LDAP Plugin Troubles

aparker · Mar 15, 2017, 5:49 PM

[Wed Mar 15 11:01:20.401032 2017] [php7:warn] [pid 1887] [client 10.2.20.21:53857] PHP Warning:  sprintf(): Too few arguments in /var/www/fog/lib/plugins/ldap/class/ldap.class.php on line 829, referer: http://fogurl/fog/management/index.php

aparker · Mar 15, 2017, 5:53 PM

[Wed Mar 15 11:01:20.401092 2017] [php7:notice] [pid 1887] [client 10.2.20.21:53857] , referer: http://fogurl/fog/management/index.php

Tom Elliott · Mar 15, 2017, 5:54 PM

@aparker Is samaccountname actually set to arparker on the ldap server?

It’s making it that far, so connectivity speaking it’s working properly. At least from what I can see.

The sprintf, while not “useful” shouldn’t be preventing issues. If you’re running 1.3.4 on all, then this error should present the same way on all systems.

For what it’s worth I’ve found and hopefully corrected the issue of what you’ve presented here.

aparker · Mar 15, 2017, 6:01 PM

@Tom-Elliott It is, yes. It’s the same domain across all sites and FOG servers, so samaccountname will match across all sites and domain controllers. Authentication via that same account works on the other two servers, but not this one.

george1421 · Mar 15, 2017, 6:02 PM

samaccountname is essentially the NT style account name.

According to the error message the search DN MyDN (which I assume has been obfuscated) didn’t contain the user arparker

Make sure you have the search scope setup correctly of subtree and below

george1421 · Mar 15, 2017, 6:05 PM

You’ve compared the two FOG server’s settings line by line and to two ldap setups are the same, except for the ldap server being used? Have you change the non-working fog server ldap server to another site’s that is working (just to rule out the DC being at fault)?

aparker · Mar 15, 2017, 6:16 PM

@george1421 You are correct, I did obfuscate the DN. The actual DN does match that of the OU containing the group we are searching on.

I’ve compared the configs side by side via the GUI, but was curious where these settings actually get written to compare what is actually being saved. Where are these settings saved?

Great idea on the LDAP server, I haven’t tried that. I had been pointing it to the FQDN of the domain and letting DNS pick the closest DC. I’ll try pointing it a DC that I know works and see how that goes.

george1421 · Mar 15, 2017, 6:23 PM

@aparker The settings are saved in the mysql/mariadb database, in the LDAPServers table.

Do you/are you using any non-ascii characters (umlaut or accent characters) in the search DN or user accounts?

As for the ldap server value, we have not tested using the fqdn of your AD. In my case I always used the IP address of the closest AD/DC server that way I “know” which server its querying.

aparker · Mar 15, 2017, 6:26 PM

@george1421 No non-ascii characters in the DN or user account. I just tested a known good LDAP server, but still no dice. I even went so far as to change one of the working FOG servers from the domain FQDN to the IP of a local DC and confirmed it worked. I then used that same DC in the non-working FOG LDAP config, but authentication still fails.

george1421 · Mar 15, 2017, 6:30 PM

@aparker I just sent you an IM (little talk bubble on FOG Forum tool tray).

And your apache error log is still throwing the same error?

Is there any firewall between the fog server and AD?

But if that was the case, the ldap plugin should have thrown a different error before this point.

aparker · Mar 15, 2017, 6:45 PM

@george1421 George hooked me up after sending him a screenshot. Turned out to be something incredibly simply on my part–search scope was set to “Base and Subtree” instead of “Subtree and below”. I seriously compared these side by side I don’t know how many times, but my brain was not seeing that difference for some reason.

Really appreciate the help!

LDAP Plugin Troubles

225

12.1k

17.3k

155.3k