How to set up Microsoft AD LDAP for FOG 1.5.0~
1 - Go to Fog Configuration > Fog Settings > Plugin System and check the box for “PLUGINSYS ENABLED”
2 - In the menu, you should now see a gear icon called “Plugins”
3 - Once on the Plugins page select “LDAP” then navigate to “Install plugins” then install the LDAP plugin. You should now see the LDAP plugin listed under “Installed Plugins”
4 - SSH to your FOG server and install the latest php-ldap module through your distro package manager
5 - In the menu, you should now see a key icon called “LDAP Servers”
6 - Click “Create New LDAP”
7 - Now for the fun part…
LDAP Connection Name - (This is whatever you want it to be… it’s just a name)
LDAP Server Description - (Again… whatever you want… it’s just a Description)
LDAP Server Address - MANDATORY - (The name of the server to check logins against)
LDAP Server Port - MANDATORY - (Pick 389 or 636 from the drop down… if you are not sure what one will work for you start with 389 or Google it)
Use Group Matching - recommended - (you are most likely going to want to leave this checked)
Search Base DN - MANDATORY - (This is the organizational unit within Active Directory where you would like to start your search for users)
Group Search DN - MANDATORY - (This is the organizational unit within Active Directory where you would like to start your search for Group Matching)
Admin Group - MANDATORY - (This is the name of the security/distribution group that admins need to be a part of in AD in order to log in with LDAP) Note: Just the group name… not the whole CN, as you already provided that information above.
Mobile Group - recommended - (You probably just want to make this the same as above unless you use this for things… idk)
Initial Template - (Since this tutorial is for Microsoft AD, let’s select Microsoft AD)
User Name Attribute - MANDATORY - (Not sure if the case is important for this setting within FOG, but for others I know it is… thus I changed the “User Name Attribute” from “samAccountName” to “sAMAccountName”)
Group Member Attribute - MANDATORY - (Default setting here is good - “member”)
Search Scope - (Depends on how your organizational units are set up within AD)
Bind DN - MANDATORY - (This is the full path to the location of the user account you will be using to talk with LDAP; this should start with “cn=”) (This user should have somewhat elevated permissions in AD, the level of which is at your discretion)
Bind Password - MANDATORY - (The password for the user account above)
Once done click “create”
8 - Read the “Some things to keep in mind” section below, then test logging into FOG with an AD account
Some things to keep in mind:
- The LDAP user you want to log in with should not already have a local account within FOG.
- Once you get it working, don’t just go and delete all your local FOG accounts… Leave one with a nice long and random password and keep that password somewhere safe. If the plugin stops working for some reason, it would be nice to still have access to your FOG server GUI without having to go and add a user into the database manually.
- Please, once it is working, use a test AD account (or create one) and make sure you did not just give every user in your AD the ability to log into your FOG server and image every computer.
- The Apache error log is a great tool to use when troubleshooting why your LDAP is not working on FOG
- Below is an example of LDAP settings within FOG
- As always, if you are not sure about something, feel free to ask the forums… That’s what they are there for
Disclaimer: All of the above information is a summary of my experience getting this plugin to work within our environment. I am only providing an example/tutorial. Please be careful with LDAP and TEST USER ACCESS as much as you can. Only you will be at fault if, for some unfortunate reason, someone that should not have access to your FOG server gets it and images all your computers.
With that said, I hope I have stressed the importance of securing your LDAP setting and this example/tutorial has helped you in some way…
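A pre-flight check from the FOG server's shell is a quick way to confirm the settings above before trusting the plugin with logins. This is an added example, not part of the tutorial or the FOG project: it uses OpenLDAP's ldapsearch with the same fields named above (host, port, Bind DN, Search Base DN, Group Search DN, Admin Group, User Name Attribute, Group Member Attribute; every value below is a placeholder to replace) to resolve a login through the Bind DN and then test whether that user is a direct member of the Admin Group, which is the "did I just let every AD user in" check the post asks you to make.

```shell
#!/usr/bin/env bash
# Pre-flight check of FOG LDAP plugin settings against Microsoft AD (added example).
# Every value below is an assumed placeholder, not from the tutorial; override via environment.
set -eu
LDAP_HOST="${LDAP_HOST:-dc01.example.corp}"          # LDAP Server Address
LDAP_PORT="${LDAP_PORT:-389}"                        # LDAP Server Port (389 or 636)
BIND_DN="${BIND_DN:-cn=fog-bind,ou=Service Accounts,dc=example,dc=corp}"  # Bind DN
BIND_PW_FILE="${BIND_PW_FILE:-/root/.fog-bind.pw}"   # Bind Password file: NO trailing newline, -y reads it verbatim
SEARCH_BASE="${SEARCH_BASE:-ou=Users,dc=example,dc=corp}"   # Search Base DN
GROUP_BASE="${GROUP_BASE:-ou=Groups,dc=example,dc=corp}"    # Group Search DN
ADMIN_GROUP="${ADMIN_GROUP:-FOG Admins}"             # Admin Group (name only, not a DN)
USER_ATTR="${USER_ATTR:-sAMAccountName}"             # User Name Attribute
MEMBER_ATTR="${MEMBER_ATTR:-member}"                 # Group Member Attribute

# Escape RFC 4515 filter metacharacters so a typed login name cannot rewrite the filter.
ldap_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Filter that resolves one login name to a user object via the configured attribute.
build_user_filter() { printf '(&(objectClass=user)(%s=%s))' "$USER_ATTR" "$(ldap_escape "$1")"; }

# Filter that matches the admin group only if the given user DN is a direct member of it.
build_group_filter() { printf '(&(cn=%s)(%s=%s))' "$ADMIN_GROUP" "$MEMBER_ATTR" "$(ldap_escape "$1")"; }

# Scheme follows the port drop-down: 636 is LDAPS, anything else plain LDAP.
ldap_uri() { case "$1" in 636) printf 'ldaps://%s:636' "$LDAP_HOST" ;; *) printf 'ldap://%s:%s' "$LDAP_HOST" "$1" ;; esac; }

# Performs the two lookups the plugin depends on: bind + find the user, then test group membership.
verify_login() {
  uri=$(ldap_uri "$LDAP_PORT")
  # A failed bind (wrong Bind DN, password or port) is reported here, not as "user not found".
  out=$(ldapsearch -LLL -x -o ldif-wrap=no -H "$uri" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$SEARCH_BASE" -s sub "$(build_user_filter "$1")" dn) || { echo "ERROR: bind/search failed against $uri"; return 1; }
  user_dn=$(printf '%s\n' "$out" | sed -n 's/^dn: //p' | head -n 1)
  if [ -z "$user_dn" ]; then
    echo "DENY: no object with $USER_ATTR=$1 under $SEARCH_BASE (check Search Base DN and scope)"; return 1
  fi
  if ldapsearch -LLL -x -o ldif-wrap=no -H "$uri" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$GROUP_BASE" -s sub "$(build_group_filter "$user_dn")" dn | grep -q '^dn: '; then
    echo "ALLOW: $user_dn is a member of '$ADMIN_GROUP'"
  else
    echo "DENY: $user_dn is not a member of '$ADMIN_GROUP'"; return 2
  fi
}

# Usage: ./fog-ldap-check.sh <login>  (run once with an admin and once with an ordinary user)
if [ $# -gt 0 ]; then verify_login "$1"; fi
```

Run it for an account that should get in and for one that should not; only the first should print ALLOW. On port 389 the simple bind sends the password unencrypted, so prefer 636 or add `-ZZ` (StartTLS) to both ldapsearch calls if the domain controller supports it.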
Very nice, thank you for documenting this.
Wow this is awesome! #wiki worthy
I hope to create some more documentation as I have some time. Would love to help with anything I can, just let me know.
@m144 Oh there is lots to do - but a great majority of the documentation tasks that need to be done are repetitive and are not very creative tasks. Maybe a year ago, a few people set out to rewrite the entire wiki using reStructuredText and put it under revision control in GitHub. We have some awesome plans created and an outline produced, but it never went further. We need tutorial videos on simple things - like capturing an image, deploying an image, deploying a snapin. Basic snapin building tutorials. Printer management tutorials. Storage node setup tutorials, image sharing across groups… You get the idea? Basically everything lol. Any documentation or tutorials greatly help.
@wayne-workman Sounds good… I’ll see what I can do when I find some free time.