Another LDAP topic
I’m trying to make everything in our business work with LDAP. The last thing that not will work is FOG.
At the moment i’m pretty new with LDAP but so far all our other applications works fine.
I have read and tried all the information here on the forums but it won’t work at all.
The next two articels on this forum where one of the guides which i tried. For sure i do something wrong, but i don’t what and in the logging there is nothing that i can relate to solve this.
I have installed php-ldap.
OS: CentOS 7 PHP: 7.4.33 FOG Version: 184.108.40.206
The following settings are no set for LDAP:
Can anyone help me to get this work? Or give me any advice?
Did you make the changes for your admin group setting to be a group rather than an OU as you have it?
Can you go to Fog Configuration then to Fog Settings then Plugin: LDAP and screenshot what is there for LDAP ports and User Filter?
Also For “Admin Group”, that shouldn’t be the name of an OU but rather the name of a security group that your users are a member. That group should be located somewhere within the parameters set by the Group Search DN.
@george1421 sorry for my delay. Weekend between…
TechnischeDienst is a OU.
My AD browser is already in advanced mode. What you mean with the FOG admin group??
@eazis Would you send another screen shot of the ldap config page, please.
From your iniital screen shot it look like you have groups and users in the same OU?
In your original post you made reference to TechnischeDienst, is that an AD group or OU?
If you put the AD browser in advanced mode. Then select the FOG admin group and go to properties, in the properties there should be an advanced menu or properties menu, this tab only exists when the AD browser is in advanced mode. Will you provide me the ldap path (from the DN field on the properties tab) for both the fog admin group and a test user that you want to log into FOG. Lets start with the full dn for both objects and work our way back into the field values.
@george1421 I tried it with both settings but no luck…
@eazis That will work, or you can be more specific with the search base DNs. With your current example it will search all of your domain for the defined user and group.
If you were using a default windows ad structure you might make the search bases as:
Search Base DN: CN=Users,DC=YYYY,DC=XXXX,DC=com Group Search DN: CN=Groups,DC=YYYY,DC=XXXX,DC=com
If you are setting the search base to the root of your ldap structure you will want to change the search method to current directory and below (sorry I don’t remember the exact term), but it means the current search base path and all OUs below.
Now for the admin group,
TechnischeDienstthis needs to be the ad group name that FOG will try to find the user in. If the user is not in that group then access is denied to the fog server.
So the first part of the ldap plugin searches to see if the user account exists in the Search Base DN path. If the user is in that path, then it searches for the group defined in the Group Search DN path. If the group is found then it sees if the user exists in that group. At least that was the original flow.
So to answer your original question will what you have work, yes it should as long as if you change the search method to current OU and all sub ous and
TechnischeDienstis the name of a windows group that contains the user you want to login.
@george1421 So you say:
Search Base DN: DC=YYYY,DC=XXXX,DC=com Group Search DN: DC=YYYY,DC=XXXX,DC=com Admin Group: TechnischeDienst
Is this correct?
@eazis The first thing that jumps out at me is the search based dn and group base dn. This should be the ladp path to find both the users and groups. So if you look for user jondoe it will look if that user exists in the TechnischeDienet OU. Same for the groups you provide the location to look for the group.
Now your admin group, should not be the ldap path but the name of the authorization group found in the group search dn path. So if your group in the Group Search DN is called fogadmins then you enter fogadmins in that admin group field
In the referenced link here is what that field instructions say
Admin Group - MANDATORY - (This is the name of the security/distribution group that admins need to be a part of in AD in order to login with LDAP) Note: Just the group name… not the whole CN as you already provided that information above.
For search group I would pick sub group and below, from personal experience. I wrote the original plugin for 1.5.0 that has been tweaked a few times since, but in general the flow is still the same. Lets try my recommendation and see where we end up.