FOG LDAP plugin

fry_p · Jun 12, 2018, 11:52 PM

FOG 1.5.4
Centos 7

As a security/accountability measure, we would like to incorporate LDAP/AD Authentication to the FOG GUI. I am having a hard time getting it to work. Besides filling out the LDAP setup, is there another step to allow LDAP authentication?

Please see below for a sanitized version of what my LDAP setup looks like.

As always, thanks for the help!

JGallo · Jun 13, 2018, 1:19 PM

Have you tried port 389 for LDAP Server Port?

fry_p · Jun 13, 2018, 1:42 PM

@JGallo Yes, sorry I forgot to mention that. My colleague mentioned the 636 is the one he wants me to use, but I did try both.

Fernando Gietz · Jun 13, 2018, 3:13 PM

I use the LDAP plugin without problems.
The Bind DN filed, is correct? you need setup it with the user which have permissions to read the LDAP server

fry_p · Jun 13, 2018, 3:58 PM

@fernando-gietz Does the built in Domain Admin have such permissions? That’s the account I am using.

Fernando Gietz · Jun 13, 2018, 4:43 PM

@fry_p said in FOG LDAP plugin:

Does the built in Domain Admin have such permissions? That’s the account I am using.

The user that I use in the plugin only has read permissions.
In the Bind DN field I only write the username and not cn=xxx,ou=yyy,dc=zzz

Tom Elliott · Jun 13, 2018, 4:48 PM

@fernando-gietz I believe you need the full DN for the field, but I don’t think you need the OU itself.

So you could do:
cn={username},dc={domain},dc={org,com,net}

Fernando Gietz · Jun 13, 2018, 4:49 PM

@tom-elliott In my case I config the Bind DN as {username}.

Tom Elliott · Jun 13, 2018, 4:49 PM

@fernando-gietz You’re using openldap correct?

Fernando Gietz · Jun 13, 2018, 4:50 PM

Jajaja I think so.

Fernando Gietz · Jun 13, 2018, 4:55 PM

fry_p · Jun 13, 2018, 6:33 PM

@fernando-gietz I believe I have successfully bound. However, when I try to log in as myself, I see the below error in /var/log/php-fpm/www-error.log

I believe the issue is in my search dn.

I am trying to log in as fry_p. I am a member of the security group “fogusers” in AD. It can be found here:
CN=fogusers,OU=Security Groups,OU=Domain Users,DC=domainhere,DC=org

fry_p is a member of this group.

Fernando Gietz · Jun 15, 2018, 5:01 PM

Maybe, the blank space in the OUs?

fry_p · Jun 15, 2018, 5:01 PM

@fernando-gietz Is there a different way in the DN language to designate spaces? I tried single and double quotes but it didn’t stick. In the actual AD structure (much to my chagrin) there are spaces.

fry_p · Jun 15, 2018, 5:44 PM

@fernando-gietz I feel foolish now. This taught me the lesson that I shouldn’t change multiple variables when trying to troubleshoot an issue.

Here is a screen shot of my working config:

I think I had an incorrect group search DN set. When I put the correct DN I also messed around with the Group Member Attribute. I changed it back to sAMAccountName and presto! Thanks for everything boys!

FOG LDAP plugin

197

12.0k

17.3k

155.2k