• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Extend LDAP plugin to support AD authentication

    Scheduled Pinned Locked Moved Solved
    Feature Request
    8
    64
    28.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • george1421G
      george1421 Moderator
      last edited by

      I’m going to start a debugging session in a few minutes with this new ldap code. I would consider the current state as alpha code.

      Todo items:

      1. Review the code to ensure it still flows like I intended.
      2. Load the modified code into my production environment and confirm it works as the proof of concept code does.
      3. Work with changing case of groups, dn paths to make sure all case sensitivity is gone.
      4. Clean up the web gui configuration page. Currently there are fields that don’t have any impact on the code (binddn, bindpass, searchscope). The elements were built in place in case we needed to create a more complex ldap auth.

      This code does make a few assumptions about the target environment. I did use less complex logic to keep the lines of code down. It should work well for the different ldap backends. Only testing will tell.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

      1 Reply Last reply Reply Quote 1
      • george1421G
        george1421 Moderator
        last edited by

        Its been a few days since I posted an update to this. I’ve been debugging and have the ldap authentication working with AD. So the actual ldap authentication is working fine. I’ve run into a snag passing the authorized flag back to fog. I’m sure that can be worked out soon. Beyond that I’ve been testing with RC8 code. Once that is working I’ll stand up a new RC11 instance of FOG and confirm. In the end we are making progress with an end in sight.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

        adukes40A 1 Reply Last reply Reply Quote 1
        • adukes40A
          adukes40 @george1421
          last edited by

          @george1421 Is this stricly to allow signing into the FOG Gui with AD credentials or will we be able to interact with AD via fog. Like assigning snapins to certain AD groups.

          george1421G 1 Reply Last reply Reply Quote 0
          • george1421G
            george1421 Moderator @adukes40
            last edited by george1421

            @adukes40 This is only for user login. So far I’ve only tested via the web gui.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

            adukes40A 1 Reply Last reply Reply Quote 1
            • adukes40A
              adukes40 @george1421
              last edited by

              @george1421 would it be able to spawn from there? I have no idea how in depth it is. Im just generally curious.

              george1421G 1 Reply Last reply Reply Quote 0
              • george1421G
                george1421 Moderator @adukes40
                last edited by

                @adukes40 While anything is possible it would be a lot of work, and it would then tie FOG to requiring an AD infrastructure.

                I can say from a programming standpoint the code that FOG is built on can communicate with ldap pretty easily. So its possible to do. The issue is having enough motivation to pull it off. I looked at the ldap plugin that was in fog and have experience with programming queries to LDAP so there wasn’t a huge learning curve to update the plugin, plus what was there was sound already, they were just missing a few things.

                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                1 Reply Last reply Reply Quote 1
                • JJ FullmerJ
                  JJ Fullmer Testers
                  last edited by

                  I did a little testing on this and wasn’t able to add a ldap server. Put in all the information and I just get “LDAP ID # is not valid” I got ID 1 and 2 as invalid with 2 attempts at adding a server. @Tom-Elliott said that you might want to know.

                  Have you tried the FogApi powershell module? It's pretty cool IMHO
                  https://github.com/darksidemilk/FogApi
                  https://fogapi.readthedocs.io/en/latest/
                  https://www.powershellgallery.com/packages/FogApi
                  https://forums.fogproject.org/topic/12026/powershell-api-module

                  george1421G 2 Replies Last reply Reply Quote 0
                  • george1421G
                    george1421 Moderator @JJ Fullmer
                    last edited by

                    @JJ-Fullmer Wow interesting. I’ll surely take a look at that tonight. I installed RC11 B58 (I think) this AM after Tom updated the master code. The one thing that you must do if the LDAP plugin was installed before (now) is that you must uninstall and reinstall the plugin because the internal structure has changed. This AM after the refresh I had to recreate the ldap server and it installed correctly. Just to be sure uninstall the ldap plugin and then readd it back in.

                    As far as the status of the LDAP plugin, its (should be) almost complete. The only outstanding issue is adding the code for reauth. So as it stands right now once you are authorized via LDAP, you are authorized forever even if you kill the AD account (which is not to cool). I have a way to fix this tonight.

                    I’ll add a simple how to to this thread on what the plugin is expecting, but its pretty straight forward.

                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                    1 Reply Last reply Reply Quote 1
                    • george1421G
                      george1421 Moderator @JJ Fullmer
                      last edited by

                      @JJ-Fullmer OK I couldn’t resist checking. I have B54 installed and I was able to add a second ldap server without issue. Let me refresh my install and see if something changed from B54

                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                      1 Reply Last reply Reply Quote 1
                      • george1421G
                        george1421 Moderator
                        last edited by

                        Progress is going very well with the ldap plugin. But we found that when we start bringing in other ldap serves to test, some of the shortcuts that worked for M$ did not work so well with other ldap servers. To that end, I wrote another proof of concept code using the long way to get a user’s ldap attributes. In this method I have to use an authorized read only user to query the ldap server to locate the user’s ldap account, then I use that ldap account to relogin to the ldap server to pick up the user’s group associations.

                        <?php
                        
                            // the user we are going to authenticate
                            $user = 'user1234';
                            $pass = 'Password';
                        
                            // IP address or fqdn of ldap server
                            $server = '192.168.1.5';
                        
                            // credentials that have read access to the LDAP server
                            $bindDN = 'cn=Bob Jones,ou=Users,ou=nyc,dc=domain,dc=com';
                            $bindPass = 'Password.2';
                        
                            // How deep in ldap from search base are we going to look for the user
                            $searchScope = 2;
                        
                                // clean up user name we only want the user's short name without any domain component
                                // note I did not try to understand the regex expression but I expect there to be
                                // issues with non-us english characters, just saying.
                                $user = trim(preg_replace('/[^a-zA-Z0-9\-\_@\.]/', '', $user));
                        
                                // open connection to the server
                                $ldapconn = ldap_connect($server,389);
                                ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
                                ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
                        
                                $accessLevel = 0;
                                $userSearchDN = 'ou=nyc,dc=domain,dc=com';
                                $adminGroup = 'FoG_Admins';
                                $userGroup = 'FOG_Users';
                                $grpMemberAttr = strtolower('memberOf');
                        
                                if ( ldap_bind($ldapconn, $bindDN, $bindPass) ) {
                                    // for the filter we are searching for a person with an NT style account like the contents of $user
                                    $filter = sprintf('(&(objectCategory=inetOrgPerson)(%s=%s))', 'sAMAccountName', $user);
                        
                                    // we want to return the user's DN so that we can bind as the user
                                    // we will get his DN based on his samaccountname for AD
                                    $attr = array( 'dn' );
                        
                                    switch ($searchScope) {
                                        case 1:
                                            // LDAP_SCOPE_ONELEVEL search one level down but not base
                                            $result = ldap_list($ldapconn, $userSearchDN, $filter, $attr);
                                            break;
                                        case 2:
                                            // LDAP_SCOPE_SUBTREE search base + all subtree (OUs) below
                                            $result = ldap_search($ldapconn, $userSearchDN, $filter, $attr);
                                            break;
                                        default:
                                            // LDAP_SCOPE_BASE search base only and don't look any deeper
                                            $result = ldap_read($ldapconn, $userSearchDN, $filter, $attr);
                                    }
                        
                                    // count the number of entries returned
                                    $retcount = ldap_count_entries($ldapconn, $result);
                        
                                    if ($retcount == 1) {
                                        // great we only returned one entry
                                        $entries = ldap_get_entries($ldapconn, $result);
                                        // pull out the user dn from the entries
                                        $userDN = $entries[0]['dn'];
                                    } else {
                                        $userDN = '';
                                    }
                        
                                }
                        
                                // if user dn is populated then attempt to connect (bind) to ldap as user
                                if (!$userDN =='') {
                                    // Now rebind as the user we just found
                                    if ( ldap_bind($ldapconn, $userDN, $pass) ) {
                                        // If we get to here the user is authorized, now lets get the group membership
                        
                                        // This time since we know the user DN (fully qualified ldap path) we can look up the user based on that
                                        // this filter just matches all objects (cheat)
                                        $filter = '(objectclass=*)';
                        
                                        // get what groups this user is a member of
                                        $attr = array( $grpMemberAttr );
                                        
                                        // read in the attributes of this user
                                        $result = ldap_read($ldapconn, $userDN, $filter, $attr);
                        
                        
                                        // count the number of entries returned
                                        $retcount = ldap_count_entries($ldapconn, $result);
                        
                                        if ($retcount > 0) {
                                            $entries = ldap_get_entries($ldapconn, $result);
                        
                                            // check groups for membership
                                            foreach($entries[0][$grpMemberAttr] as $grps) {
                                                // is admin user, set level and break loop
                                                if(strpos( $grps, $adminGroup )) { $accessLevel = 2; break; }
                        
                                               // is user, set level and keep looking just incase user is in both groups
                                               if(strpos( $grps, $userGroup )) $accessLevel = 1;
                                           }
                                        }
                        
                                        // close our connection as bindDN
                                        ldap_unbind( $ldapconn );
                        
                                        echo $accessLevel;
                        
                                    } else {
                                        print 'unable to bind using user info, user is not authorized in ldap';
                        
                                    }
                             } else {
                                  echo 'User not found in LDAP';
                             }
                         ?>
                        

                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                        JJ FullmerJ 2 Replies Last reply Reply Quote 1
                        • JJ FullmerJ
                          JJ Fullmer Testers @george1421
                          last edited by

                          @george1421 Updated to latest rc11 and reinstalled the ldap plugin, great success.
                          I was able to add a server no problem.

                          Just a recommendation though, or maybe it’s a question. I figure the bindDN is the user you use to sign in to the domain and the same with the password. Perhaps it’s possible to utilize the same method or maybe even link to the existing one that fog uses for joining to the domain?
                          Just cause it’s gonna be prone to error and confusion if to set up a binding user you have to put in that full ldap style query with the cn’s and the ou’s, and the dc’s and what have you. Or maybe I’m misunderstanding that field.

                          Have you tried the FogApi powershell module? It's pretty cool IMHO
                          https://github.com/darksidemilk/FogApi
                          https://fogapi.readthedocs.io/en/latest/
                          https://www.powershellgallery.com/packages/FogApi
                          https://forums.fogproject.org/topic/12026/powershell-api-module

                          george1421G 1 Reply Last reply Reply Quote 0
                          • JJ FullmerJ
                            JJ Fullmer Testers @george1421
                            last edited by

                            @george1421 Also, maybe I’m just looking in the wrong place for the documentation, so feel free to direct me to where this may already be written. But what do I do after I set up a server? Are users going to just populate automatically or is there another step? I feel like I’m missing something.

                            Have you tried the FogApi powershell module? It's pretty cool IMHO
                            https://github.com/darksidemilk/FogApi
                            https://fogapi.readthedocs.io/en/latest/
                            https://www.powershellgallery.com/packages/FogApi
                            https://forums.fogproject.org/topic/12026/powershell-api-module

                            george1421G 1 Reply Last reply Reply Quote 0
                            • george1421G
                              george1421 Moderator @JJ Fullmer
                              last edited by

                              @JJ-Fullmer I’m not sure I fully understand your question.

                              In rc11 it may or may not show the bind dn just yet. That code is in a state of flux a bit.

                              But in general we will switch over to using a bind DN (which needs to be in full ldap format) to initially connect to the ldap server to look up the user’s cn (in full ldap format). We were using just the short form of the user’s credentials (user@domain.com) to bind to ldap, but that only appears to work reliably with AD.

                              Tom and (or at least I) will have another coding session tonight to see if we can get this wrapped up. All of the parts work independently now we just need to get them to work together.

                              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                              1 Reply Last reply Reply Quote 1
                              • george1421G
                                george1421 Moderator @JJ Fullmer
                                last edited by

                                @JJ-Fullmer The documentation hasn’t been written just yet because our approach changed overnight. Let me refresh my server and I’ll post something here to get you started. I can’t guarantee it works until I update my server and test it.

                                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                                1 Reply Last reply Reply Quote 1
                                • george1421G
                                  george1421 Moderator
                                  last edited by

                                  Here is a screen shot of what is expected.

                                  0_1474644364724_ldap_plugin_settings.png

                                  Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                                  Wayne WorkmanW 1 Reply Last reply Reply Quote 1
                                  • Wayne WorkmanW
                                    Wayne Workman @george1421
                                    last edited by

                                    @george1421 I’d go further by limiting the bind DN account to only the OUs where the fog users and fog groups will be.

                                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                    Daily Clean Installation Results:
                                    https://fogtesting.fogproject.us/
                                    FOG Reporting:
                                    https://fog-external-reporting-results.fogproject.us/

                                    Tom ElliottT 1 Reply Last reply Reply Quote 1
                                    • Tom ElliottT
                                      Tom Elliott
                                      last edited by

                                      I don’t know how well it will work, but my testing of the most current ldap stuff appears to be working pretty well.

                                      At least when done against the ldap server from forumsys.

                                      Here’s my “configuration” that seems to work.

                                      I don’t know all the other potentials but at least others can see the “POC” in action.

                                      0_1474746815583_upload-2e4dc264-091f-4b62-9e5e-d3c44ad383cc

                                      With any luck, others can see the “potential” and perform some more testing within their own environments.

                                      It follows, more or less, in line with what @george1421 has done, but with a few caveat’s to what was required to get it working for the ldap I was testing against.

                                      Hopefully it will work for AD environments just as easily as it will for what I’ve tested already.

                                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                      1 Reply Last reply Reply Quote 0
                                      • Tom ElliottT
                                        Tom Elliott @Wayne Workman
                                        last edited by

                                        @Wayne-Workman BindDN can be anything really. This is totally up to the administrator, and it typically requires a password. This is simply so the server can find data and ensure all is fine.

                                        Once the bind is validated and finds the user, the bind is handed over to the user who’s actually trying to login. From there we find the associated elements for that user and validate the area (or not) they are to be a part of.

                                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                                        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                        Wayne WorkmanW 1 Reply Last reply Reply Quote 0
                                        • Wayne WorkmanW
                                          Wayne Workman @Tom Elliott
                                          last edited by

                                          @Tom-Elliott Right. I was talking about restricting the specified user’s privileges - less loose ends. This is not a fog thing, this is something an admin would do in Active Directory.

                                          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                          Daily Clean Installation Results:
                                          https://fogtesting.fogproject.us/
                                          FOG Reporting:
                                          https://fog-external-reporting-results.fogproject.us/

                                          1 Reply Last reply Reply Quote 0
                                          • F
                                            Fernando Gietz Developer
                                            last edited by

                                            Hello!! A little feedback about this wonderful plugin 🙂
                                            I installed it this morning (this morning here in Spain) and I like the different options to setup it but, for me, is a little confused fill the correct boxes to run it.

                                            Actually we use openLDAP server (we have AD too but we don use it to validate the user under FOG), then I dont know which boxes need to fill to run the plugin well. The old version (RC-10) was easy (although I need to change some things in the code to run it well).

                                            Questions:
                                            Admin groups and Mobile groups, what these parameters are for? ¿purpose?
                                            If I have a LDAP server, Bind DN and Bind password, is necessary fill these parameters?

                                            Bugs:
                                            In line 370 from ldap.class.php file:

                                            $userDN = sprintf(
                                                             '%s=%s,%s',
                                                             $userNamAttr,
                                                             $user,
                                                             $userSearchDN
                                            );
                                            

                                            The $userNamAttr and $userSearchDN are empty, I dont know the reason, I have changed it to:

                                            $userDN = sprintf(
                                                             '%s=%s,%s',
                                                             strtolower($this->get('userNamAttr')),
                                                             $user,
                                                             strtolower($this->get('searchDN'))
                                            );
                                            

                                            When the code tries to do the bind, always return me false.

                                            george1421G 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 4 / 4
                                            • First post
                                              Last post

                                            287

                                            Online

                                            12.0k

                                            Users

                                            17.3k

                                            Topics

                                            155.2k

                                            Posts
                                            Copyright © 2012-2024 FOG Project