New plugin: MyLDAP. LDAP Extension Plugin
-
Hi Fogers!
I have developed a new plugin: MyLDAP plugin.
Description: This plugin is an extension of the LDAP plugin. MyLDAP plugin makes the users created by the LDAP plugin persistent. Useful when you use the AccessControl plugin or Site plugin.
The LDAP plugin creates users on the fly; these users are erased from the database when the user logs off from the webUI. If you use the AccessControl plugin or Site plugin, the user-accesscontrol or user-site relation will be lost when the user logs off because the user entry in the DB is erased. MyLDAP plugin keeps the user persistent in the DB. If the user changes his/her password in the LDAP server or in AD, the password will be updated during the validation process.
Dependencies: LDAP plugin
-
Could this just be built into the existing LDAP plugin? It sounds like it should be.
-
The reason this is not added to the current ldap plugin is because:
- If you persist the user, when your AD Password is reset, how does the GUI know of the change? (Yes I know this is already addressed, but this is more so people understand the thought processes.)
- If you move the user from an admin group to a mobile group (or delete the user entirely), how does FOG know this user is no longer supposed to be an Admin?
I might suggest modifying the Site and Access control plugins to detect LDAP usage and apply site/access control on a checker system similar to how the ldap plugin checks if the user is to be admin or not? I know this isn’t the easiest idea to implement or write for, but I think this method would be much more secure and dynamic than a persisting user, and it enables a “grouping” element too. (Though this is kind of by design I suppose even with individual users, but I think you see where my head is at.)
That all said:
I went ahead and refactored that little bit of code. It appears to work, though I’ll admit I haven’t tested moving the user around other groups. The primary reason this wasn’t coded around before was that I was just unable to think of the processes to handle this; though I added the functionality a while ago, rethinking this functionality didn’t happen until now (sorry).
-
The MyLDAP plugin only updates the typeUser field from 990 to 0. Then the solution is easy in this case: we can change the LDAP plugin and add a checkbox to make the users persistent or not.
@Tom-Elliott said in New plugin: MyLDAP. LDAP Extension Plugin:
The reason this is not added to the current ldap plugin is because:
- If you persist the user, when your AD Password is reset, how does the GUI know of the change? (Yes I know this is already addressed, but this is more so people understand the thought processes.)
The MyLDAP plugin takes this into account and, after the validation in the AD or LDAP server, updates the password in the FOG DB. Well, I think that saving the password in the DB is a little security hole: if you know the encryption mode, you can decrypt the password that is saved in the DB. I propose not to save it in the DB for the users created by the LDAP plugin and only save the “local users”, the users that you create from the webUI.
-
@Fernando-Gietz While theoretically possible, the password in the db is there as nothing more than a show. The password is not encrypted. It’s hashed, and a hash cannot be brought back to the password. You would have to brute force until you found a match and even then we are checking if the type is valid. So it IS possible, but very very unlikely.
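Added example, not code from this thread or from FOG: a small Python model of the "checker" approach Tom describes above, where a persisted directory-backed user (typeUser 990) is always re-validated against the directory and its stored hash and admin flag are refreshed from the live answer, so a password reset or a move out of the admin group takes effect on the next login. The directory, user names, group names and passwords are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed stand-in for AD/LDAP: user -> (password, current groups).
# A real deployment would bind to the directory; this only simulates its answer.
DIRECTORY = {
    "alice": ("Winter2024!", {"fog-admins"}),
    "bob":   ("hunter2",     {"fog-mobile"}),
}
ADMIN_GROUP = "fog-admins"   # assumed group name mapping to FOG admin rights

def make_hash(password, salt=None):
    """Salted PBKDF2 hash; the stored value is a hash, not recoverable."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def local_user(password, admin):
    salt, digest = make_hash(password)
    return {"typeUser": 0, "salt": salt, "hash": digest, "admin": admin}

# Persisted user table. typeUser follows the thread: 990 = directory-backed,
# 0 = local user created from the web UI. Alice starts with no hash stored.
USERS = {
    "alice": {"typeUser": 990, "salt": b"", "hash": b"", "admin": False},
    "carol": local_user("LocalPass1", admin=True),
}

def directory_bind(username, password):
    """Simulated LDAP bind: returns the user's current groups, or None."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return entry[1]

def authenticate(username, password):
    """Return (ok, is_admin). Directory users are checked live every time;
    the persisted hash and admin flag are refreshed, never trusted on their own."""
    user = USERS.get(username)
    if user is None:
        return False, False
    if user["typeUser"] == 990:
        groups = directory_bind(username, password)
        if groups is None:
            return False, False            # no fallback to the stale local hash
        user["salt"], user["hash"] = make_hash(password)
        user["admin"] = ADMIN_GROUP in groups
        return True, user["admin"]
    _, digest = make_hash(password, user["salt"])
    ok = hmac.compare_digest(digest, user["hash"])
    return ok, ok and user["admin"]
```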