LDAP Plugin install



  • Hi,
    I’ve tried installing the LDAP plugin on our Fog Server (v1.5.7), but not sure what I’ve done wrong.

    I’ve installed php-ldap, restarted the Fog server, confirmed the php module is loaded. Installed the LDAP plugin.

    Configured a new LDAP server, with what I believe to be the correct settings for our Active Directory domain controller, but I’m not able to login to Fog with any LDAP credentials.

    I’m not really sure where to go looking for logs, I’ve grep’d /var/log/apache2/error.log and I see this error:

    [Wed Feb 05 04:15:40.799757 2020] [proxy_fcgi:error] [pid 3604] [client 172.16.32.102:31678] AH01071: Got error 'PHP message: PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /var/www/fog/lib/fog/fogpage.class.php on line 832\n', referer: http://172.16.17.5/fog/management/index.php?node=ldap&sub=list
    

    Any suggestions on how to troubleshoot further?

    Thanks heaps,



  • @Sebastian-Roth said in LDAP Plugin install:

    Did you see Tom’s post? There seemed to be an issue in the version check script on our webserver which led to it saying you are “up to date” eventhough you are running the years old 1.5.5 version. Tom fixed it. You can always be sure the version number in the bottom right corner is the one you have.

    Hey sorry about the confusion I did see his comment, but clearly did not understand. It’s a huge relief that we aren’t dealing with a failed upgrade.

    Thanks for all your help with this everyone, I have finally got the plugin working. As @Kiweegie suggested early on the password complexity seemed to be the issue. I had made sure there was no special characters in it, but I had made the password obscenely long. Changing it < 24 characters seems to have done the trick.

    Apologies for all the confusion and thanks again for all the help.



  • @stuhad

    We are running on the dev version here 1.5.7.109 and can confirm that LDAP plugin works on this version.

    Re your FOG install showing 1.55 but earlier not I think you’re seeing the issue that @Tom-Elliott referred to below and has fixed.

    As to why the LDAP plugin is not working it will be down to something in the LDAP config I suspect rather than anything linked to the FOG version. I’ve had LDAP plugin working on both 1.55 and 1.57.

    Do you have anything in the following log file at all in reference to LDAP users?

    /var/log/apaches/error.log
    

    Looking through your LDAP config and comments from previous post

    LDAP connection name: dc1
    (fine as long as each connection name is unique)
    LDAP Server Address: IP Address (is an IP ok?)
    IP address OK, thats what I’ve used
    LDAP Server Port: 389
    OK
    Use Group Matching: ticked
    OK
    Search Base DN: ou=fog users,dc=company,dc=com,dc=au
    I’ve set my search base here to the root of the domain so try just dc=company,dc=com,dc=au
    Group Search DN: ou=fog users,dc=company,dc=com,dc=au
    Should be fine - spaces in OU names also OK.
    Admin group: cn=fog admins,ou=fog users,dc=company,dc=com,dc=au
    Try just using the group name here “fog admins” don’t need the cn entry. Also try removing space. Should be ok but something to rule out
    Mobile group: cn=fog admins,ou=fog users,dc=company,dc=com,dc=au
    As above
    User Name Attribute: sAMAccountName
    OK
    Group Member Attribute: member
    OK
    Search Scope: Subtree and below
    OK
    Bind DN: cn=ldapadmin,ou=services,dc=company,dc=com,dc=au
    This user should have delegated rights to add and delete computer objects. If unsure try adding as member of Domain Admins group to test
    Bind password: added in plaintext
    OK

    Ninja Edit: With the password remember to ensure no special characters!!

    Give the above a whirl and let us know how you get on.

    regards Tom


  • Senior Developer

    @stuhad said in LDAP Plugin install:

    OK sorry I’m not sure what changed but it seems like the GUI is now saying we are in fact not running 1.5.7 but actually 1.5.5,

    Did you see Tom’s post? There seemed to be an issue in the version check script on our webserver which led to it saying you are “up to date” eventhough you are running the years old 1.5.5 version. Tom fixed it. You can always be sure the version number in the bottom right corner is the one you have.

    Updating to a newer version might surely help. Though I can’t promise you this particular issue has been fixed between 1.5.5 and 1.5.7 I am sure people use the LDAP plugin with 1.5.7.

    But you might want to wait a few more days because we are preparing the 1.5.8 release to come out soon.



  • OK sorry I’m not sure what changed but it seems like the GUI is now saying we are in fact not running 1.5.7 but actually 1.5.5, which at least makes sense as no one remembers upgrading Fog, and it matches the log output. Just not sure why it was reporting 1.5.7 before… perhaps a DNS issue?

    6b8da88d-60e5-4a0f-bb96-2cbed0665a5a-image.png

    The only change I can think of is I performed an apt install to install ldap-utils so I could troubleshoot if it was perhaps a network issue between our fog server and the domain controllers not sure why this would make any difference to what the GUI was reporting.

    I’ve confirmed I can query the domain controllers using ldapsearch from the fog server without issue so it doesn’t appear to be a network problem. Unfortunately, ldap logins still aren’t working to the fog server.

    Would you recommend I try actually upgrading to 1.5.7?

    Cheers,



  • @Sebastian-Roth

    $ grep FOG_VERSION /var/www/html/fog/lib/fog/system.class.php
            define('FOG_VERSION', '1.5.5');
    $ find /var/www -name "system.class.php"
    /var/www/fog/lib/fog/system.class.php
    

  • Senior Developer

    @stuhad The output looks fine from a technical point of view. Though I am wondering about the file change date of /var/www/fog/ as 1.5.7 came out after March 14th 2019. Please run the two commands

    grep FOG_VERSION /var/www/html/fog/lib/fog/system.class.php
    find /var/www -name "system.class.php"
    

    and post output here.



  • Hey Sebastion,

    I’m not certain if we are on 1.5.5 or 1.5.7, perhaps the upgrade failed? Is there any way I can tell definitively?

    Here is the output you requested.

    $ ls -al /var/www; ls -al /var/www/html; ls -al /var/www/html/fog
    total 16
    drwxr-xr-x  4 root     root     4096 Mar 14  2019 .
    drwxr-xr-x 14 root     root     4096 Mar 14  2019 ..
    drwxr-xr-x 10 www-data www-data 4096 Mar 14  2019 fog
    drwxr-xr-x  2 root     root     4096 Mar 14  2019 html
    total 20
    drwxr-xr-x 2 root root  4096 Mar 14  2019 .
    drwxr-xr-x 4 root root  4096 Mar 14  2019 ..
    lrwxrwxrwx 1 root root    13 Mar 14  2019 fog -> /var/www/fog/
    -rw-r--r-- 1 root root 10918 Mar 14  2019 index.html
    lrwxrwxrwx 1 root root 13 Mar 14  2019 /var/www/html/fog -> /var/www/fog/ 
    

    @Sebastian-Roth said in LDAP Plugin install:

    ls -al /var/www; ls -al /var/www/html; ls -al /var/www/html/fo


  • Senior Developer

    @stuhad So are you on 1.5.5 or 1.5.7 now?


  • Senior Developer

    @Sebastian-Roth I fixed the versioning issue. No update needed to see this.

    There was a slight issue on the remote side code that checks the version information for us.


  • Senior Developer

    @stuhad said in LDAP Plugin install:

    But then it states under Kernel Versions:
    DefaultMember Fog Version: (1.5.5)
    and the bottom right hand corner of the GUI states: 1.5.5

    Seems like something went wrong with your install. Please run the following command and post output here:
    ls -al /var/www; ls -al /var/www/html; ls -al /var/www/html/fog



  • Sorry we are running Ubuntu 18.04.4 LTS

    Under Fog Configuration > Fog Version Information it says we’re running the latest stable version: 1.5.7

    But then it states under Kernel Versions:
    DefaultMember Fog Version: (1.5.5)

    and the bottom right hand corner of the GUI states: 1.5.5

    bdb77a4d-a863-457c-9313-6ec089ec4d69-image.png



  • Thanks for the quick response guys, and sorry about the late reply.

    Glad that I installed the correct php plugin, I’ve restarted the fog server a couple of times after installing as well.

    Based on Kiweegie’s example I’ve changed the Search scope to Subtree and below, but unfortunately this doesn’t seem to have fixed the issue.

    How does the LDAP plugin handle spaces in the DN search list? for example:
    Search Base DN: ou=fog users,dc=company,dc=com,dc=au

    Here’s our (edited for privacy) config for one of our DCs

    LDAP connection name: dc1
    LDAP Server Address: IP Address (is an IP ok?)
    LDAP Server Port: 389
    Use Group Matching: ticked
    Search Base DN: ou=fog users,dc=company,dc=com,dc=au
    Group Search DN: ou=fog users,dc=company,dc=com,dc=au
    Admin group: cn=fog admins,ou=fog users,dc=company,dc=com,dc=au
    Mobile group: cn=fog admins,ou=fog users,dc=company,dc=com,dc=au
    User Name Attribute: sAMAccountName
    Group Member Attribute: member
    Search Scope: Subtree and below
    Bind DN: cn=ldapadmin,ou=services,dc=company,dc=com,dc=au
    Bind password: added in plaintext



  • @Sebastian-Roth @Tom-Elliott thanks both

    We need the current live FOG install to JFDI at the moment so can’t play with the live environment but I’m putting together a virtual box lab to test version 1.6 with location plugin, LDAP etc.

    Update once i get that up and running.

    cheers Tom


  • Senior Developer

    @Kiweegie Just be aware that working-1.6 is still under strong development and there is no easy way back to 1.5.x unless you have snapshots to go back to.


  • Senior Developer

    @Kiweegie We’re aware of that, and 1.5.x GUI was a step toward the right direction. If you want a much nicer GUI, you are more than welcome to test working-1.6.



  • @Tom-Elliott ok cool that makes sense ref the one UI being more responsive. If I check the UI on my phone (Samsung S10+ running Android 10) the UI is not as good as it could be. Not a criticism in any way but pointing it out. Its certainly usable but the display is a little “janky”

    Same using Chrome (80.0.3987.87) or Firefox (68.5.0)

    96fab836-f9e6-4b41-a15e-173c1c87f8b2-image.png

    f8cfc7ae-594e-4532-8f48-cd094b9edc14-image.png

    regards Tom


  • Senior Developer

    @Kiweegie In the past the mobile group was setup for users who you didn’t want access to the main gui, but allowed access to the mobile gui.

    This has kind of fallen down the wayside as we moved to making a responsive gui vs. two seperate gui’s.

    Now there is really not much difference between them, though it’s kept more as a safety as you can code things around based on it if you so needed.

    Now, though, if you need to limit controls, I’d suggest using the AccessControl plugin. This isn’t a catch-all by any means, but is probably light years better at managing user’s and controlling what they can and cannot do in the GUI than anything FOG had prior to 1.5.x.



  • @Tom-Elliott Excellent stuff, added to my notes 🙂

    Edit: actually I had that format under the Admin group but not the Mobile group. Which leads me to a question of my own - what is the Mobile group actually used for?


  • Senior Developer

    @Kiweegie I should add that the Admin group and Mobile Groups should not need to be full DNs.

    So, for example, you have “Admin Group” set as a DN in your example, but you can just do: fogserver_admins

    Similarly, you can also add multiple groups to allow by using a comma such as:

    domain admins,domain manager computer objects,desktop administrators
    

    You can do the same for Mobile Group. You do not need both to be filled out.


Log in to reply
 

222
Online

7.2k
Users

14.4k
Topics

135.6k
Posts