Extend LDAP plugin to support AD authentication

george1421 · Sep 21, 2016, 8:37 PM

@JJ-Fullmer Wow interesting. I’ll surely take a look at that tonight. I installed RC11 B58 (I think) this AM after Tom updated the master code. The one thing that you must do if the LDAP plugin was installed before (now) is that you must uninstall and reinstall the plugin because the internal structure has changed. This AM after the refresh I had to recreate the ldap server and it installed correctly. Just to be sure uninstall the ldap plugin and then readd it back in.

As far as the status of the LDAP plugin, its (should be) almost complete. The only outstanding issue is adding the code for reauth. So as it stands right now once you are authorized via LDAP, you are authorized forever even if you kill the AD account (which is not to cool). I have a way to fix this tonight.

I’ll add a simple how to to this thread on what the plugin is expecting, but its pretty straight forward.

george1421 · Sep 21, 2016, 8:41 PM

@JJ-Fullmer OK I couldn’t resist checking. I have B54 installed and I was able to add a second ldap server without issue. Let me refresh my install and see if something changed from B54

george1421 · Sep 23, 2016, 2:34 AM

Progress is going very well with the ldap plugin. But we found that when we start bringing in other ldap serves to test, some of the shortcuts that worked for M$ did not work so well with other ldap servers. To that end, I wrote another proof of concept code using the long way to get a user’s ldap attributes. In this method I have to use an authorized read only user to query the ldap server to locate the user’s ldap account, then I use that ldap account to relogin to the ldap server to pick up the user’s group associations.

<?php

    // the user we are going to authenticate
    $user = 'user1234';
    $pass = 'Password';

    // IP address or fqdn of ldap server
    $server = '192.168.1.5';

    // credentials that have read access to the LDAP server
    $bindDN = 'cn=Bob Jones,ou=Users,ou=nyc,dc=domain,dc=com';
    $bindPass = 'Password.2';

    // How deep in ldap from search base are we going to look for the user
    $searchScope = 2;

        // clean up user name we only want the user's short name without any domain component
        // note I did not try to understand the regex expression but I expect there to be
        // issues with non-us english characters, just saying.
        $user = trim(preg_replace('/[^a-zA-Z0-9\-\_@\.]/', '', $user));

        // open connection to the server
        $ldapconn = ldap_connect($server,389);
        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

        $accessLevel = 0;
        $userSearchDN = 'ou=nyc,dc=domain,dc=com';
        $adminGroup = 'FoG_Admins';
        $userGroup = 'FOG_Users';
        $grpMemberAttr = strtolower('memberOf');

        if ( ldap_bind($ldapconn, $bindDN, $bindPass) ) {
            // for the filter we are searching for a person with an NT style account like the contents of $user
            $filter = sprintf('(&(objectCategory=inetOrgPerson)(%s=%s))', 'sAMAccountName', $user);

            // we want to return the user's DN so that we can bind as the user
            // we will get his DN based on his samaccountname for AD
            $attr = array( 'dn' );

            switch ($searchScope) {
                case 1:
                    // LDAP_SCOPE_ONELEVEL search one level down but not base
                    $result = ldap_list($ldapconn, $userSearchDN, $filter, $attr);
                    break;
                case 2:
                    // LDAP_SCOPE_SUBTREE search base + all subtree (OUs) below
                    $result = ldap_search($ldapconn, $userSearchDN, $filter, $attr);
                    break;
                default:
                    // LDAP_SCOPE_BASE search base only and don't look any deeper
                    $result = ldap_read($ldapconn, $userSearchDN, $filter, $attr);
            }

            // count the number of entries returned
            $retcount = ldap_count_entries($ldapconn, $result);

            if ($retcount == 1) {
                // great we only returned one entry
                $entries = ldap_get_entries($ldapconn, $result);
                // pull out the user dn from the entries
                $userDN = $entries[0]['dn'];
            } else {
                $userDN = '';
            }

        }

        // if user dn is populated then attempt to connect (bind) to ldap as user
        if (!$userDN =='') {
            // Now rebind as the user we just found
            if ( ldap_bind($ldapconn, $userDN, $pass) ) {
                // If we get to here the user is authorized, now lets get the group membership

                // This time since we know the user DN (fully qualified ldap path) we can look up the user based on that
                // this filter just matches all objects (cheat)
                $filter = '(objectclass=*)';

                // get what groups this user is a member of
                $attr = array( $grpMemberAttr );
                
                // read in the attributes of this user
                $result = ldap_read($ldapconn, $userDN, $filter, $attr);


                // count the number of entries returned
                $retcount = ldap_count_entries($ldapconn, $result);

                if ($retcount > 0) {
                    $entries = ldap_get_entries($ldapconn, $result);

                    // check groups for membership
                    foreach($entries[0][$grpMemberAttr] as $grps) {
                        // is admin user, set level and break loop
                        if(strpos( $grps, $adminGroup )) { $accessLevel = 2; break; }

                       // is user, set level and keep looking just incase user is in both groups
                       if(strpos( $grps, $userGroup )) $accessLevel = 1;
                   }
                }

                // close our connection as bindDN
                ldap_unbind( $ldapconn );

                echo $accessLevel;

            } else {
                print 'unable to bind using user info, user is not authorized in ldap';

            }
     } else {
          echo 'User not found in LDAP';
     }
 ?>

JJ Fullmer · Sep 23, 2016, 3:02 PM

@george1421 Updated to latest rc11 and reinstalled the ldap plugin, great success.
I was able to add a server no problem.

Just a recommendation though, or maybe it’s a question. I figure the bindDN is the user you use to sign in to the domain and the same with the password. Perhaps it’s possible to utilize the same method or maybe even link to the existing one that fog uses for joining to the domain?
Just cause it’s gonna be prone to error and confusion if to set up a binding user you have to put in that full ldap style query with the cn’s and the ou’s, and the dc’s and what have you. Or maybe I’m misunderstanding that field.

JJ Fullmer · Sep 23, 2016, 3:04 PM

@george1421 Also, maybe I’m just looking in the wrong place for the documentation, so feel free to direct me to where this may already be written. But what do I do after I set up a server? Are users going to just populate automatically or is there another step? I feel like I’m missing something.

george1421 · Sep 23, 2016, 3:08 PM

@JJ-Fullmer I’m not sure I fully understand your question.

In rc11 it may or may not show the bind dn just yet. That code is in a state of flux a bit.

But in general we will switch over to using a bind DN (which needs to be in full ldap format) to initially connect to the ldap server to look up the user’s cn (in full ldap format). We were using just the short form of the user’s credentials (user@domain.com) to bind to ldap, but that only appears to work reliably with AD.

Tom and (or at least I) will have another coding session tonight to see if we can get this wrapped up. All of the parts work independently now we just need to get them to work together.

george1421 · Sep 23, 2016, 3:10 PM

@JJ-Fullmer The documentation hasn’t been written just yet because our approach changed overnight. Let me refresh my server and I’ll post something here to get you started. I can’t guarantee it works until I update my server and test it.

george1421 · Sep 23, 2016, 3:26 PM

Here is a screen shot of what is expected.

Wayne Workman · Sep 23, 2016, 3:28 PM

@george1421 I’d go further by limiting the bind DN account to only the OUs where the fog users and fog groups will be.

Tom Elliott · Sep 24, 2016, 7:55 PM

I don’t know how well it will work, but my testing of the most current ldap stuff appears to be working pretty well.

At least when done against the ldap server from forumsys.

Here’s my “configuration” that seems to work.

I don’t know all the other potentials but at least others can see the “POC” in action.

With any luck, others can see the “potential” and perform some more testing within their own environments.

It follows, more or less, in line with what @george1421 has done, but with a few caveat’s to what was required to get it working for the ldap I was testing against.

Hopefully it will work for AD environments just as easily as it will for what I’ve tested already.

Tom Elliott · Sep 24, 2016, 7:58 PM

@Wayne-Workman BindDN can be anything really. This is totally up to the administrator, and it typically requires a password. This is simply so the server can find data and ensure all is fine.

Once the bind is validated and finds the user, the bind is handed over to the user who’s actually trying to login. From there we find the associated elements for that user and validate the area (or not) they are to be a part of.

Wayne Workman · Sep 24, 2016, 9:47 PM

@Tom-Elliott Right. I was talking about restricting the specified user’s privileges - less loose ends. This is not a fog thing, this is something an admin would do in Active Directory.

Fernando Gietz · Sep 26, 2016, 3:00 PM

Hello!! A little feedback about this wonderful plugin
I installed it this morning (this morning here in Spain) and I like the different options to setup it but, for me, is a little confused fill the correct boxes to run it.

Actually we use openLDAP server (we have AD too but we don use it to validate the user under FOG), then I dont know which boxes need to fill to run the plugin well. The old version (RC-10) was easy (although I need to change some things in the code to run it well).

Questions:
Admin groups and Mobile groups, what these parameters are for? ¿purpose?
If I have a LDAP server, Bind DN and Bind password, is necessary fill these parameters?

Bugs:
In line 370 from ldap.class.php file:

$userDN = sprintf(
                 '%s=%s,%s',
                 $userNamAttr,
                 $user,
                 $userSearchDN
);

The $userNamAttr and $userSearchDN are empty, I dont know the reason, I have changed it to:

$userDN = sprintf(
                 '%s=%s,%s',
                 strtolower($this->get('userNamAttr')),
                 $user,
                 strtolower($this->get('searchDN'))
);

When the code tries to do the bind, always return me false.

george1421 · Sep 26, 2016, 9:24 AM

@Fernando-Gietz I haven’t tested it as of now since it was pushed to RC11. I was working on a pre release of RC11 and it worked with AD.

I know the wiki page hasn’t been written as of now so there is no information on the new features of the plugin and we have not tested it with all situations.

I’ll have to look at the lines you mentioned to see what is going on.

To answer your question about the logic of the Admin and mobile groups. The reason is security. Just because you are a valid ldap user doesn’t mean you should have access to FOG. So in addition to being a valid ldap user, your account must be found in either an Admin group (as defined by that field) or a Mobile group (as defined by that field). This is consistent with the two user classes in FOG. If your account appears in both groups then the Admin account wins and you have admin access to FOG. There is a graphic below in this thread that I posted with text telling what each field does too.

I’ll refresh my server with RC11 and see if I can track down the bug.

I do have to say if you had the ldap plugin installed before RC11 you must uninstall and reinstall it for the database to be updated correctly. The structure has changed from the older style ldap plugin

george1421 · Oct 4, 2016, 5:06 PM

@george1421 ~~I can report (at least for AD LDAP) the plugin works as intended. I’m going to dig a bit deeper to make sure its not just a mistake on my part.~~

I can say I based it working off a false assumption. I still had the AD user cached based on some of the intermediate code. That is why the login worked every time. There is something wrong in the code. Tom and I worked on it for several hours last night. I see what its doing, but need to focus on why its doing what its doing.

george1421 · Oct 4, 2016, 5:06 PM

@george1421 This thread and the ldap plugin is not dead. I have the code working with AD just fine, I need to perform some GUI updates to the web form to get it to work the way I want it to. But I think we are really close with the working solution.

george1421 · Oct 16, 2016, 9:49 PM

@george1421 I’ve been working on other projects and haven’t had time to get back to this one. I have this plugin working in my production environment and it is working well. I’m to the point where I would like to test it in a few more AD environment as well as OpenLDAP. If you are willing to help test, please let me know and I’ll send the instructions. I have not yet submitted the code to the Developers for their review to be included in the official 1.3.0RC stream as of now. I wanted to ensure it functioned as we expected it before adding additional workload one the developers.

Here is a current screen clip of the fields and the expected values. We’ve added the ability to only do a name match with users at the search base dn. With this option the user must only appear in a defined OU or below. If a user is in that OU and the uid and password match then the user is considered a FOG admin. I don’t like using this option but there were several use cases (like all my fog admins are already in a defined OU) where I can understand the requirement (but still not like it ). The more secure way is to use group matching. In this case you will need to create an AD/LDAP group and put the admin/mobile users in these groups. This now changes the login requirements to 1) You must be a users in the specified OU, 2) Your uid and password must authenticate 3) Your uid must be in the authorized group for FOG.

Fernando Gietz · Oct 17, 2016, 10:17 AM

Hi George,

I can see that you added the option to use AD groups to define admin/mobile profiles or not. Can I test it anyway? I have update the server version to RC13, and in this version until is not operative these changes.

Tom Elliott · Oct 18, 2016, 6:20 PM

I’ve updated the working RC 15 branch to contain the changes as @george1421 made and tested some more things. Appears to still work with open LDAP though I need more confirmation to know if it is working for ad.

x23piracy · Oct 18, 2016, 6:20 PM

@Tom-Elliott Hi, i would like to test it but what’s the url to checkout working branch with git?
What if RC15 is released can i just change to trunk /bin/installfog.sh again?

Regards X23

Extend LDAP plugin to support AD authentication

206

12.0k

17.3k

155.2k