corp,dc=inte,dc=com. My brain is telling me thatdc=ger,dc=corpare probably OUs off of yourdc=inte,dc=comldap root.I know that was hard to follow. So let me try again. Me just guessing I think this path is wrong:
ou=workers,dc=ger,dc=corp,dc=inte,dc=com
It should read:
ou=workers,ou=ger,ou=corp,dc=inte,dc=comBut I don’t know how your AD is setup so I can only guess based on your dns name of your domain controller.
-
Do you actually have a Bind user/password pair you must use to search your Active DIrectory?
The “Bind DN/Password” is not “who can login” it’s what credentials are needed to even scan AD for information to begin with. Most people will likely not even have to have this set.
-
Do you know if the version of php7.1 was tested before or need to be php5 ?
Thanks.
-
@jacoboren PHP 7 should work no problem. Most of the major disrobutions have moved to php 7 in their current OS releases.
Attempt to login with AD credentials, then access the FOG server linux console. There should be some AD log messages in the Apache error log. Depending on the OS the log file will be in /var/log/httpd/error_log or /var/log/apache2/error.log Tail that file to see any ldap errors. Please post the errors here.
Also I noticed from your original post, are you keying in the domain with the user name domain\user ?? I think the code requires just user because the domain is set in the LDAP connector code.
-
@tom-elliott said in Users, not machines at the Active Directory.:
@jacoboren As @george1421 pointed out, then I think what you’re looking for already exists.
FOG Configuration Page->FOG Settings->Plugin Settings-> Enable Plugins.
Go to the gear icon that becomes present.
Click on “LDAP” plugin (Looks like a key).
Go to install plugin.
Click on “LDAP” plugin.
Click on Install LDAP Plugin.
You will then have a new icon appear that looks like the Key in the main menu item.
Click there.
Create New.
Make the configuration as you need it.
#wiki worthy
-
Hi guys, @Tom-Elliott @george1421 @Sebastian-Roth
I still fighting to make it work, try almost everything, seems that is fetching there because I have another Linux machine integrate with LDAP on the same network, the ports are OK, I also verified it.
This is my output:
tail -F /var/log/apache2/error.log
[Sun Aug 06 09:49:23.155362 2017] [php7:notice] [pid 5316] [client 10.12.180.213:54409] Plugin LDAP::_result(). Search Method: list; Filter: (member=*); Result: 0, referer: http://10.12.180.16/fog/management/index.php
[Sun Aug 06 09:49:23.155417 2017] [php7:notice] [pid 5316] [client 10.12.180.213:54409] Plugin LDAP::_getAccessLevel() Group Search DN did not return any results. Group Search DN: ou=workers,dc=ger,dc=corp,dc=inte,dc=com, referer: http://10.12.180.16/fog/management/index.php
[Sun Aug 06 09:49:23.155564 2017] [php7:notice] [pid 5316] [client 10.12.180.213:54409] Plugin LDAP::authLDAP() Access level is still 0 or false. No access is allowed!, referer: http://10.12.180.16/fog/management/index.phpHave something wrong on the field “Group Member Attribute”=“member” ? I’m also still with doubt about the field “Admin Group” this is what I think but I don’t understand exactly what should be there. You see it on the print-screen.
What should be there?Thanks guys!
-
@jacoboren We don’t know your AD/LDAP structure we can only guess! As Tom and George already suggested the DN
ou=workers,dc=ger,dc=corp,dc=inte,dc=comdoes not sound like a proper container for groups! See this picture for a fairly simple AD structure:
Somewhere further down ther is probablyOU=Usersas well. To me yourOU=workerssounds like it is a user container. Please find the group container in your structure! -
@jacoboren Since you are having no luck with this, lets try to collect a bit more info. Can you please do the following.
- Open “Active directory Users and Computers”
- Select View->Advanced Features make sure its checked when done.
- Navigate to the group and open the group.
- Select the Object tab (only visible when the advanced features is enabled.
- Copy the full conical path and post it here.
-
Hi guys, first I would like to say thanks for all of you that help me here on this amazing tools that is FOG.
Special thanks for @Tom-Elliott @george1421 @Sebastian-Roth
Unnfortunately I can’t share more info about the AD for policy of the company that I work, I check out about the AD tables directory parents and even like that I couldn’t establish integration.
So I use the plugin of Access Control Manager , and create local users.
Looks great, you can make the filter of what the users can see it, but these bunch of users also can see the images of others users when list the images and the hosts as well. It is not a problem for me now.
Thanks a lot guys you are amazing.
Jacob.
