FOG Project

    Solved LDAP Plugins on FOG 1.5.0

    FOG Problems
    • S
      Steuve68 last edited by Sebastian Roth

      Hello All,

      In my production environment I currently use FOG 1.4.4 (works fine).
      For testing I have installed FOG 1.5.0 on Debian 8.4 Jessie.

      I have a question about the LDAP plugin:

      I have linked my FOG dev server with my Active Directory.
      I tested authentication with the sAMAccountName; that’s OK, it works fine.
      My account is in the AD group “FOG_Admin”.

      But … when I remove my account from the “FOG_Admin” group, I can still log on to FOG …
      I think that’s maybe a problem?

      I looked in the database at the users table, and my account is still in the table:

      mysql> select * from users;
      +-----+----------+-----------+---------------------+-----------+-------+----------+-----------+-----------+
      | uId | uName    | uPass     | uCreateDate         | uCreateBy | uType | uDisplay | uAllowAPI | uAPIToken |
      +-----+----------+-----------+---------------------+-----------+-------+----------+-----------+-----------+
      |   1 | fog      | encrypted | 2017-01-04 12:48:48 | fog       |     0 |          | 1         |           |
      |   2 | FLSH     | encrypted | 2016-04-27 10:50:55 | fog       |     0 |          | 1         |           |
      |   7 | p1000261 | encrypted | 2018-02-28 14:44:22 | fog       |   990 |          |           |           |
      +-----+----------+-----------+---------------------+-----------+-------+----------+-----------+-----------+
      3 rows in set (0.00 sec)
      

      uId 7 with uName (p1000261) is my AD account.

      Can’t the LDAP plugin read and update the “users” table in SQL automatically (in real time)?

      I found that to remove AD users from the database you have to uninstall and reinstall the LDAP plugin.

      (or then do it from the command line in the db directly)

      Another question: can I use another Active Directory attribute (not the sAMAccountName) but the “mail” attribute?
      I have tested it, but it is not working.

      Thanks for all answers.

      (sorry for my English, I’m French)

      • S
        Steuve68 @george1421 last edited by

        @george1421 Yes, if I change the password of one user in FOG_Admin, it changes immediately for connecting to the FOG web UI. 🙂

        • george1421
          george1421 Moderator @Steuve68 last edited by

          @steuve68 One other test you should check is if the FOG admin changes his/her password. Is that password change seen immediately by the fog server? I’m only suggesting this based on your #2 point of the one shot after the admin has been removed.

          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

          • S
            Steuve68 @Tom Elliott last edited by

            @tom-elliott Hello,

            So, I have tried working-1.5.1
            FOG 1.5.0.16

            Globally it’s OK, it works fine 🙂!
            When I delete one user from the FOG_Admin group he cannot access the FOG web UI! (and is not deleted from the Users table in SQL)
            When I change the password of one AD user (in the FOG_Admin group) he cannot access the web UI with the old password => works fine with the new password 🙂

            I have seen 2 “problems” (not very important but … it might be interesting)

            1. The new LDAP plugin doesn’t work with group nesting (a group inside a group), for example:

            if I add into FOG_Admin just another group (IT_Services for example) with IT services members, no members can access the FOG web UI. If I add users individually into FOG_Admin, it works!

            2. If I delete one user from FOG_Admin, he can still log in just once. The second time he cannot anymore. Synchronization is OK

            Not really really bad but they could be points for improvement

            In any case, A BIG THANK YOU 🙂

            • Tom Elliott
              Tom Elliott last edited by

              So I took a little time today to try to see what was happening. I’m happy to report, at least based on how I could test, that I believe I found a solution.

              Please, if either of you could be so kind, install the working-1.5.1 branch of FOG? This should contain the fix for ldap users and authentication without having to delete the users from the database every iteration.

              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

              Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

              Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

              • S
                Steuve68 @Tom Elliott last edited by

                @tom-elliott yes, thanks! I’m not very very good in SQL 😉!

                I can try to put this request to log out of the web UI pending a better solution…
                In which file could I make this change to try?

                Thank you ! 🙂

                • Tom Elliott
                  Tom Elliott @Steuve68 last edited by Tom Elliott

                  @steuve68 and a cleaner SQL might be:

                  Delete from users where uType in ('990','991');
                  

                  • Tom Elliott
                    Tom Elliott @Steuve68 last edited by

                    @steuve68 we used to do that very thing. On every login remove all ldap users. We removed that functionality to limit read/write cycles. While I understand this is a very simple method to get the same action you’re expecting, I think we can actually do it without removing the users. I just need time to review.

                    • S
                      Steuve68 last edited by

                      We could possibly do a .sql script that removes AD users from the Users table, for example:

                      mysql> use fog;
                      mysql> delete from users where uType = '990' or uType = '991';
                      

                      We could put it in a crontab and run it at regular intervals.

                      It’s probably a little old school but it could work, no? 🙂

                      • Tom Elliott
                        Tom Elliott @nextechinc last edited by

                        @nextechinc If you have any suggestions on how to fix, or where the problems are occurring, please let me know. I don’t have an AD server anymore, (though I could set one up), and am working on other things. While I’m sure I could get to fixing this, if you already noticed it, any help would be greatly appreciated.

                        • Tom Elliott
                          Tom Elliott @Steuve68 last edited by

                          @steuve68 What I’m saying is, while you’ve made a workaround, this is not a “normal” behaviour.

                          The idea of using email in any username dealing with AD logins just will not work, normally. I’m not saying you didn’t find a way to do it. When windows logs in, if you add the @<domain.com> it changes the domain it will be logging in to.

                          Allowing “email” login, as you’re doing it, could cause unexpected things to occur.

                          • N
                            nextechinc @Tom Elliott last edited by

                            @tom-elliott

                            I only dug into the source a little bit, but I’ve noticed a couple problems with the way the LDAP plugin works. Initially I was trying to test removal of my account from the “Admin Group” but since I had logged in successfully while I was still a member of the group, I was still granted access to the dashboard. The error log reported that I should not have been allowed access, but I was still able to log in.

                            Additionally, after changing my password in Active Directory, I was still able to log in with my old password.

                            In either of these cases, removing access for a user who has previously logged in would require manually removing their account from the database.

                            • S
                              Steuve68 last edited by

                              @Tom-Elliott Thanks for answers !

                              Effectively, after more tests, the LDAP plugin in FOG 1.5.0 (official … not the RC) doesn’t delete AD users from the Users table.
                              That’s why if we delete my user from the FOG_Admin group he can still log in.

                              I do not really understand how synchronization works, because if, to test, I change the AD password of a user who is already in the Users table, the plugin manages to update it in the SQL table and connecting with the new password works fine … this proves that a synchronization is done “correctly”.
                              But when deleting the user from the group it cannot do it … the synchro. is not good.

                              For login with the “mail” AD attribute it works only if I change the regex in the 2 files:
                              lib/fog/user.class.php
                              lib/plugins/ldap/class/ldap.class.php

                              If I don’t change that, login with the mail attribute doesn’t work.

                              I need to log in with the mail AD attribute, because in my institution all applications linked with AD or LDAP (with CAS authentication) use the mail for login.
                              The sAMAccountName is just the “registration number” and not very friendly for users.
                              All my client computers joined to my AD domain log in with the mail address.

                              Thanks a lot for your help 🙂

                              • Tom Elliott
                                Tom Elliott @Steuve68 last edited by

                                @steuve68 originally the plugin did delete users on logout. Though that functionality was removed as it added a lot of overhead. I don’t know if this was fixed for 1.5, though.

                                The ldap plugin used to delete 99x users on logout/login attempts for the reasons you’ve pointed out. As it caused a lot more overhead I made it stop doing this. I believe 1.5 works properly even without removing these users though.

                                The reason logging in with email doesn’t work is because usernames usually work as domain\user or user@domain. For email this works fine, for domain there’s no way to interpret at the domain level. You might try logging in with email on a Windows machine to prove the point. The domain login will change to whatever is after your @ symbol.

                                • S
                                  Steuve68 @Fernando Gietz last edited by Steuve68

                                  @fernando-gietz

                                  Hello,

                                  Thanks for your answers ! 🙂

                                  @Fernando-Gietz said in LDAP Plugins on FOG 1.5.0:
                                  When you close the session in the WEBUI, the plugin erases the user entry from the users table. Only the entries with uType = 990, 991 are erased, not the local users.

                                  That’s what I thought … but it does not work, the user is not removed from the Users table when disconnecting (properly) and that’s why the account can still connect even after being removed from the group.

                                  To try, I have uninstalled the LDAP plugin and updated php5-ldap (root@server:~# apt-get install php5-ldap)
                                  and reinstalled and re-tested the plugin:

                                  1. My user is in the FOG_Admin group,
                                  2. Log in to FOG with the mail AD attribute => OK, it works
                                  3. Look into the DB with a “select * from users;” and my AD user is in the table => OK (uType 990)
                                  4. Disconnect properly with “Logout” in the FOG web UI => OK
                                  5. Look again immediately afterwards into the DB with “select * from users;” and my AD user is still in the Users table (not deleted as you say)
                                  6. I remove my AD account from the FOG_Admin group
                                  7. I retry the connection with my AD account and I can still connect to the FOG web UI.
                                  8. I uninstall the LDAP plugin
                                  9. I look into the DB users table, my AD user is deleted (now just the FOG local users are in the Users table)
                                  10. I try to log in to FOG, and now it’s OK, I can’t connect to FOG with the AD account because the plugin is uninstalled.

                                  I confirm once again: when I uninstall the plugin, the LDAPServer table is deleted and all users (where uType=990/991) are deleted from the Users table.

                                  But … AD users are not deleted from the Users table when you log out properly

                                  Any idea ?

                                  Thanks all !

                                  • F
                                    Fernando Gietz Developer last edited by

                                    More info about the LDAP Plugin and FOG 1.5.0:

                                    How to setup Microsoft AD LDAP for FOG 1.5.0~
                                    https://forums.fogproject.org/topic/11531/how-to-setup-microsoft-ad-ldap-for-fog-1-5-0

                                    • F
                                      Fernando Gietz Developer @Steuve68 last edited by Fernando Gietz

                                      I can try to explain to you how the plugin works 🙂

                                      In FOG there is the users table. This table saves the information of the local users. You can create as many users as you need (username, password, …) but these users are “local”, they only exist in the fog database. To these users you can assign one of two roles: Administrator or mobile. If administrator, then the uType value is 0 (see the fog user entry in the table). If the user is mobile, then the uType is 1.

                                      Well, when you install the LDAP plugin, the script creates a table in the database, LDAPServers. This table has all the info of the authentication servers (AD servers or LDAP servers). This plugin doesn’t update the users table.

                                      How does the plugin work?
                                      Once you have set up the LDAP servers and you log on to the web UI, the plugin checks the username and the password against the authentication servers (AD or LDAP); if the credentials are OK, then the plugin creates an entry in the database with the name, password (encrypted) and uType. If the user belongs to the Admin group, then the uType is 990 (take note that the local admin users are 0) and if the user belongs to the mobile group, then the uType is 991 (the mobile local users are 1).

                                      When you close the session in the web UI, the plugin erases the user entry from the users table. Only the entries with uType = 990, 991 are erased, not the local users.

                                      @steuve68 said in LDAP Plugins on FOG 1.5.0:

                                      The LDAP Plugins can’t read and update automatically (on real time) the “users” table on SQL ?
                                      I found that to remove AD users from the database you have to uninstall and reinstall the LDAP plugins.

                                      When you uninstall the plugin, you delete only the LDAPServers table (I am not very sure, but the uninstall script doesn’t delete the 990 and 991 users from the users table). When you reinstall the plugin, you only create the LDAPServers table.
                                      The plugin makes a “passive” sync with the authentication server. If you add a user to the admin group in the AD, when the user logs on, the uType will be 990 (admin). If, now, you delete the user from the admin group in the AD, the user cannot access FOG.
                                      If you don’t close the FOG session correctly (from the logoff button, and not by closing the window with the X), then the user is not deleted from the database.

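The mechanism Fernando Gietz describes above (a users-table row created on login with uType 990/991 and only dropped on a clean logout) and the two symptoms nextechinc and Steuve68 report (a user removed from FOG_Admin still logs in; an old password still works) can be modelled in a few lines. The following is an added example, not FOG's own code: the dictionaries stand in for Active Directory and for the MySQL users table, the password "hash" is a placeholder, and all function names are hypothetical. It contrasts a login that trusts the cached row with one that re-validates LDAP-sourced identities against the directory on every login.

```python
"""Model of the FOG LDAP plugin login/logout flow as described in the thread.
Added example, not FOG code: in-memory stand-ins for AD and the users table."""

# uType values as stated in the thread
UTYPE_LOCAL_ADMIN = 0
UTYPE_LOCAL_MOBILE = 1
UTYPE_LDAP_ADMIN = 990
UTYPE_LDAP_MOBILE = 991

ADMIN_GROUP = "FOG_Admin"
MOBILE_GROUP = "FOG_Mobile"   # assumed name for the mobile group

# Constructed directory: uName -> [password, set of group names]
DIRECTORY = {
    "p1000261": ["Winter2018!", {ADMIN_GROUP}],
    "m2000999": ["Spring2018!", {MOBILE_GROUP}],
}


def fake_hash(password):
    """Placeholder for the plugin's password hashing; not a real hash."""
    return "h:" + password[::-1]


class UsersTable:
    """Stand-in for FOG's users table, keyed by uName, seeded with the local
    'fog' admin (uType 0) like the table dumps in the thread."""

    def __init__(self):
        self.rows = {"fog": {"uPass": fake_hash("local-secret"), "uType": UTYPE_LOCAL_ADMIN}}

    def upsert(self, name, pw_hash, utype):
        self.rows[name] = {"uPass": pw_hash, "uType": utype}

    def purge_ldap_users(self):
        """What a clean logout (or the thread's cron/SQL workaround) does:
        drop only the 990/991 rows, never the local users."""
        for name in [n for n, r in self.rows.items()
                     if r["uType"] in (UTYPE_LDAP_ADMIN, UTYPE_LDAP_MOBILE)]:
            del self.rows[name]


def directory_bind(name, password):
    """Simulated bind plus group lookup: the uType the directory grants now,
    or None when the password is wrong or the user is in neither group."""
    entry = DIRECTORY.get(name)
    if entry is None or entry[0] != password:
        return None
    if ADMIN_GROUP in entry[1]:
        return UTYPE_LDAP_ADMIN
    if MOBILE_GROUP in entry[1]:
        return UTYPE_LDAP_MOBILE
    return None


def login_cached_first(table, name, password):
    """Trusts an existing users-table row before asking the directory. Without a
    clean logout the row survives, reproducing both symptoms from the thread."""
    row = table.rows.get(name)
    if row is not None and row["uPass"] == fake_hash(password):
        return row["uType"]
    utype = directory_bind(name, password)
    if utype is not None:
        table.upsert(name, fake_hash(password), utype)
    return utype


def login_directory_first(table, name, password):
    """Hardened variant: only local rows (uType 0/1) authenticate from the table;
    LDAP-sourced identities are re-validated on every login and a row that no
    longer validates is removed, so the row is only a cache."""
    row = table.rows.get(name)
    if row is not None and row["uType"] in (UTYPE_LOCAL_ADMIN, UTYPE_LOCAL_MOBILE):
        return row["uType"] if row["uPass"] == fake_hash(password) else None
    utype = directory_bind(name, password)
    if utype is None:
        table.rows.pop(name, None)   # stale cache must not outlive group membership
        return None
    table.upsert(name, fake_hash(password), utype)
    return utype


def removed_from_group(login):
    """Log in, get removed from FOG_Admin in AD without logging out of FOG, log in
    again. Returns (first uType, second uType, row still present)."""
    table = UsersTable()
    first = login(table, "p1000261", "Winter2018!")
    DIRECTORY["p1000261"][1] = set()
    second = login(table, "p1000261", "Winter2018!")
    DIRECTORY["p1000261"][1] = {ADMIN_GROUP}      # restore for further runs
    return first, second, "p1000261" in table.rows


def password_changed(login):
    """Log in, change the AD password without logging out, retry the old one."""
    table = UsersTable()
    first = login(table, "p1000261", "Winter2018!")
    DIRECTORY["p1000261"][0] = "Summer2018!"
    old_still_works = login(table, "p1000261", "Winter2018!")
    DIRECTORY["p1000261"][0] = "Winter2018!"      # restore for further runs
    return first, old_still_works


if __name__ == "__main__":
    print("cached-first   :", removed_from_group(login_cached_first), password_changed(login_cached_first))
    print("directory-first:", removed_from_group(login_directory_first), password_changed(login_directory_first))
```

With the cached-first login the removed user gets 990 both times and the old password keeps working; with the directory-first login the second attempt returns None and the stale row is gone, which is the behaviour the thread's cron/SQL cleanup only approximates between runs.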
                                      • S
                                        Steuve68 last edited by Sebastian Roth

                                        So … OK for login with the AD “mail” attribute.
                                        I have made 3 changes in:

                                        File: lib/fog/user.class.php

                                        Line 134
                                        Replace this regex:

                                        134             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[.]?[\w0-9]+$/i',
                                        

                                        with

                                        134             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[@]?[\w0-9]*[.]?[\w0-9]+$/i',
                                        

                                        Line 218
                                        Replace this regex:

                                        218             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[.]?[\w0-9]+$/i',
                                        

                                        with

                                        218             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[@]?[\w0-9]*[.]?[\w0-9]+$/i',
                                        

                                        and in

                                        File: lib/plugins/ldap/class/ldap.class.php

                                        Line 258
                                        Replace this regex:

                                        258             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[.]?[\w0-9]+$/i',
                                        

                                        with

                                        258             '/(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*[@]?[\w0-9]*[.]?[\w0-9]+$/i',
                                        

                                        and to verify, I look into the DB:

                                        mysql> select * from users;
                                        +-----+-----------------------+------------+---------------------+-----------+-------+----------+-----------+-----------+
                                        | uId | uName                 | uPass      | uCreateDate         | uCreateBy | uType | uDisplay | uAllowAPI | uAPIToken |
                                        +-----+-----------------------+------------+---------------------+-----------+-------+----------+-----------+-----------+
                                        |   1 | fog                   | encrypted  | 2017-01-04 12:48:48 | fog       |     0 |          | 1         |           |
                                        |   2 | FLSH                  | encrypted  | 2016-04-27 10:50:55 | fog       |     0 |          | 1         |           |
                                        |  21 | fabien.test@test.fr   | encrypted  | 2018-03-07 07:52:52 | fog       |   990 |          |           |           |
                                        |  20 | steve.test@test.fr    | encrypted  | 2018-03-06 08:37:32 | fog       |   990 |          |           |           |
                                        +-----+-----------------------+------------+---------------------+-----------+-------+----------+-----------+-----------+
                                        4 rows in set (0.00 sec)
                                        

                                        But still the same problem when I delete my user from my FOG_Admin (AD group) … the deleted user can still log in to FOG … the database doesn’t update.

                                        Thanks

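To see exactly which login names the regex change above admits, the two patterns can be run side by side. This is an added example, not FOG code: the patterns are copied from the post, the sample names are constructed, and `username_allowed`, `compare` and `newly_accepted` are hypothetical helpers. It shows that the only widening is a single `@` followed by a dotted suffix, which is the form Tom Elliott warns about, since Windows treats whatever follows `@` as the logon domain.

```python
import re

# The two patterns from the post, in Python's re (same PCRE-style syntax).
# re.ASCII keeps \w at [A-Za-z0-9_], as PHP's preg does without the /u modifier.
ORIGINAL = r'(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[.]?[\w0-9]+$'
MODIFIED = (r'(?=^.{3,40}$)^[\w][\w0-9]*[._-]?[\w0-9]*[._-]?[\w0-9]*'
            r'[._-]?[\w0-9]*[@]?[\w0-9]*[.]?[\w0-9]+$')
FLAGS = re.IGNORECASE | re.ASCII


def username_allowed(name, pattern):
    """True when the whole name matches (the patterns anchor themselves with ^ and $)."""
    return re.match(pattern, name, FLAGS) is not None


def compare(names):
    """Map each name to (accepted by ORIGINAL, accepted by MODIFIED)."""
    return {n: (username_allowed(n, ORIGINAL), username_allowed(n, MODIFIED)) for n in names}


def newly_accepted(names):
    """Names the modified pattern admits that the original refused: the exact
    widening of the login-name space the change introduces."""
    return [n for n, (before, after) in compare(names).items() if after and not before]


# Constructed samples: sAMAccountName-style, mail-style and malformed inputs.
SAMPLES = [
    "p1000261",            # sAMAccountName as in the thread's table dump
    "steve.test@test.fr",  # mail-style name from the post-change table dump
    "first.last",
    "user@domain",
    "user@",               # dangling @
    "@domain",             # must start with a word character
    "user@@domain",        # only one @ is permitted by the new pattern
    "ab",                  # shorter than the 3-character minimum
    r"DOMAIN\user",        # down-level logon form; neither pattern accepts it
]

if __name__ == "__main__":
    for name, (before, after) in compare(SAMPLES).items():
        print(f"{name:22} original={before!s:5} modified={after!s:5}")
    print("newly accepted:", newly_accepted(SAMPLES))
```

Note that the patterns are client-side format checks only; whether `steve.test@test.fr` then binds as intended depends on how the directory interprets the `@` suffix, which is the point made earlier in the thread.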
                                        • S
                                          Steuve68 last edited by

                                          … For my 2nd question (use another AD attribute) …
                                          I have tested with the AD attributes “sn” and “givenName” … they work fine.

                                          I think the “mail” AD attribute won’t work because FOG does not allow @ in login names.
                                          Can I modify that somewhere to test?

                                          Thanks

                                          Copyright © 2012-2020 FOG Project