Users, not machines at the Active Directory.
-
@Tom-Elliott , @george1421 Thanks for your assistance, I did it as Tom explain here,and find it this print also from @Tom-Elliott here
But still without work. It is necessary that at the OS is integrate as well with the AD at /etc/krb5.conf for example or the plugin of FOG should be enough?
Many thanks!
Jacob. -
@jacoboren There is no need to join the machine to your domain (/etc/krb5.conf needed!). FOG does directly contact your LDAP/AD to authenticate users. Double check all the settings, e.g. your “Group Memeber Attribute” in AD might be named different to the one in the screenshot you posted. Although I think MS is all case-insensitive you might try
sAMAccountName
instead ofsamAccountName
as well.I just read somewhere that:
For Microsoft Active Directory, specify the base DN in the following format:
dc=domain1,dc=local
. You will need to replace the domain1 and local for your specific configuration. Microsoft Server provides a tool called ldp.exe which is useful for finding out and configuring the the LDAP structure of your server. -
@jacoboren Some comments since I helped the developers with this plugin.
- The ldap server name should be an IP address of an AD domain controller.
- If you enable group matching then for admin users they must be members of the defined group to get access to FOG. If group matching == no then the login user must have a valid AD account only.
- Search base DN is the root or starting point to look for users. If you set to the base of your AD tree it will look for users below that root (i.e dc=domain,dc=local would be your entire AD)
- The group search base is where FOG will look for matching groups
- Admin group. If group matching == yes then only people in the admin group will be allowed to access FOG.
- Same for the mobile group
- Search scope tells how far to look in AD Base and subtree is a good scope.
- Bind DN and Bind Pass is just a read only AD account FOG uses to find users in AD.
If you are still having troubles and can share some info we can help define what should be in those fields. But Sebastian is right the host OS is not used for AD authentication that is done in PHP.
-
Hi, first thank so much for all help of you (@george1421 , @Tom-Elliott , @Sebastian-Roth ) make me more motivation to use FOG on my environment.
I saw that was missing the package: php5.6-ldap (from ubuntu) and was installed, and i still having the same issue even with “ad_account”
This is the print of my conf. Where can I see the .log output when I try to do login, have a dedicated file for it?
What is missing here?
Jacob.
-
@jacoboren First you should have different “user/mobile” groups. You can leave the group blank for one or the other (one must be filled), but it seems confusing, to me, to have both the admin and mobile group showing exactly the same.
Both search and Groups search are in the same element? (Groups are searched at CN Workers) as well as base lookup is performed at the same level?
The Base and Subtree is restricted to the search element. So base would be: workers, and subtree would be anything immediately under the workers CN.
You actually have a bind username/password?
Sorry if you’re not sure of all the answers, just trying to get clarity and hopefully help out a little.
-
@jacoboren said in Users, not machines at the Active Directory.:
php5.6-ldap
Which version of FOG do you use? On ubuntu systems the installer should be adding
php7.1*
packages! Please see which version of the packages you have currently installeddpkg -l | grep php
, post the full list here!As well I am wondering about “Search Base DN” and “Group Search DN” both being the same. Does this make sense?
-
@jacoboren As Tom said, you should have a different group name between admin and mobile groups. We have not tested what will happen if you do it this way.
As for the group search dn and the search base dn. The group search dn is used the fine the group
yakov
if that group is in the OU workers then your search base is correct.One thing I noticed with your search dn path. Microsoft uses special folders and not OUs for their default ldap objects they use the
cn=
reference. If someone created the workers OU then you need to use theou=
reference and not thecn=
reference. I might think your search dn would look like thisou=workers,dc=,dc=corp,dc=inte
-
Hi,
I saw that I have php7 and php5 maybe is a mismatch here? Right? Need to remove php7.1*
This is my output of :
dpkg -l | grep php ii libapache2-mod-php7.1 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 server-side, HTML-embedded scripting language (Apache 2 module) ii php-common 1:52+deb.sury.org~xenial+1 all Common files for PHP packages ii php-gettext 1.0.11-2+deb.sury.org~xenial+1 all read gettext MO files directly, without requiring anything other than PHP ii php-ldap 1:7.1+53~ubuntu16.04.1+deb.sury.org+1 all LDAP module for PHP [default] ii php-pear 1:1.10.4+submodules+notgz-1~ubuntu16.04.1+deb.sury.org+1 all PEAR Base System ii php-xml 1:7.1+52+deb.sury.org~xenial+1 all DOM, SimpleXML, WDDX, XML, and XSL module for PHP [default] ii php5.6-common 5.6.31-1~ubuntu16.04.1+deb.sury.org+1 amd64 documentation, examples and common module for PHP ii php5.6-ldap 5.6.31-1~ubuntu16.04.1+deb.sury.org+1 amd64 LDAP module for PHP ii php7.1 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 all server-side, HTML-embedded scripting language (metapackage) ii php7.1-bcmath 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 Bcmath module for PHP ii php7.1-cli 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 command-line interpreter for the PHP scripting language ii php7.1-common 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 documentation, examples and common module for PHP ii php7.1-curl 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 CURL module for PHP ii php7.1-fpm 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 server-side, HTML-embedded scripting language (FPM-CGI binary) ii php7.1-gd 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 GD module for PHP ii php7.1-json 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 JSON module for PHP ii php7.1-ldap 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 LDAP module for PHP ii php7.1-mbstring 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 MBSTRING module for PHP ii php7.1-mcrypt 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 libmcrypt module for PHP ii php7.1-mysql 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 MySQL module for PHP ii php7.1-opcache 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 Zend OpCache module for PHP ii php7.1-readline 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 readline module for PHP ii php7.1-xml 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 DOM, SimpleXML, WDDX, XML, and XSL module for PHP
Changed from “cn=” to “ou=” without success.
Thanks guys.
-
@jacoboren said in Users, not machines at the Active Directory.:
php7.1-ldap
So this was installed already I suppose and has been used all the time. I think you can safely remove
php5.6-common
andphp5.6-ldap
but make sure it does not remove other packages when you do this! -
@Sebastian-Roth this is the output now:
dpkg -l | grep php ii libapache2-mod-php7.1 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 server-side, HTML-embedded scripting language (Apache 2 module) ii php-common 1:52+deb.sury.org~xenial+1 all Common files for PHP packages ii php-gettext 1.0.11-2+deb.sury.org~xenial+1 all read gettext MO files directly, without requiring anything other than PHP ii php-ldap 1:7.1+53~ubuntu16.04.1+deb.sury.org+1 all LDAP module for PHP [default] ii php-pear 1:1.10.4+submodules+notgz-1~ubuntu16.04.1+deb.sury.org+1 all PEAR Base System ii php-xml 1:7.1+52+deb.sury.org~xenial+1 all DOM, SimpleXML, WDDX, XML, and XSL module for PHP [default] ii php7.1 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 all server-side, HTML-embedded scripting language (metapackage) ii php7.1-bcmath 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 Bcmath module for PHP ii php7.1-cli 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 command-line interpreter for the PHP scripting language ii php7.1-common 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 documentation, examples and common module for PHP ii php7.1-curl 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 CURL module for PHP ii php7.1-fpm 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 server-side, HTML-embedded scripting language (FPM-CGI binary) ii php7.1-gd 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 GD module for PHP ii php7.1-json 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 JSON module for PHP ii php7.1-ldap 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 LDAP module for PHP ii php7.1-mbstring 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 MBSTRING module for PHP ii php7.1-mcrypt 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 libmcrypt module for PHP ii php7.1-mysql 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 MySQL module for PHP ii php7.1-opcache 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 Zend OpCache module for PHP ii php7.1-readline 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 readline module for PHP ii php7.1-xml 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 DOM, SimpleXML, WDDX, XML, and XSL module for PHP
But still now working…
-
This is my output on FOG right now.
-
@jacoboren Remove the
ger\
from yoru Admin Group. -
@jacoboren Change Search Base DN so you only have the
dc=
elements (just a guess.) -
Hi guys, @Tom-Elliott @Sebastian-Roth @george1421
I still having a thinking that something on the ldap integration with the OS can cause problems…so what I did it?
Rebuild again on the step that doesn’t have any installation to fecth OS to Ldap, I though that some libs are creating conflict on this issue.
So from now I only have the plugin installed, and follow everything that we talked before, I still without working…
My FOG version is 1.4.3. What I am missing here? Any clue?
dpkg -l | grep php
ii libapache2-mod-php7.1 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 server-side, HTML-embedded scripting language (Apache 2 module)
ii php-common 1:52+deb.sury.org~xenial+1 all Common files for PHP packages
ii php-gettext 1.0.11-2+deb.sury.org~xenial+1 all read gettext MO files directly, without requiring anything other than PHP
ii php-pear 1:1.10.4+submodules+notgz-1~ubuntu16.04.1+deb.sury.org+1 all PEAR Base System
ii php-xml 1:7.1+52+deb.sury.org~xenial+1 all DOM, SimpleXML, WDDX, XML, and XSL module for PHP [default]
ii php7.1 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 all server-side, HTML-embedded scripting language (metapackage)
ii php7.1-bcmath 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 Bcmath module for PHP
ii php7.1-cli 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 command-line interpreter for the PHP scripting language
ii php7.1-common 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 documentation, examples and common module for PHP
ii php7.1-curl 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 CURL module for PHP
ii php7.1-fpm 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 server-side, HTML-embedded scripting language (FPM-CGI binary)
ii php7.1-gd 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 GD module for PHP
ii php7.1-json 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 JSON module for PHP
ii php7.1-ldap 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 LDAP module for PHP
ii php7.1-mbstring 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 MBSTRING module for PHP
ii php7.1-mcrypt 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 libmcrypt module for PHP
ii php7.1-mysql 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 MySQL module for PHP
ii php7.1-opcache 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 Zend OpCache module for PHP
ii php7.1-readline 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 readline module for PHP
ii php7.1-xml 7.1.6-1~ubuntu16.04.1+deb.sury.org+1 amd64 DOM, SimpleXML, WDDX, XML, and XSL module for PHP -
@jacoboren Is your domain actually:
ger.corp.inte.com
or is itgerglb.inte.com
? -
Do your groups actually reside in a created OU called
workers
? -
To my knowledge, searching shouldn’t include spaces (so
Domain Admins
) might be a problem.I’ve not tested if this is indeed the case or not, just trying to think outside the box.
-
@jacoboren Right as Tom said.
In the OU workers, you must have a group called “Domain Admins”. And only users in that group will be allowed to login to the fog server.
If DNS name resolution is working correctly on your fog server you can use the gergbl.inte.com dns name, if dns client is not setup on fog server then you will need to use the IP address here.
Also when you try to login using ldap and access fails, debug messages should be posted to the Apache error log. If you tail that file we may have a better understanding of what is failing.
Also change your search scope to subtree and below
-
Thanks for your effort @Tom-Elliott ,
This is a dedicated server for who wants to add to the AD so I changed, but I tried before with both of them.
ou=workers is correct.
“Admin group” means the group that the user: “ad_yoalbuke” belongs right on the AD? If yes is write down with spaces so i need to add backslash “” ?
Thanks!
-
@jacoboren said in Users, not machines at the Active Directory.:
“Admin group” means the group that the user: “ad_yoalbuke” belongs right on the AD?
This means that “ad_yoalbuke” must be a member of the “Domain Admins” group that is located in this path:
ou=workers,dc=ger,dc=corp,dc=inte,dc=com
I do have to question your ldap path. Based on your ldap server its domain is
inte.com
. So I would think your ldap root would bedc=inte,dc=com
and notdc=ger,dc=corp,dc=inte,dc=com
. My brain is telling me thatdc=ger,dc=corp
are probably OUs off of yourdc=inte,dc=com
ldap root.I know that was hard to follow. So let me try again. Me just guessing I think this path is wrong:
ou=workers,dc=ger,dc=corp,dc=inte,dc=com
It should read:
ou=workers,ou=ger,ou=corp,dc=inte,dc=com
But I don’t know how your AD is setup so I can only guess based on your dns name of your domain controller.