LDAP Plugin with openLDAP

antonionardella

Hello,

first post here.

I am testing the FOG and openLDAP integration on one of my systems and have an issue with the filters.

Server

FOG Version: 1.5.5
OS: Debian 9

Client

Service Version:
OS: N/A

Description
I’ve added and setup the LDAP plugin, following different posts on the forums. So far I have found only M$ Active Directory configurations and I am not sure what is different with openLDAP.

• The openLDAP user is named: dsptest
• The openLDAP group is names: dsp

Here the sanitized ldapsearch result to have more information about the user dsptest with this query ldapsearch -x -D “uid=admin,ou=users,dc=example,dc=com” -W -H ldap://<IPADDRESS> -b “dc=example,dc=com” -s sub

# dsptest, Users, example.com
dn: uid=dsptest,ou=Users,dc=example,dc=com
sambaPwdCanChange: 0
uid: dsptest
sambaLogoffTime: 2147483647
givenName: dsptest
loginShell: /bin/bash
sambaAcctFlags: [UX]
uidNumber: 10001
sambaKickoffTime: 2147483647
objectClass: posixAccount
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: person
gecos: I am a DSP Test
sambaLogonTime: 0
sambaPwdMustChange: 2147483647
sn: dsptest
sambaHomeDrive: H:
sambaSID: S-1-5-21-2258386664-3013221354-3332613826-21002
homeDirectory: /home/dsptest
displayName: dsptest
cn: dsptest
shadowLastChange: 17980
sambaPwdLastSet: 1553502597
sambaPrimaryGroupSID: S-1-5-21-2258386664-3013221354-3332613826-2026
gidNumber: 516
ou: teachers
shadowMax: 99999

and the dsp group:

# dsp, Groups, example.com
dn: cn=dsp,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
displayName: dsp
cn: dsp
sambaGroupType: 2
sambaSID: S-1-5-21-2258386664-3013221354-3332613826-2032
gidNumber: 516
memberUid: dsptest

Here the sanitized LDAP Server configuration:

The interesting parts is:
User Name Attribute: uid
Group Member Attribute: memberuid

When I go to login to the web portal the apache2 log shows:

[Mon Mar 25 14:12:41.159898 2019] [proxy_fcgi:error] [pid 11845] [client ::1:48370] AH01071: Got error 'PHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com)); Result: 0\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(name=))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com)); Result: 0\nPHP message: Plugin LDAP::authLDAP() Access level is still 0 or false. No access is allowed!\n', referer: http://localhost/fog/management/index.php

The interesting parts is:
memberuid=uid=dsptest

I tried to use the proposed filter for a ldapsearch query and I am getting errors.

Could anyone please be of assistance?

Thank you,
Antonio

antonionardella

Hello @Fernando-Gietz,

thanks for the awesome help and support, it works now as needed.

Is there something I should be aware or edit in our openLDAP implementation to make the plugin work correctly without editing the /var/www/[html/]fog/lib/plugin/ldap/class/ldap.class.php file?

Ciao,
Antonio

Fernando Gietz

@antonionardella said in LDAP Plugin with openLDAP:

Hi @Fernando-Gietz, I am terribly sorry, but making everyone an admin does not look like an option.
It’s less about the web UI access, but more about restricting users (see students) from deploying random images to the systems and breaking things or activating licenses of pre-imaged software.

OK, you are right if you have student in the same LDAP server. Then the second option XD

What if the group would be called dsp, is it in no way possibile to limit the access only to this group here?
What is the issue exactly?

the problem is the filter that the code construct, in your case this filter is bad and doesn t work.

Bad filter:

(&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=****,dc=***))

Good filter:

(&(|(name=dsp))(memberuid=dsptest))

To do it well, the $userDN variable value should be dsptest and not uid=dsptest,ou=Users,dc=xxx,dc=xxx. If you do the previous suggested change in the code, $userDN = $user;, the filter should be fine and the validation proccess works fine for all users.

antonionardella

Hi @Fernando-Gietz, I am terribly sorry, but making everyone an admin does not look like an option.
It’s less about the web UI access, but more about restricting users (see students) from deploying random images to the systems and breaking things or activating licenses of pre-imaged software.

What if the group would be called dsp, is it in no way possibile to limit the access only to this group here?
What is the issue exactly?

Thank you for your time.

Ciao,
Antonio

Fernando Gietz

Hi @antonionardella ,

Ok the erorr is normal XD. I see two ways to solve your case:

1. Not use admin groups and all users are administrators, later you can restrict the access to the web UI using the AccessControl plugin.

2. Do a little change in your code:

        /**
         * Only one entry
         */
        $entries = $this->get_entries($result);
        /**
         * Pull out the user dn
         */
        $userDN = $entries[0]['dn'];
        /**
         * If use group match is used, get access level,
         * otherwise group scanning isn't used. Assume all
         * are admins.
         */
        if ($useGroupMatch) {
            $accessLevel = $this->_getAccessLevel($grpMemAttr, $userDN);
        } else {
            $accessLevel = 2;
        }

Change the 541 line in ldap.class.php file to:

        /**
         * Only one entry
         */
        $entries = $this->get_entries($result);
        /**
         * Pull out the user dn
         */
//        $userDN = $entries[0]['dn'];
           $userDN = $user;
        /**
         * If use group match is used, get access level,
         * otherwise group scanning isn't used. Assume all
         * are admins.
         */
        if ($useGroupMatch) {
            $accessLevel = $this->_getAccessLevel($grpMemAttr, $userDN);
        } else {
            $accessLevel = 2;
        }

I prefer the first one

antonionardella

Hello,

I tried with Search Base DN set to:

• dsptest
• ou=dsptest
• ou=dsptest,dc=example,dc=com
• ou=dsp
• ou=dsp,dc=example,dc=com

with no luck:

[Fri Apr 05 10:10:09.017746 2019] [proxy_fcgi:error] [pid 9652] [client ::1:51122] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: Invalid DN syntax in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: dsptest; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
[Fri Apr 05 10:45:05.644639 2019] [proxy_fcgi:error] [pid 9707] [client ::1:59212] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
[Fri Apr 05 10:45:10.428643 2019] [proxy_fcgi:error] [pid 9681] [client ::1:59270] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php?node=home
[Fri Apr 05 10:46:43.542053 2019] [proxy_fcgi:error] [pid 9652] [client ::1:59972] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
[Fri Apr 05 10:47:32.359197 2019] [proxy_fcgi:error] [pid 9650] [client ::1:60348] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsp; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
[Fri Apr 05 10:48:28.842830 2019] [proxy_fcgi:error] [pid 9648] [client ::1:60670] AH01071: Got error 'PHP message: PHP Warning:  ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsp,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php

Cheers,
Antonio

Fernando Gietz

I’m glad but we’re cheating ;)

If we erase the last change

$filter = sprintf(
               '(&(|(name=%s))(%s=%s))',
               implode(')(name=', (array)$adminGroups),
               $grpMemAttr,
               $this->escape($userDN, null, LDAP_ESCAPE_FILTER)
);

Ans setup the Search Base DN parameter only to dsptest, does work?

antonionardella

Hello @Fernando-Gietz it works using that code!

Fernando Gietz

I know but now the problem is why is the $filter variable NULL? is strange.

        $filter = sprintf(
            '(&(|(name=%s))(%s=%s))',
            implode(')(name=', (array)$adminGroups),
            $grpMemAttr,
            $this->escape($userDN, null, LDAP_ESCAPE_FILTER)
        );
        /**
         * The attribute to get.
         */
        $attr = array($grpMemAttr);
        /**
         * Read in the attributes
         */
        $result = $this->_result($grpSearchDN, $filter, $attr);

Are you sure that the $filter variable is well write in the var_dump() function? XD
The output of this variable must be:

(&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=****,dc=***))'

If you change the code to:

        $filter = sprintf(
            '(&(|(name=%s))(%s=%s))',
            implode(')(name=', (array)$adminGroups),
            $grpMemAttr,
//            $this->escape($userDN, null, LDAP_ESCAPE_FILTER)
            'dsptest'
        );
        /**
         * The attribute to get.
         */
        $attr = array($grpMemAttr);
        /**
         * Read in the attributes
         */
        $result = $this->_result($grpSearchDN, $filter, $attr);
        if (false !== $result) {
            return 2;
        }

UPDATED

antonionardella

Hi @Fernando-Gietz,

here the output:

It’s not working because the filter only works with this query:

(&(|(name=dsp))(memberuid=dsptest));

without ,ou=Users,dc=example,dc=com

as shown here:

@antonionardella said in LDAP Plugin with openLDAP:

@Fernando-Gietz and @george1421

Hello and thank you for your answers, thing is that the filter is putting

(&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com));

while it should be without =uid and ,ou=Users,dc=example,dc=com like so:

(&(|(name=dsp))(memberuid=dsptest));

Then I get an output with ldapsearch (see image)

I tried to look at the two functions authLDAP() and _getAccessLevel() but I miss enough understanding of PHP to find the extra =uid and ,ou=Users,dc=example,dc=com

Cheers,
Antonio

Fernando Gietz

Hi @antonionardella ,

With this output we can see that the filter is NULL and this is the problem :)
But the big question is why?

Please change the var_dump line with:

var_dump($grpSearchDN,$filter,$attr,$adminGroups,$userDN);

And paste the output.

antonionardella

@Fernando-Gietz here the result:

antonionardella

Hello @Fernando-Gietz, on Friday I’ll be working on that system again and let you know.

Thanks,
Antonio

Fernando Gietz

We can try to debug the @antonionardella 's code.

Make a copy of the file /var/www/[html/]fog/lib/plugin/ldap/class/ldap.class.php

#cp ldap.class.php ldap.class.php.ori

Let’s go to edit the ldap.class.php file, line 628 and insert the next code:

        $result = $this->_result($grpSearchDN, $filter, $attr);
//********* DEBUG ********************
        var_dump($grpSearchDN,$filter,$attr);
        exit;
//************************************
        if (false !== $result) {
            return 2;
        }
        /**
         * If no record is returned then user is not in the
         * admin group. Change the filter and check the mobile
         * group for membership.
         */

The var_dump function will write the value of the variables $grpSearchDN, $filter and $attr in the page of the browser. After do the changes, go to the validation page and enter the credentials and send us a screenshot.

In my case returns:

string(29) "ou=groups,dc=xxxx,dc=xxxx,dc=xxxx" string(77) "(&(|(name=aux.caunivel21))(member=CN=bcxxxx,OU=people,DC=xxxx,DC=xxxx,DC=xxxx))" array(1) { [0]=> string(6) "member" }

george1421

@george1421 Ok after a little googling I’ve found a few things.

1. It appears openldap may need to have overlays turned on to enable the memberof function. I’m still not sure about this one. But what I found says that if overlays were turned on before the groups were created then you are ok, if it is turned on after the groups are created you will need to recreate the groups.

2. Here is the syntax of an example query ‘(&(objectClass=user)(sAMAccountName=yourUserName) (memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))’ Now this is for AD but the query can be changed to this: (&(objectClass=user)(uid=yourUserName) (memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com)) I don’t have an openldap environment

ref: https://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group for both points

george1421

@Fernando-Gietz I’m still a bit baffled on how this query is constructed.

For example here is a query syntax I borrowed off the internet.
(&(employmentType=*)(!(employmentType=Hired))(!(employmentType=NEW))(!(employmentType=POS))(!(employmentType=REH)))
I can understand and read this just fine.

This one is still giving me pains.

(&(|(name=dsp))(memberuid=dsptest,ou=Groups,dc=XXXXXX,dc=XXXXX));

If I’m reading this right you are anding these two search results.

(& (|(name=dsp)) <and> (memberuid=dsptest,ou=Groups,dc=XXXXXX,dc=XXXXX) );

What is bugging me is this part
(|(name=dsp))

That floating or in there with nothing to or to. I might expect it to look like this
(|(name=dsp)(name=bob)) then <and> it with (memberuid=dsptest,ou=Groups,dc=XXXXXX,dc=XXXXX)

Or drop the or so you were just anding (name=dsp) <and> (memberuid=dsptest)

I may be totally confused here but that is how I’m reading the search criteria. BUT also it may not be the problem the OP’s having.

Fernando Gietz

And if you change the filter with:

(&(|(name=dsp))(memberuid=dsptest,ou=Groups,dc=XXXXXX,dc=XXXXX));

antonionardella

As soon as I add anything to the filter I get no answer:

Fernando Gietz

@george1421 said in LDAP Plugin with openLDAP:

@Fernando-Gietz said in LDAP Plugin with openLDAP:

|(name=dsp))(memberuid=uid=dsptest

The issue is with this bit of the query syntax.

We are doing an or between ‘(name=dsp)’ ad ‘)’ There is a missing parameter the other part of the or test or there is an extra ‘)’ in that syntax. I really need to count opening and closing parentheses here, but my gut feeling is its wrong. As well as the ‘memberuid=uid=dsptest’ test. I haven’t had time to see what changed in the ldap auth module but I’m a bit surprised that it authenticates AD since AD is really picky on the query syntax.

The second parentesis is necessary because the the sintax has a logical operator “|” (|(name=dsp).

I don’t have openLDAP, I use AD but my filter is:
(&(|(name=aux.caunivel21))(member=CN=bczxxxx,OU=people,DC=xxxx,DC=xxx,DC=xx))

And works fine

antonionardella

@Fernando-Gietz and @george1421

Hello and thank you for your answers, thing is that the filter is putting

(&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com));

while it should be without =uid and ,ou=Users,dc=example,dc=com like so:

(&(|(name=dsp))(memberuid=dsptest));

Then I get an output with ldapsearch (see image)

I tried to look at the two functions authLDAP() and _getAccessLevel() but I miss enough understanding of PHP to find the extra =uid and ,ou=Users,dc=example,dc=com

Cheers,
Antonio