LDAP Plugins in FOG 1.3.0 RC 8

Steuve68

Hello all,

I use actually FOG 1.2.0 in production. It’s work fine !

For test, i installed FOG 1.3.0 RC8 on a test server.
I’m very interesting by the LDAP Plugins.
I installed and activated the LDAP Plugins. It’s OK, no error.

But after “Create New LDAP” into the “LDAP Management” in FOG, when I try to use my LDAP account for log on FOG, the Web Page is blank … and nothing.

My LDAP Server configuration into FOG is:

LDAP Server Name: xxx.xxx.xx
LDAP Server Description: Description of LDAP
LDAP Server Address: xxx.xxx.xx (the name not IP … need “ldaps://” ?)
DN: uid=xx,ou=xx,dc=xx,dc=xx
Server Port: 636

What’s the option “Create as admin” ?

Which LDAP attribut should be used for logon FOG ?
mail ?
uid ?
other attribut ? …

Thanks for your answers.

Tom Elliott

@Steuve68 UID I believe is what’s the best practice for now, though thy does make it harder for ad folks to use the LDAP plugin. Create as admin sets if you should enable creating the LDAP user as a normal user account within fog. It currently defaults to creating a ‘mobile/quick image’ user when successfully authenticated

george1421

@Steuve68 I can’t speak to the ldap plugin directly for FOG. For their windows “NT” style account name you would use the ldap field of sAMAccountName. I also would start off with the non-ssl port and IP address or FQDN of your DC.

While I didn’t see it listed above, typically there is a bind DN and an LDAP search path so you can limit the user search to a specific OU. I deleted my FOG dev server on accident so I can’t confirm the plugin works first hand.

Steuve68

@Tom-Elliott That’s the web page after test login with ldap account into FOG

@george1421 In the “DN” fields, what i need put ? Account (type: uid=xx,ou=xx,dc=xx,dc=xx) or OU: (type: ou=xxx,dc=xxx,dc=xx)

Thanks

george1421

@Steuve68 As for the DN it depends if its a bind DN or a base DN. The base DN is the search path where users will be searched (i.e. ou=users,ou=nyc,dc=domain,dc=com) if its a bind dn or bind credentials you can “sometimes” use just the AD structure of “domain\user” or if the ldap format is required then you need something like: “cn=Joebob Thomas,ou=admins,ou=nyc,dc=domain,dc=com” or “uid=joebob,ou=admins,ou=nyc,dc=domain,dc=com”

Basically what is needed here is:
The search base (where to look for users) this is called either search base or base dn
An account to connect to LDAP that the ldap client will use to query LDAP. This is typically called bind user or bind dn with a password. Some ldap agents will allow nt formatted autheniticated others require ldap user format.

In regards to AD you can kind of cheat to convert a AD user into ldap format. If you go into AD and look at a user, then select the object tab. On the object tab there is a conical name field: domain.com/NYC/Users/Jimbob Thomas You can convert it to an ldap name by reversing the order as such cn=Jimbob Thomas,ou=users,ou=nyc,dc=domain,dc=com

In the case of FOG, the apache error log may give you an idea why you are getting the white screen, typically this is when the fog server errors out.

Steuve68

@george1421 so … for blank page into apache2 log -> /var/log/apache2/error.log

PHP Fatal error: Call to undefined function ldap_connect()

For resolve this (blank page): apt-get install php5-ldap
I didn’t know that … it was not written in the wiki (https://wiki.fogproject.org/wiki/index.php?title=Plugins#LDAP_Plugin)

I try to log me into FOG with uid ldap … and now, not blank page but “Invalid login”

But now… after configure LDAP Server into FOG:
I see into apache2 “error.log” this:

PHP Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 38, referer: http://sm-fog-dev/fog/management/index.php

PHP Warning: ldap_bind(): Unable to bind to server: Invalid DN syntax in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 39, referer: http://sm-fog-dev/fog/management/index.php

PHP Warning: ldap_bind(): Unable to bind to server: Invalid DN syntax in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 40, referer: http://sm-fog-dev/fog/management/index.php

I don’t understand what put into the fields “DN” …

Thanks for help !

george1421

@Steuve68 Again I’m just speaking in general terms here since I haven’t worked with the FOG LDAP, but I would say there are some missing fields that would typically be required.

Based on what is there, I would say the DN is the base or search DN That would be the container where the ldap plugin would search for users. That field should be in ldap format.

The ldap server address should just be an ip address of the ldap server.

Now what I see missing is the bind dn and password (the user account that is used to query ldap). Some ldap systems allow for unauthenticated queries, and others like AD require an authorized user to be able to query AD (this keeps the bad guys from enumerating your internal AD structure). So I would suspect even if you had the visible fields filled out properly that this query would fail because of an authorization issue.

The last bit of information I see missing is that sometimes there will be a field for a goup name. That way the ldap query would see if the user that is logging in would be a memberof group “abc” would be allowed to login. Right now the way its setup if anyone in the search base dn logs in it will be allowed.

That reminds me of one more for your search base. Typically there is a field for how deep to search from the search base. To only search in the search base or to include all OUs below the search base too.

But again this is only speculation, probably Tom will need to comment on the actual function of the ldap plugin. If it would work, I would surely move to that method, that way we have only valid

I release this is WAY more information than you are asking for. I’m documenting it here since I feel the ldap plugin may require some needed bits.

Tom Elliott

@george1421 To be honest I’m not the guy you want for commenting. I made it work through a ton of testing with @x23piracy and an open LDAP layout. I don’t think we ever got it to work with Active Directory and there, currently, isn’t any extra information to pass along. This plugin was created by @Fernando-Gietz and was mainly used for open LDAP I think. Maybe one of them can chime in? Of course anybody with more experience integratingnsuch a system would be greatly appreciated. An AD and LDAP authentication system I think would be great for fog.

Steuve68

@george1421 OK … it is also what I think … is missing fields … user an pass to query LDAP … ! Thanks for your different answers and explanation.

@Tom-Elliott Yes, i think LDAP and/or AD authentication and delegation rights by users would be great for FOG.
If the LDAP Plugins developpers can explain how does it work it would be top !

Thanks for speed answers

Sorry for my bad english … i’m french.

george1421

@Steuve68 said in LDAP Plugins in FOG 1.3.0 RC 8:

Sorry for my bad english … i’m french.

Oh I didn’t know you were French, you loose 50 points for that. (just kidding your engish is great)

Yes lets see if the other developers can chime in. I can take a look at the code but I don’t have a clue on the programming part. I know what has to be in the query based on how other FLOSS applications work.

davido38

maybe it can help

I have Glpi on the same server of fog with ldap auth on a 2008 srv and it works fine.

george1421

@davido38 Thank you this confirms my concept that its possible to make the ldap code work generally with AD. I’ve been looking at the ldap plugin code over my lunch hour, and I see what they are doing. There are several assumptions (i.e. your LDAP should be setup in a certain way) in the code to fill in the missing fields, which may not work in all situations.

But, in concept the code should be able to be updated to support AD.

Tom Elliott

@george1421 totally agree

george1421

I’ve started a feature request here to document the process of reviewing the current LDAP plugin.
https://forums.fogproject.org/topic/8575/extend-ldap-plugin-to-support-ad-authentication

After reviewing the current ldap plugin there are only about 30 lines of code that is used for authentication. I believe that if I can add a few database fields to remove some of the assumptions that the code CAN be converted to support AD authentication.

x23piracy

@Tom-Elliott if this will work with AD it would be cool if a normal user can login into fog (webif or and pxe) to have to possibility to reset his computer (reimage).

Regards X23

george1421

@x23piracy Are you currently using ldap authentication today? I think I found a good example code that I can upgrade the bits in the plugin. I just want to make sure the upgraded bits don’t break what you are using.

x23piracy

@george1421 i discard using it because it didn’t work as intended with Active Directory, Tom and me tried a lot but in the end it was not fully working like i wanted to.

the Main Problem is that we couldn’t get it to work with two LDAP definitions pointing to a deeper laying OU unit in the AD
What i wanted was to have one conneciton for normal users that can logon to fog and another one that allows all admins access with higher rights.

Not easy to explain what exactly went wrong but it seems that the current plugin cannot work with a specific OU.

Regards X23

george1421

@x23piracy Great info, thank you.

The approach I’m looking at is to have user authentication and then if user is in AD group ( X ) then they are an admin, if they are in group ( Y ) then user, if they are not in either AD group then no access. Initially I was only thinking about a single group, but if there is admin and user levels in FOG then the dual group is the answer.

Your explanation also tells me why there was an admin field in the database. I hope to have time over the weekend to do a little coding to see if I can do a proof of concept test.

Wayne Workman

@george1421 said in LDAP Plugins in FOG 1.3.0 RC 8:

Your explanation also tells me why there was an admin field in the database

It was setup to restrict someone to just fog mobile if they weren’t an admin. It’s a checkbox in user management, for a user. When checked, they can only access fog mobile I think. Or vice versa… or something.