
Extend LDAP plugin to support AD authentication

Feature Request
    Wayne Workman @x23piracy
    last edited by Oct 18, 2016, 6:31 PM

    I helped @x23piracy - also - We don’t want folks knowing how, it will cause more issues than help.

    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
    Daily Clean Installation Results:
    https://fogtesting.fogproject.us/
    FOG Reporting:
    https://fog-external-reporting-results.fogproject.us/

      x23piracy @Wayne Workman
      last edited by Oct 18, 2016, 6:32 PM

      @Wayne-Workman I sell that information for 10 bucks :D… joking

      ║▌║█║▌│║▌║▌█

        george1421 Moderator
        last edited by george1421 Oct 23, 2016, 4:31 PM Oct 23, 2016, 10:28 PM

        1.3.0RC15 has been released with the updated ldap plugin support. You must upgrade to RC15, uninstall and then reinstall the LDAP plugin to ensure the ldap configuration database is created correctly. Please understand when the ldap plugin is uninstalled it also erases any settings for the plugin. If you need these settings archive the settings before removing the plugin.

        We still have an issue with non-base ASCII characters in the LDAP search DN, or user path. If you have these international characters the LDAP plugin will fail to authenticate. We are working on this issue, but we appear unsuccessful at this time. For US English characters the LDAP plugin does work, as far as we tested, with AD and OpenLDAP.

          Wayne Workman
          last edited by Dec 14, 2016, 4:17 AM

          Can this be tested again to make sure it’s still working properly George?

            x23piracy @Wayne Workman
            last edited by x23piracy Dec 14, 2016, 1:32 AM Dec 14, 2016, 7:31 AM

            @Wayne-Workman said in Extend LDAP plugin to support AD authentication:

            Can this be tested again to make sure it’s still working properly George?

            Additionally, it would be interesting if there was progress with the vowel mutation (äöü) usage?

            Regards X23

              Tom Elliott
              last edited by Dec 14, 2016, 11:29 AM

              The ldap plugin works as it did before, I don’t know what you need to test.

              There is one caveat and that, currently, if the account isn’t already present the first time you login the return will be “invalid login”.

              The next login, however, will work fine.

              I’ve corrected this particular problem for the next.

              The mutations are still an issue as I don’t know how to get them to escape. Everything I’ve read online says that mutations are not allowed to be a part of the dn strings. If I remember correctly, this is where the mutation is currently stored in your case @x23piracy.

              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

              Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

              Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                x23piracy @Tom Elliott
                last edited by x23piracy Dec 14, 2016, 5:32 AM Dec 14, 2016, 11:32 AM

                @Tom-Elliott said in Extend LDAP plugin to support AD authentication:

                The mutations are still an issue as I don’t know how to get them to escape. Everything I’ve read online says that mutations are not allowed to be a part of the dn strings. If I remember correctly, this is where the mutation is currently stored in your case @x23piracy.

                Sorry, but I cannot change away from the vowels, and I need to say I would never use them. It was a real expert working in the company before who thought, hey, I am a German and best practice is to not use vowels, but he gave a shit on it and used them (I really would like to kick his ass).

                Regards X23

                  Wayne Workman @x23piracy
                  last edited by Dec 14, 2016, 1:22 PM

                  @x23piracy Dude you are hilarious, in a good way.

                    x23piracy @Wayne Workman
                    last edited by Dec 14, 2016, 1:40 PM

                    @Wayne-Workman Hehe, sorry for the bad words, but I really have to deal with some stupid people calling themselves IT experts 😄

                      Tom Elliott @x23piracy
                      last edited by Dec 14, 2016, 1:41 PM

                      @x23piracy To figure this out more properly, I think I need a means to replicate the issue very specifically.

                      Anybody know of any good guides to create my own internal AD Server?

                        x23piracy @Tom Elliott
                        last edited by x23piracy Dec 14, 2016, 7:47 AM Dec 14, 2016, 1:46 PM

                        @Tom-Elliott I would simply install a Windows server with the AD role enabled; AFAIK simply building an AD should be no rocket science. I don’t know a simpler way; it would be cool if there were a binary out there that could simulate an AD.

                          george1421 Moderator @Tom Elliott
                          last edited by Dec 14, 2016, 1:57 PM

                          @Tom-Elliott said in Extend LDAP plugin to support AD authentication:

                          @x23piracy To figure this out more properly, I think I need a means to replicate the issue very specifically.

                          Anybody know of any good guides to create my own internal AD Server?

                          To find the error it’s even easier than that. I have a standalone PHP script that will throw the error; all you need is an AD/LDAP server to connect to.

                            george1421 Moderator @george1421
                            last edited by Dec 14, 2016, 2:04 PM

                            @george1421

                            <?php
                            $user = 'meUser';
                            $pass = 'mePassword.1';
                            $server = '192.168.1.20';
                            $bindDN = 'cn=BindUserisMe,ou=Domain Users,dc=domain,dc=com';
                            $bindPass = 'BindPassword.1';
                            $searchScope = 2;

                            // clean up user name, we only want the user's short name without any domain component
                            // note I did not try to understand the regex expression but I expect there to be
                            // issues with non-us english characters, just saying.
                            $user = trim(preg_replace('/[^a-zA-Z0-9\-\_@\.]/', '', $user));

                            // open connection to the server
                            $ldapconn = ldap_connect($server, 389);
                            ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
                            ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

                            $userDN = '';
                            $accessLevel = 0;

                            // this line will throw the error.
                            $userSearchDN = 'ou=äDomain Users,DC=domain,dc=com';

                            $adminGroup = 'FoG_Admins';
                            $userGroup = 'FOG_Users';
                            $grpMemberAttr = strtolower('memberOf');

                            if (ldap_bind($ldapconn, $bindDN, $bindPass)) {
                                $filter = sprintf('(&(objectCategory=inetOrgPerson)(%s=%s))', 'sAMAccountName', $user);
                                // we want to return the user's DN so that we can bind as the user
                                // we will get his DN based on his samaccountname for AD
                                $attr = array('dn');

                                switch ($searchScope) {
                                    case 1:
                                        // LDAP_SCOPE_ONELEVEL search one level down but not base
                                        $result = ldap_list($ldapconn, $userSearchDN, $filter, $attr);
                                        break;
                                    case 2:
                                        // LDAP_SCOPE_SUBTREE search base + all subtree (OUs) below
                                        $result = ldap_search($ldapconn, $userSearchDN, $filter, $attr);
                                        break;
                                    default:
                                        // LDAP_SCOPE_BASE search base only and don't look any deeper
                                        $result = ldap_read($ldapconn, $userSearchDN, $filter, $attr);
                                }

                                // count the number of entries returned; a failed search (e.g. a bad base DN)
                                // returns false, which must not be handed to ldap_count_entries()
                                $retcount = ($result === false) ? 0 : ldap_count_entries($ldapconn, $result);

                                if ($retcount == 1) {
                                    // great we only returned one entry
                                    $entries = ldap_get_entries($ldapconn, $result);
                                    // pull out the user dn from the entries
                                    $userDN = $entries[0]['dn'];
                                } else {
                                    $userDN = '';
                                }
                            }

                            // strict comparison; the original "!$userDN == ''" only worked by accident of precedence
                            if ($userDN !== '') {
                                // Now rebind as the user we just found
                                if (ldap_bind($ldapconn, $userDN, $pass)) {
                                    // If we get to here the user is authorized, now lets get the group membership
                                    // This time since we know the user DN we can look up the user based on that
                                    $filter = '(objectclass=*)';
                                    // get what groups this user is a member of
                                    $attr = array($grpMemberAttr);
                                    $result = ldap_read($ldapconn, $userDN, $filter, $attr);

                                    // count the number of entries returned
                                    $retcount = ($result === false) ? 0 : ldap_count_entries($ldapconn, $result);

                                    if ($retcount > 0) {
                                        $entries = ldap_get_entries($ldapconn, $result);
                                        // a user with no memberOf values has no such key at all
                                        $groups = isset($entries[0][$grpMemberAttr]) ? $entries[0][$grpMemberAttr] : array();

                                        // check groups for membership; ldap_get_entries() adds a 'count' element, skip it
                                        foreach ($groups as $key => $grps) {
                                            if ($key === 'count') continue;
                                            // is admin user, set level and break loop
                                            if (strpos($grps, $adminGroup) !== false) { $accessLevel = 2; break; }

                                            // is user, set level and keep looking just in case user is in both groups
                                            if (strpos($grps, $userGroup) !== false) $accessLevel = 1;
                                        }
                                    }
                                    // close our connection as bindDN
                                    ldap_unbind($ldapconn);

                                    echo $accessLevel;
                                } else {
                                    print 'unable to bind using user info, user is not authorized in ldap';
                                }
                            } else {
                                echo 'User not found in LDAP';
                            }
                            ?>


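The search-DN and username handling discussed in this thread (umlauts in the search DN, the username regex in george1421's script), as an added example that is not part of the thread or of the FOG plugin. It assumes PHP >= 5.6 with the ldap and mbstring extensions, a placeholder controller dc.example.com with placeholder bind credentials, and objectClass=user as the AD account class.

```php
<?php
// Added example, not FOG project code. LDAPv3 accepts only UTF-8 in DNs and filters
// (RFC 4511/4514) and login-form input must be escaped before it enters a filter;
// this reworks the lookup above around that. Assumes PHP >= 5.6, ldap and mbstring.

// A DN stored in a Latin-1 source file or a non-UTF-8 database column arrives at
// the server as invalid UTF-8 and is rejected with invalidDNSyntax (result 34).
function dnToUtf8($dn, $legacyEncoding = 'ISO-8859-1')
{
    if (mb_check_encoding($dn, 'UTF-8')) {
        return $dn;
    }
    return mb_convert_encoding($dn, 'UTF-8', $legacyEncoding);
}

// Assemble the search base from RDN values. LDAP_ESCAPE_DN escapes the RFC 4514
// specials (\ , = + < > ; " #); a UTF-8 umlaut needs no escaping and is kept.
function buildSearchDn(array $ous, array $dcs)
{
    $rdns = array();
    foreach ($ous as $ou) {
        $rdns[] = 'ou=' . ldap_escape(dnToUtf8($ou), '', LDAP_ESCAPE_DN);
    }
    foreach ($dcs as $dc) {
        $rdns[] = 'dc=' . ldap_escape(dnToUtf8($dc), '', LDAP_ESCAPE_DN);
    }
    return implode(',', $rdns);
}

// The original regex strips every non-ASCII byte, so "jörg" becomes "jrg" and can
// never match. Keep Unicode letters/digits (/u) and let LDAP_ESCAPE_FILTER
// neutralise * ( ) \ NUL, so a crafted username cannot rewrite the filter.
function buildUserFilter($user)
{
    $user = trim(preg_replace('/[^\p{L}\p{N}\-_@.]/u', '', dnToUtf8($user)));
    if ($user === '') {
        return null;
    }
    return sprintf('(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($user, '', LDAP_ESCAPE_FILTER));
}

// Resolve the account DN and surface the real LDAP error rather than a bare
// "invalid login". Returns array(dn, null) on success, array(null, reason) otherwise.
function findUserDn($conn, $searchDn, $user, $scope = 2)
{
    $filter = buildUserFilter($user);
    if ($filter === null) {
        return array(null, 'username empty after cleanup');
    }
    $byScope = array(1 => 'ldap_list', 2 => 'ldap_search'); // one level / subtree
    $search = isset($byScope[$scope]) ? $byScope[$scope] : 'ldap_read'; // base only
    $result = @$search($conn, $searchDn, $filter, array('dn'));
    if ($result === false) {
        // errno 34 here means the base DN itself is malformed, e.g. wrongly encoded
        return array(null, sprintf('search failed: %s (%d)', ldap_error($conn), ldap_errno($conn)));
    }
    if (ldap_count_entries($conn, $result) !== 1) {
        return array(null, 'user not found or not unique below ' . $searchDn);
    }
    $entries = ldap_get_entries($conn, $result);
    return array($entries[0]['dn'], null);
}

// Usage with placeholder host, bind DN and password (not real values).
$conn = ldap_connect('ldap://dc.example.com');
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
if (ldap_bind($conn, 'cn=BindUser,ou=Domain Users,dc=example,dc=com', 'bind-password-placeholder')) {
    $base = buildSearchDn(array('äDomain Users'), array('example', 'com'));
    list($dn, $why) = findUserDn($conn, $base, 'jörg');
    echo $why === null ? "found $dn\n" : "error: $why\n";
    ldap_unbind($conn);
}
```

Save the file as UTF-8 without a BOM; if the literal "äDomain Users" still fails with result 34, the bytes reaching the server are not UTF-8 and dnToUtf8() is where to look.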
                              Tom Elliott @george1421
                              last edited by Dec 14, 2016, 2:12 PM

                              @george1421 I’m downloading a Windows Server 2012 ISO right now.

                              I’ll create a domain and this will extend my testing a bit.

                              1. I can test the LDAP plugin in a semi real world environment.
                              2. I can test client domain joins internally. (Joe created a server for us to use, but I’m always hesitant towards it as it is going straight across the internet.)
                              3. I can test LDAP Groups in an AD frameset.
                              4. I can test mutations and hopefully figure out a solution to this ever going problem. (Or validate with certainty that this will not work).

                                george1421 Moderator @Tom Elliott
                                last edited by Dec 14, 2016, 2:18 PM

                                @Tom-Elliott I do have questions if it is failing on mine because I don’t have some international character set loaded. While I’m not saying that is the case, it is a possibility.

                                At home I have a 2012 reference image that is built by MDT. That way I can spin up a new 2012 server quickly and have 3 days before it needs to be activated. It’s not an ideal situation, but if you are playing and mess up the server you can rebuild it quickly. (Been there, done that.)

                                  x23piracy @george1421
                                  last edited by Dec 14, 2016, 2:23 PM

                                  @george1421 @Tom-Elliott If you like, Tom, I will give you TV access to my environment and you can do your experiments if you like?

                                  Regards X23

                                    Wayne Workman
                                    last edited by Dec 14, 2016, 7:20 PM

                                    I have a windows domain at home…

                                      Tom Elliott
                                      last edited by Dec 14, 2016, 7:33 PM

                                      I have a windows domain at home now.

                                      And I’m very close to figuring this out, I hope.

                                        Wayne Workman
                                        last edited by Dec 14, 2016, 7:50 PM

                                        I’m trying to setup the LDAP stuff at work right now… some guidance would be appreciated… I’m going to poke around still though.

                                          Tom Elliott
                                          last edited by Dec 14, 2016, 8:04 PM

                                          With any luck, this will now work woot woot.

                                          Copyright © 2012-2024 FOG Project