LDAP Plugins on FOG 1.5.0
I only dug into the source a little bit, but I’ve noticed a couple problems with the way the LDAP plugin works. Initially I was trying to test removal of my account from the “Admin Group” but since I had logged in successfully while I was still a member of the group, I was still granted access to the dashboard. The error log reported that I should not have been allowed access, but I was still able to log in.
Additionally, after changing my password in Active Directory, I was still able to log in with my old password.
In either of these cases, removing access for a user who has previously logged in, would require manually removing their account from the database.
@steuve68 What I’m saying is, while you’ve made a workaround, this is not a “normal” behaviour.
The idea of using email in any username dealing with AD logins just will not work, normally. I’m not saying you didn’t find a way to do it. When windows logs in, if you add the @<domain.com> it changes the domain it will be logging in to.
By allowing “email” login, as you’re doing it, could cause unexpected things to occur.
@nextechinc If you have any suggestions on how to fix, or where the problems are occurring, please let me know. I don’t have an AD server anymore, (though I could set one up), and am working on other things. While I’m sure I could get to fixing this, if you already noticed it, any help would be greatly appreciated.
We could possibly do a .sql script that removes AD users from the Users table, for example:
mysql> use fog; mysql> delete from users where uType = '990' or uType = '991';
We could put it in a crontab and run it at regular intervals
It’s probably a little oldschool but it could work no?
@steuve68 we used to do that verything. On every login remove all ldap users. We removed that functionality to limit read / write cycles. While I understand this is a very simple method to get the same action you’re expecting, I think we can actually do it without removing the users. I just time to review.
@steuve68 and a cleaner SQL might be:
Delete from users where uType in ('990','991');
@tom-elliott yes thanks ! i’m not very very good in sql
I can try to put this request to logout WEBUI pending a better solution…
In which file could I make this change for try ?Thank you !
So I took a little time today to try to see what was happening. I’m happy to report, at least based on how I could test, that I believe I found a solution.
Please, if either of you could be so kind, install the working-1.5.1 branch of FOG? This should contain the fix for ldap users and authentication without having to delete the users from the database every iteration.
@tom-elliott Hello,
So, i have try to working 1-5-1
FOG it’s OK, it’s works fine
When i deleted one user of the FOG_Admin group it cannot acces to WEBUI FOG ! (and not deleted to Users table in SQL)
When i change password of one AD users (into group FOG_Admin) it cannot acces to WEBUI with old password => Work fine with the new passwordI have look 2 “problems” (not verify important but … it might be interesting)
- The news LDAP Plugins don’t work with group nesting (a group into a group) per example:
if i add into FOG_Admin just another group (IT_Services per example) with IT services members, no members can acces to WEBUI FOG. If i add individualy user into FOG_Admin, it’s work !
- If i delete one user into FOG_Admin, he can still log in just once. The second time he can not anymore. Synchronization is ok
Not really really bad but it could be points for improvement
in any case, A BIG THANK YOU
@steuve68 One other test you should check, is if the FOG Admin changes his/her password. Is that password change seen immediatly by the fog server? I’m only suggesting this based on your #2 point of the one shot after the admin has been removed.
@george1421 Yes, if i change password of one user into FOG_Admin, It change immediatly for connect to FOG WEBUI.