Integrate Windows Authentication in FOG

  • Developer


Has anyone been able to implement, or successfully implemented, Windows authentication for FOG instead of manually creating users? It’s just that my security manager is on my back about the “security” of FOG, and it’s something that’s been flagged in an audit.

    I have taken a stab at it, but it looks like it’s an overhaul of changes required, and my skills using AD authentication with Linux are limited. Don’t really want to lose FOG over something so trivial.

    Anyone else interested in this feature or got any info?

  • Developer

I’m glad 🙂
    We use a customized FOG 0.30 version :oops: But the LDAP validation, I think, is easy to migrate to a new version of FOG.
    The “site” layer and technician role are much more difficult. Sorry.
    I just started the migration of code from the old version to the new FOG version.

  • Fernando, I think there are a lot of people out there using FOG that would really appreciate this sort of functionality.

  • Developer

We use LDAP validation to access the FOG web UI, but first the username has to be created in the FOG database.
    Each user has his role. We use one FOG server to deploy images, and we have 60 different users. Also, we have created a new role in the FOG web UI and a new “administration” layer. This layer is “site”; one “site” is a building or a high school or a faculty.
    FOG has two roles: site manager and fast deploy. We have a new one: technician. We can link one user with one role, and one user is linked to one or more sites.

The site manager role can see the FOG server setup and all computers/clients. The technician can only see the computers and the images from his linked site; he can’t see the server setup.

  • The code for it isn’t all that bad and I have a small working version of AD integration. It does require the apache ldap module to be installed but otherwise it just does a quick anonymous bind to the AD to look up the name and, if found, tries another bind with the name and password. Of course the first check can be taken out since not everyone will allow anonymous binding to their AD.

    I think BryceZ has the right of it, too, that after doing the check, certain information will need to be passed on to FOG to allow for the local access features. Moodle does a really nice job of this, so that may be somewhere to look.

    I’m guessing that with the .33 framework that this all could be achieved via a plugin instead of putting it into the core of the program.
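The anonymous-lookup-then-user-bind flow described in this post, written out in PHP as an added example (not code from the FOG project or from the poster). The directory host and base DN are assumptions, and it adds the two checks an auditor would ask about: rejecting empty passwords (which LDAP treats as an anonymous bind) and escaping the username before it goes into the search filter.

```php
<?php
// Added example, not FOG project code. Two-step AD/LDAP check:
// 1) anonymous bind + search to find the user's DN, 2) bind as that DN.

function fogLdapAuthenticate(string $username, string $password): bool
{
    $host   = 'ldaps://dc01.example.local';   // assumption: your domain controller
    $baseDn = 'DC=example,DC=local';          // assumption: your search base

    // An LDAP simple bind with an empty password is an anonymous bind and
    // "succeeds" on most directories, so refuse it before touching the server.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($host);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);  // AD referrals would otherwise stall the search

    // Step 1: anonymous bind and look the account up. If your AD forbids
    // anonymous binds, bind with a read-only service account here instead.
    if (!@ldap_bind($conn)) {
        ldap_unbind($conn);
        return false;
    }
    // Escape the username so a crafted value cannot change the filter (LDAP injection).
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result  = ldap_search($conn, $baseDn, $filter, ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;  // unknown or ambiguous account
    }
    $userDn = $entries[0]['dn'];

    // Step 2: bind as the user; only a correct password makes this succeed.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok;
}
```

A successful return only proves the credential; FOG still needs the username to exist in its own user table (or be created on first login) so that local roles can be applied, as the other posts in this thread describe.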

Windows Authentication for FOG has been brought up before, but it will take somebody who is willing to get their hands dirty coding and figuring out the best way to implement it, so it hasn’t really gone anywhere.

One alternative that I’ve managed to get implemented where I work is using Shibboleth to process the authentication and then having matching usernames in the FOG database to ensure access. Luckily we already had the Shibboleth infrastructure in place, and other people had tied multiple web systems into it already, so adding FOG was a fairly trivial copy and paste of existing code.

    I would guess that the easiest way to add Windows authentication to FOG would be to have Apache handle the authentication for accessing the site directory and use LDAP to tie Apache authentication to your Windows AD. But I haven’t tried this myself so I can’t provide any example code.