• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    LDAP in http.conf?

    Scheduled Pinned Locked Moved Linux Problems
    9 Posts 3 Posters 3.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • TreyBentleyT
      TreyBentley
      last edited by TreyBentley

      I attempted to utilize the LDAP plug-in and got no where real fast. I saw someone else’s suggestion about using Apache to perform LDAP authentication. However no instructions on how to do so was provided. After too many hours of research and troubleshooting, I believe I’m on the home stretch. After getting passed some mod_ldap.so issues, I’m now having a hard time finding httpd.conf settings that apply to our set up; specifically the section with the AuthType, AuthBasicProvider, etc, etc, configurations.

      If anyone was ever successful in getting this to work well, it’d be great if you could paste a redacted snip of your httpd.conf file with that section of settings. Or… provide a good alternative. ^_^

      And, this sounds rude-ish but I honestly don’t mean for it to be, but before you go referring me to any website that attempts to show me what to do, please be aware that I more then likely have already been there and have already tried whatever they have on the page.

      Thanks.

      Fog version: trunk
      Revision: 7609
      bzImage Version: 4.5.3
      bzImage32 Version: 4.5.3
      OS version: CentOS 7
      Apache version: 2.4.6

      1 Reply Last reply Reply Quote 0
      • S
        Sebastian Roth Moderator
        last edited by

        @TreyBentley Unfortunately we won’t be able to help you with that unless we know the structure of your LDAP directory. As well LDAP configuration is playing a major role (object access, binding, …). Possibly start by posting your full (anonymized base dn, …) slapd config here.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        1 Reply Last reply Reply Quote 0
        • TreyBentleyT
          TreyBentley
          last edited by

          I think I got it after more debugging and more research.

          It turns out that I seem to have had my settings correct all along; I just needed to run yum install apr-util-ldap -y

          None of the tutorials or stackoverflows ever said a thing about that. ^_^

          1 Reply Last reply Reply Quote 0
          • S
            Sebastian Roth Moderator
            last edited by

            @TreyBentley Great to hear that you worked it out. Would you mind sharing your config and commands for other people?!

            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

            1 Reply Last reply Reply Quote 0
            • TreyBentleyT
              TreyBentley
              last edited by

              I was planning to. I am still doing a little OU authorization tweaking, and wanted to try and implement passing the username straight to Fog with a generic password, like that top(?) response mentioned in the other thread. Once that’s done, I’ll try to orderly post the procedure I took.

              1 Reply Last reply Reply Quote 0
              • TreyBentleyT
                TreyBentley
                last edited by Sebastian Roth

                Okay, I’ll try and make this as clear as I can, but please feel free to ask for any clarification, and I’ll try and see what I can do.


                My Server Info

                • OS version: CentOS 7 (minimal install iso)
                • Apache version: 2.4.6 (installed by Fog’s bin/installfog.sh ?)
                • Fog version: trunk via Wiki (https://wiki.fogproject.org/wiki/index.php/Upgrade_to_trunk)
                • Revision: 7609
                • Hardware: VMware / vSphere

                Prerequisites

                The material in this documentation assumes:

                • Fog has already been installed and the web interface is fully accessible.
                • The Fog server has sshd access and sftpd is working.
                • You know how to extract files.
                • You know how to transfer files.
                • Maybe a few other things I’ve missed listing.

                The Procedure

                So, the ultimate goal was to authenticate only IT Techs, and via AD, so we could have yet another system with single sign-on. Research indicated that LDAP authentication should be fairly quick and easy with Apache.

                Truth be told, I had to hunt down and find the exact version of some required files. I finally found them at rpmfind.net (ftp://rpmfind.net/linux/RPM/centos/7.2.1511/x86_64/Packages/mod_ldap-2.4.6-40.el7.centos.x86_64.html) and attempted to install the RPM with yum localinstall mod_ldap-2.*.rpm. However, whenever I tried this, the OS told me what version the file is, and what version the file needs to actually be.

                They looked the same to my eyes, so, I downloaded the rpm on my Windows unit and opened it with 7-zip. I extracted the files and then transferred them to the Fog server, to /etc/httpd/modules/. Now, I don’t know if the next part was required, but it’s a habit. I updated permissions and access to the files once they were extracted and moved to their proper location:

                chmod 755 /etc/httpd/modules/mod_ldap.so /etc/httpd/modules/mod_authnz_ldap.so
                chown root:root /etc/httpd/modules/mod_ldap.so /etc/httpd/modules/mod_authnz_ldap.so
                chcon -t httpd_modules_t etc/httpd/modules/mod_ldap.so /etc/httpd/modules/mod_authnz_ldap.so
                chcon -t httpd_modules_t /etc/httpd/modules/mod_ldap.so /etc/httpd/modules/mod_authnz_ldap.so
                

                In the end, my httpd.conf file looks as follows, using Christoph’s brain dump (http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication.html) as a guide. Loading the modules takes place first, in the LoadModules section.

                nano /etc/httpd/conf/httpd.conf

                ..
                ...
                
                LoadModule ldap_module /etc/httpd/modules/mod_ldap.so
                LoadModule authnz_ldap_module /etc/httpd/modules/mod_authnz_ldap.so
                
                ...
                ..
                

                The following takes place after DocumentRoot “/var/www/html”. Potentially sensitive material has been redacted and/or modified.

                ..
                ...
                
                <Directory "/var/www/html/fog/management">
                
                    # These options were here; I'm not messing with them.
                    Options FollowSymLinks
                    AllowOverride None
                    Allow from all
                
                    # Engage the initial connection with an account that can read the domain trees.
                    AuthLDAPBindDN "ldapuser"
                    AuthLDAPBindPassword yoursecretpasswordhere
                
                    # Path to the AD/LDAP server. Includes the path as to where the above user can
                    # search for usernames
                    AuthLDAPURL "ldap://192.168.1.250/OU=People,DC=gtcc,DC=ad?sAMAccountName?sub?(objectClass=*)"
                
                    # Standard authentication configurations.
                    AuthType Basic
                    AuthName "ITS FOG Server"
                    AuthBasicProvider ldap
                    AuthLDAPBindAuthoritative off
                    AuthUserFile /dev/null
                
                    # Users in the following groups are the *only* users allowed into the site.
                    Require ldap-group CN=ITS Department,OU=ITS,OU=Groups,DC=gtcc,DC=ad
                
                </Directory>
                
                ...
                ..
                

                I found that next, I needed to run the following command to install some ldap tools that doesn’t come with a minimal installation of CentOS 7.

                yum install apr-util-ldap -y
                

                Then, restarted the httpd service:

                systemctl restart httpd
                

                With LDAP sign-in working, I was still getting the Login page (and rightly so). Editing the processlogin.class.php file will fix that right up. The code that follows attempts to perform the following:

                • Rename what I came to believe to be the logout form.
                • Make a connection to the Fog database and check for the username of the user that just successfully authenticated via Apache’s LDAP authentication process. The process I took here might should be updated to best practices standards. I’m not that great of a programmer, so I don’t know those standards.
                • If no user is found in Fog’s user table, then add them; they’re authenticated via LDAP anyway.
                • Adds username and generic password to the form input fields values.
                • Hides the form input fields.
                • Hides the Login button, placing a Please Wait… notice in its place.
                • Javascript immediately submits the form.

                nano /var/www/html/fog/lib/fog/processlogin.class.php
                Line ~145:

                ..
                ...
                
                # This was being double printed in the source code, and forcing a loop of redirection in the code below.
                # Renaming the id to avoid that. It's probably for logout, anyways.
                echo '<form method="post" action="" id="login-form0">';
                
                ...
                ..
                

                Line ~153: after $this->getLanguages();, and replacing printf for mainLoginForm

                
                ..
                ...
                
                # Make the username from Apache quicker to type.
                $ap_user = $_SERVER['PHP_AUTH_USER'];
                
                # Adding this password variable in, from the MariaDB result I got from manually querying
                # the 'users' table. It should be the equivilent to "FogREMOTEUSER" and will be everyone's
                # password with Fog, because they've already signed in with their AD credentials.
                # However, I just realized this.... what if they need 'Quick Image'? Hmm... I guess I'll
                # just tell them "FogREMOTEUSER", huh?
                $ap_pass = '$2y$11$PIB.FzVsBSccSnoOVvyPcuPwJsHBYZRQO/RUFx.WinrCk0tQvb3IC';
                
                # Connecting to the database the only way I know how. Maybe even re-inventing the wheel. Anyways,
                # one does not simply walk into a database.
                $DBServer = 'localhost';
                $DBUser   = 'root';
                $DBPass   = '';
                $DBName   = 'fog';
                
                $conn = new mysqli($DBServer, $DBUser, $DBPass, $DBName);
                
                # Create the sql statement that will check for the user's existence in the database realm.
                $sqlChkExist = "SELECT * FROM users WHERE uName = '" . $ap_user  . "'";
                
                # Execute the query
                $rs=$conn->query($sqlChkExist);
                
                # How many rows where returned?
                $rowCount = $rs->num_rows;
                
                # If there were 0 rows, then we need to add this user to the database, then.
                if ($rowCount == 0) {
                	# Hey! Listen! ^_^
                	# Looks like this user doesn't exist in this database. Let's add them.
                	# Build the statement that will add the user.
                	$sqlInsUsr = "INSERT INTO users (uName, uPass, uCreateBy, uType) VALUES ('" . $ap_user  . "', '" . $ap_pass  . "', 'autoGen', 0)";
                
                	# Join me, and together we can rule the images, as SA and Tech.
                	$rs=$conn->query($sqlInsUsr);
                }
                
                printf('</form><form method="post" action="" id="login-form"><input type="hidden" class="input" name="uname" id="username" value="' . $ap_user . '"/><input type="hidden" class="input" name="upass" id="password" value="FogREMOTEUSER"/><label for="login-form-submit"> </label><input type="submit" value="%s" id="login-form-submit" style="display:none;"/>Please wait....</form><div id="login-form-info"><p>%s: <b><i class="icon fa fa-circle-o-notch fa-spin fa-fw"></i></b></p><p>%s: <b><i class="icon fa fa-circle-o-notch fa-spin fa-fw"></i></b></p></div><script>document.getElementById("login-form").submit();</script>',self::$foglang['Login'],self::$foglang['FOGSites'],self::$foglang['LatestVer']);
                # Troll the respawn, Jeremy.
                
                ...
                ..
                

                I then realized that clicking the Logout button sends the user to the Login page, which then signs them back in. Since our Techs use their own computers, and the credentials go away upon closing the browser, I decide to remove the option to login. Simply comment out line ~52 of page.class.php

                nano /var/www/html/fog/lib/fog/page.class.php

                ..
                ...
                
                'about'=>array(self::$foglang['FOG Configuration'],'fa fa-wrench fa-2x'),
                #  'logout'=>array(self::$foglang['Logout'],'fa fa-sign-out fa-2x'),
                );
                
                ...
                ..
                

                And according to my notes, that took me about… Eeyup, ~15 hours to figure out. Shows how bad I am at researching and debugging, I guess. But it works for us and what we’re trying to do! Again, please feel free to contact me about anything here; also, don’t be afraid to point out any typos. ^_^

                Thanks!

                1 Reply Last reply Reply Quote 4
                • S
                  Sebastian Roth Moderator
                  last edited by

                  Haven’t tried it yet but looks pretty solid from my point of view! @TreyBentley Thanks heaps for this great post!

                  Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                  Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                  1 Reply Last reply Reply Quote 0
                  • TreyBentleyT
                    TreyBentley
                    last edited by

                    –WARNING–

                    This method breaks the Fog Client(s).

                    Tom and his amazingly amazing self helped me get the LDAP Plugin working.

                    Tom ElliottT 1 Reply Last reply Reply Quote 0
                    • Tom ElliottT
                      Tom Elliott @TreyBentley
                      last edited by

                      @TreyBentley Ultimately, it will break MUCH more than just ldap. It will break pretty much ALL of fog.

                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                      1 Reply Last reply Reply Quote 0
                      • 1 / 1
                      • First post
                        Last post

                      143

                      Online

                      12.3k

                      Users

                      17.4k

                      Topics

                      155.8k

                      Posts
                      Copyright © 2012-2025 FOG Project