LDAP 1.6 plugin password
-
Hello All,
I’m running FOG Version 1.5.7.753 and trying to configure LDAP plugin 1.6. I can’t find FOGCRYPT anymore. Does it still require encrypting the Bind Password? I’ve tried the Bind Password without encryption but I can’t log in using an AD account.
-
FOGCRYPT has not been supported for many moons. The encryption is done directly in the web UI now.
The bind dn should be in the DN format. The same should be for the search base and group search DN.
-
@george1421 I have the bind DN in DN format. Where in the web UI can I go to encrypt the password?
-
@TaTa Encryption is not a separate step. You just enter the bind password as you would if you were to use the account to login normally. The webui will take care of encrypting it.
-
@george1421 I went to FOG settings and put in AD password in FOG_AD_DEFAULT_PASSWORD under Active Directory Defaults. The password gets encrypted automatically in the web UI. LDAP doesn’t do that. Should it get encrypted the same way?
-
@TaTa I guess I don’t know what to tell you. In the LDAP setup screen you just enter the bind password as you would key it in. This bind user account should be the lowest level user account, because it only needs to have access to see if a user exists. It doesn’t need any rights other than to see if a user exists.
-
@george1421 I have a working server running FOG 1.5.6.2 on Debian with the same settings using an older version of LDAP plugin with an encrypted password and it’s working fine. I tested my bind user account un-encrypted password and it’s working fine. The only differences are encrypted pw vs none. I’ll do more tests to see why it’s not working. My apologies for being a pest and thank you very much for all the help.
-
@TaTa Well this may be a bug then if you have two different installs with the same settings and they are acting differently. It’s possible that something external to the plugin has changed, causing the plugin to act poorly. If I remember correctly the LDAP plugin logged messages to the FOG log file, but I don’t remember which one at the moment.
-
@george1421 Do you have an older version of the LDAP plugin somewhere I can try? Thanks.
-
@TaTa It’s all on github. Though I am not sure it’s wise to mix up plugin source from an older version with a newer version of FOG. It’s up to you. We won’t support this.
https://github.com/FOGProject/fogproject/tree/1.5.7/packages/web/lib/plugins/ldap
https://github.com/FOGProject/fogproject/tree/1.5.6/packages/web/lib/plugins/ldap
https://github.com/FOGProject/fogproject/tree/1.5.5/packages/web/lib/plugins/ldap
https://github.com/FOGProject/fogproject/tree/working-1.6/packages/web/lib/plugins/ldap
https://github.com/FOGProject/fogproject/tree/dev-branch/packages/web/lib/plugins/ldap
-
@Fernando-Gietz Can we get you involved here? I don’t know the LDAP plugin much but I am wondering if it ever used an encrypted password??!
-
@Sebastian-Roth LDAP used to store the bind password in encrypted form, similar to how we stored the ad default password in encrypted form. So there’s some back end work to verify if the password is in an encrypted form and if so, to decrypt it and pass it along. Otherwise just use the base text.
-
Hi,
Sorry for my late answer. I can confirm what Tom said.
The password is saved encrypted in the database, and you cannot see it in plain text anywhere. If you access the web form, either FOG Settings-AD Settings or host->AD Settings, you see the encrypted password. It is only decrypted in the clients.
-
Thanks all. You are right. LDAP uses a plain text password. I had the ‘&’ symbol in the password and that breaks it. I set up a test RHEL server and was able to make it work by removing the ‘&’ symbol. My “controlled” server however is still not working. No error in /var/log/php-fpm/www-error.log. Apache detected when I tried to log in. Re-installing php-ldap but no go. Does anyone know how to debug it? Thanks!
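As an added diagnostic that is not FOG code and not from this thread: a stdlib-only Python script that sends one LDAPv3 simple bind carrying exactly the bind DN and password bytes you give it, so you can see what the directory itself answers for the bind account, independently of the plugin and of the web form. The host, bind DN and password in the usage note are placeholders; the script assumes LDAPS on port 636 with a server certificate the client trusts.

```python
import socket
import ssl

def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(v):
    # INTEGER as minimal two's-complement (127 -> 7f, 128 -> 00 80)
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def build_simple_bind(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name, authentication simple [0] } } as in RFC 4511."""
    bind = (_ber_int(3) + _tlv(0x04, bind_dn.encode("utf-8"))
            + _tlv(0x80, password.encode("utf-8")))  # raw bytes; '&' is just a byte
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, bind))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_result(data):
    """(resultCode, diagnosticMessage) of a BindResponse; 0 = success, 49 = invalidCredentials."""
    _, msg, _ = _read_tlv(data, 0)           # outer LDAPMessage SEQUENCE
    _, _, p = _read_tlv(msg, 0)              # skip messageID
    tag, resp, _ = _read_tlv(msg, p)
    if tag != 0x61:                          # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, p = _read_tlv(resp, 0)          # resultCode ENUMERATED
    _, _, p = _read_tlv(resp, p)             # matchedDN
    _, diag, _ = _read_tlv(resp, p)          # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def simple_bind(host, bind_dn, password, port=636, use_tls=True):
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:  # LDAPS, so the bind password does not cross the wire in the clear
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_simple_bind(1, bind_dn, password))
        return parse_bind_result(sock.recv(4096))
```

Call it as `simple_bind("dc.example.internal", "CN=fogbind,OU=Service,DC=example,DC=internal", "p&ss")` (placeholder values): result code 49 means the directory rejected those exact credentials, while 0 means the bind itself works and the difference has to be in how the password reaches the plugin.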