Extend LDAP plugin to support AD authentication

Wayne Workman

@george1421 I’d go further by limiting the bind DN account to only the OUs where the fog users and fog groups will be.

Tom Elliott

I don’t know how well it will work, but my testing of the most current ldap stuff appears to be working pretty well.

At least when done against the ldap server from forumsys.

Here’s my “configuration” that seems to work.

I don’t know all the other potentials but at least others can see the “POC” in action.

With any luck, others can see the “potential” and perform some more testing within their own environments.

It follows, more or less, in line with what @george1421 has done, but with a few caveat’s to what was required to get it working for the ldap I was testing against.

Hopefully it will work for AD environments just as easily as it will for what I’ve tested already.

Tom Elliott

@Wayne-Workman BindDN can be anything really. This is totally up to the administrator, and it typically requires a password. This is simply so the server can find data and ensure all is fine.

Once the bind is validated and finds the user, the bind is handed over to the user who’s actually trying to login. From there we find the associated elements for that user and validate the area (or not) they are to be a part of.

Wayne Workman

@Tom-Elliott Right. I was talking about restricting the specified user’s privileges - less loose ends. This is not a fog thing, this is something an admin would do in Active Directory.

Fernando Gietz

Hello!! A little feedback about this wonderful plugin
I installed it this morning (this morning here in Spain) and I like the different options to setup it but, for me, is a little confused fill the correct boxes to run it.

Actually we use openLDAP server (we have AD too but we don use it to validate the user under FOG), then I dont know which boxes need to fill to run the plugin well. The old version (RC-10) was easy (although I need to change some things in the code to run it well).

Questions:
Admin groups and Mobile groups, what these parameters are for? ¿purpose?
If I have a LDAP server, Bind DN and Bind password, is necessary fill these parameters?

Bugs:
In line 370 from ldap.class.php file:

$userDN = sprintf(
                 '%s=%s,%s',
                 $userNamAttr,
                 $user,
                 $userSearchDN
);

The $userNamAttr and $userSearchDN are empty, I dont know the reason, I have changed it to:

$userDN = sprintf(
                 '%s=%s,%s',
                 strtolower($this->get('userNamAttr')),
                 $user,
                 strtolower($this->get('searchDN'))
);

When the code tries to do the bind, always return me false.

george1421

@Fernando-Gietz I haven’t tested it as of now since it was pushed to RC11. I was working on a pre release of RC11 and it worked with AD.

I know the wiki page hasn’t been written as of now so there is no information on the new features of the plugin and we have not tested it with all situations.

I’ll have to look at the lines you mentioned to see what is going on.

To answer your question about the logic of the Admin and mobile groups. The reason is security. Just because you are a valid ldap user doesn’t mean you should have access to FOG. So in addition to being a valid ldap user, your account must be found in either an Admin group (as defined by that field) or a Mobile group (as defined by that field). This is consistent with the two user classes in FOG. If your account appears in both groups then the Admin account wins and you have admin access to FOG. There is a graphic below in this thread that I posted with text telling what each field does too.

I’ll refresh my server with RC11 and see if I can track down the bug.

I do have to say if you had the ldap plugin installed before RC11 you must uninstall and reinstall it for the database to be updated correctly. The structure has changed from the older style ldap plugin

george1421

@george1421 I can report (at least for AD LDAP) the plugin works as intended. I’m going to dig a bit deeper to make sure its not just a mistake on my part.

I can say I based it working off a false assumption. I still had the AD user cached based on some of the intermediate code. That is why the login worked every time. There is something wrong in the code. Tom and I worked on it for several hours last night. I see what its doing, but need to focus on why its doing what its doing.

george1421

@george1421 This thread and the ldap plugin is not dead. I have the code working with AD just fine, I need to perform some GUI updates to the web form to get it to work the way I want it to. But I think we are really close with the working solution.

george1421

@george1421 I’ve been working on other projects and haven’t had time to get back to this one. I have this plugin working in my production environment and it is working well. I’m to the point where I would like to test it in a few more AD environment as well as OpenLDAP. If you are willing to help test, please let me know and I’ll send the instructions. I have not yet submitted the code to the Developers for their review to be included in the official 1.3.0RC stream as of now. I wanted to ensure it functioned as we expected it before adding additional workload one the developers.

Here is a current screen clip of the fields and the expected values. We’ve added the ability to only do a name match with users at the search base dn. With this option the user must only appear in a defined OU or below. If a user is in that OU and the uid and password match then the user is considered a FOG admin. I don’t like using this option but there were several use cases (like all my fog admins are already in a defined OU) where I can understand the requirement (but still not like it ). The more secure way is to use group matching. In this case you will need to create an AD/LDAP group and put the admin/mobile users in these groups. This now changes the login requirements to 1) You must be a users in the specified OU, 2) Your uid and password must authenticate 3) Your uid must be in the authorized group for FOG.

Fernando Gietz

Hi George,

I can see that you added the option to use AD groups to define admin/mobile profiles or not. Can I test it anyway? I have update the server version to RC13, and in this version until is not operative these changes.

Tom Elliott

I’ve updated the working RC 15 branch to contain the changes as @george1421 made and tested some more things. Appears to still work with open LDAP though I need more confirmation to know if it is working for ad.

x23piracy

@Tom-Elliott Hi, i would like to test it but what’s the url to checkout working branch with git?
What if RC15 is released can i just change to trunk /bin/installfog.sh again?

Regards X23

Wayne Workman

I helped @x23piracy - also - We don’t want folks knowing how, it will cause more issues than help.

x23piracy

@Wayne-Workman i sell that information for 10 bucks :D… joking

george1421

1.3.0RC15 has been released with the updated ldap plugin support. You must upgrade to RC15, uninstall and then reinstall the LDAP plugin to ensure the ldap configuration database is created correctly. Please understand when the ldap plugin is uninstalled it also erases any settings for the plugin. If you need these settings archive the settings before removing the plugin.

We still have an issue with non-base ascii characters in the ldap search dn, or user path. If you have these international characters the ldap plugin will fail to authenticate. We are working on this issue, but we appear unsuccessful at this time. For a US English characters the ldap plugin does work as far as we tested with AD and OpenLDAP

Wayne Workman

Can this be tested again to make sure it’s still working properly George?

x23piracy

@Wayne-Workman said in Extend LDAP plugin to support AD authentication:

Can this be tested again to make sure it’s still working properly George?

additionally it would be interesting if there was progress with the vowel mutation (äöü) usage?

Regards X23

Tom Elliott

The ldap plugin works as it did before, I don’t know what you need to test.

There is one caveat and that, currently, if the account isn’t already present the first time you login the return will be “invalid login”.

The next login, however, will work fine.

I’ve corrected this particular problem for the next.

The mutations are still an issue as I don’t know how to get them to escape. Everything I’ve read online says that mutations are not allowed to be a part of the dn strings. If I remember correctly, this is where the mutation is currently stored in your case @x23piracy.

x23piracy

@Tom-Elliott said in Extend LDAP plugin to support AD authentication:

The mutations are still an issue as I don’t know how to get them to escape. Everything I’ve read online says that >mutations are not allowed to be a part of the dn strings. If I remember correctly, this is where the mutation is currently >stored in your case @x23piracy.

Sorry, but i cannot change way from the vowel’s and i need to say, i would never use them it was a real expert working in the company before that thougth hey i am a german and best practice is to not use vowels but he gave a shit on it and used them (i really would like to kick his ass).

Regards X23

Wayne Workman

@x23piracy Dude you are hilarious, in a good way.