LDAP Plugins on FOG 1.5.0
-
Hello,
Thanks for your answers !
@Fernando-Gietz said in LDAP Plugins on FOG 1.5.0:
When you close the session in the WEBUI, the plugin erases the user entry from the users table. Only the entries with uType = 990, 991 are erased, not the local users.That’s what I thought … but it does not work, the user is not removed from the Users table when disconnecting (properly) and that’s why the account can still connect even after removing the group
For trying, i have uninstall LDAP Plugins and update php5-ldap (root@server:~# apt-get install php5-ldap )
And reinstall et re test plugin:- My users is on the FOG_Admin group,
- Login into FOG with mail AD attribute => OK, it’s work
- Look into the DB with an “select * from users;” and my AD user is in the table => OK (uType 990)
- Disconnect properly with “Logout” into FOG WEBUI => OK
- Re-Look immediately after into the DB with “select * from users;” and my AD users is always in the Users table (not deleted as you say)
- I suppress my AD account to the FOG_Admin group
- I retry connection with my AD account and I can always connect to FOG WEBUI.
- I uninstall LDAP Plugin
- I look into the DB users tables, my AD user is delete (now just FOG local user is in the User table)
- I try to login into FOG, and now it’s OK, i can’t connect to FOG with AD account because my plugins is uninstall.
I confirm once again, when i Uninstall plugins, the LDAPServer table is well delete and all users (where uType=990/991) is deleted from the Users table.
But … AD Users is not delete of the Users table when you logout properly
Any idea ?
Thanks all !
-
@steuve68 originally the plugin did delete users on logout. Though that functionality was removed as it added a lot of overhead. I don’t know if this was fixed for 1.5, though.
The ldap plugin used to delete 99x users on logout/login attempts for the reasons you’ve pointed out. As it caused a lot more overhead I made it stop doing this. I believe 1,5 works properly even without removing these users though.
The reason logging in with email doesn’t work is because usernames usually work in a domain\user or user@domain. For email this works fine, for domain there’s no way to interprete at the domain level. You might try logging in with email ima Windows machine to prove the point. The domain login will change to whatever is after your @ symbol.
-
@Tom-Elliott Thanks for answers !
Effectivly, after more test, the plugins LDAP in FOG 1.5.0 (Official … not in RC) don’t delete users AD in Users table.
That’s why if we delete my users of the FOG_Admin group it can always login.I do not really understand how synchronization works, because if I change to test the password in AD of a user who is already in the Users table, the plugin manages to update it in the SQL table and connect with the new password work fine … this proves that a synchronization is done “correctly”.
but when deleting the user in the group he can not do it … synchro. is not good.For login with the “mail” AD attribut it’s work only if i change regex into the 2 files:
lib/fog/user.class.php
lib/plugins/ldap/class/ldap.class.phpIf i don’t change that, login with the mail Attribut don’t work.
I need login with mail AD attribut, because in my institution all application linked with AD or LDAP (with CAS authentication) use the mail for login.
The sAMAccountName is just the “registration number” and not very friendly for users.
All my computer client linked into my ad domain login with adress mail.Thanks a lot for your help
-
I only dug into the source a little bit, but I’ve noticed a couple problems with the way the LDAP plugin works. Initially I was trying to test removal of my account from the “Admin Group” but since I had logged in successfully while I was still a member of the group, I was still granted access to the dashboard. The error log reported that I should not have been allowed access, but I was still able to log in.
Additionally, after changing my password in Active Directory, I was still able to log in with my old password.
In either of these cases, removing access for a user who has previously logged in, would require manually removing their account from the database.
-
@steuve68 What I’m saying is, while you’ve made a workaround, this is not a “normal” behaviour.
The idea of using email in any username dealing with AD logins just will not work, normally. I’m not saying you didn’t find a way to do it. When windows logs in, if you add the @<domain.com> it changes the domain it will be logging in to.
By allowing “email” login, as you’re doing it, could cause unexpected things to occur.
-
@nextechinc If you have any suggestions on how to fix, or where the problems are occurring, please let me know. I don’t have an AD server anymore, (though I could set one up), and am working on other things. While I’m sure I could get to fixing this, if you already noticed it, any help would be greatly appreciated.
-
We could possibly do a .sql script that removes AD users from the Users table, for example:
mysql> use fog; mysql> delete from users where uType = '990' or uType = '991';
We could put it in a crontab and run it at regular intervals
It’s probably a little oldschool but it could work no?
-
@steuve68 we used to do that verything. On every login remove all ldap users. We removed that functionality to limit read / write cycles. While I understand this is a very simple method to get the same action you’re expecting, I think we can actually do it without removing the users. I just time to review.
-
@steuve68 and a cleaner SQL might be:
Delete from users where uType in ('990','991');
-
@tom-elliott yes thanks ! i’m not very very good in sql !
I can try to put this request to logout WEBUI pending a better solution…
In which file could I make this change for try ?Thank you !
-
So I took a little time today to try to see what was happening. I’m happy to report, at least based on how I could test, that I believe I found a solution.
Please, if either of you could be so kind, install the working-1.5.1 branch of FOG? This should contain the fix for ldap users and authentication without having to delete the users from the database every iteration.
-
@tom-elliott Hello,
So, i have try to working 1-5-1
FOG 1.5.0.16Globally it’s OK, it’s works fine !
When i deleted one user of the FOG_Admin group it cannot acces to WEBUI FOG ! (and not deleted to Users table in SQL)
When i change password of one AD users (into group FOG_Admin) it cannot acces to WEBUI with old password => Work fine with the new passwordI have look 2 “problems” (not verify important but … it might be interesting)
- The news LDAP Plugins don’t work with group nesting (a group into a group) per example:
if i add into FOG_Admin just another group (IT_Services per example) with IT services members, no members can acces to WEBUI FOG. If i add individualy user into FOG_Admin, it’s work !
- If i delete one user into FOG_Admin, he can still log in just once. The second time he can not anymore. Synchronization is ok
Not really really bad but it could be points for improvement
in any case, A BIG THANK YOU
-
@steuve68 One other test you should check, is if the FOG Admin changes his/her password. Is that password change seen immediatly by the fog server? I’m only suggesting this based on your #2 point of the one shot after the admin has been removed.
-
@george1421 Yes, if i change password of one user into FOG_Admin, It change immediatly for connect to FOG WEBUI.