@Fernando-Gietz found it!
Posts made by antonionardella
-
RE: LDAP plugin - apache2/error.log - password in plaintext
@Fernando-Gietz Hello, I am terribly sorry I could not replicate the error and apache already rotated the logs.
Let’s close this issue, I will open it again if I am able to replicate it.
Cheers,
Antonio -
LDAP plugin - apache2/error.log - password in plaintext
Hello,
I set up the LDAP plugin.
During some tests I discovered that failed logins are logged in /var/log/apache2/error.log with the password in plaintext; this does not feel like a secure setup.
Cheers,
Antonio -
Add hosts to group via different inventory attributes
Hello,
is there a possibility to add hosts to a group using e.g. a part of the System Product model number from the inventory fields?
Let’s say, for example, that I have Debian 9 installed and a bug with USB-3 and the 4.9 Linux kernel has been discovered, and now I have to upgrade only specific PCs or notebook models with USB-3 to the 4.19 Linux backports kernel.
I would:
- capture a new image
- create a new group for the PCs/notebooks that need the USB-3 update
- add PCs/notebooks based on their model to the group
- set a task to deploy the new image to this group
How and where could I do this in FOG?
Thanks,
Antonio -
RE: LDAP Plugin with openLDAP
Hello @Fernando-Gietz,
thanks for the awesome help and support, it works now as needed.
Is there something I should be aware of or edit in our openLDAP implementation to make the plugin work correctly without editing the /var/www/[html/]fog/lib/plugin/ldap/class/ldap.class.php file?
Ciao,
Antonio -
RE: LDAP Plugin with openLDAP
Hi @Fernando-Gietz, I am terribly sorry, but making everyone an admin does not look like an option.
It’s less about the web UI access, but more about restricting users (see students) from deploying random images to the systems and breaking things or activating licenses of pre-imaged software.
What if the group would be called dsp, is it in no way possible to limit the access only to this group here?
What is the issue exactly?
Thank you for your time.
Ciao,
Antonio -
RE: LDAP Plugin with openLDAP
Hello,
I tried with Search Base DN set to:
- dsptest
- ou=dsptest
- ou=dsptest,dc=example,dc=com
- ou=dsp
- ou=dsp,dc=example,dc=com
with no luck:
[Fri Apr 05 10:10:09.017746 2019] [proxy_fcgi:error] [pid 9652] [client ::1:51122] AH01071: Got error 'PHP message: PHP Warning: ldap_search(): Search: Invalid DN syntax in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning: ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: dsptest; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
[Fri Apr 05 10:45:05.644639 2019] [proxy_fcgi:error] [pid 9707] [client ::1:59212] AH01071: Got error 'PHP message: PHP Warning: ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning: ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
[Fri Apr 05 10:45:10.428643 2019] [proxy_fcgi:error] [pid 9681] [client ::1:59270] AH01071: Got error 'PHP message: PHP Warning: ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning: ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php?node=home
[Fri Apr 05 10:46:43.542053 2019] [proxy_fcgi:error] [pid 9652] [client ::1:59972] AH01071: Got error 'PHP message: PHP Warning: ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning: ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsptest; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
[Fri Apr 05 10:47:32.359197 2019] [proxy_fcgi:error] [pid 9650] [client ::1:60348] AH01071: Got error 'PHP message: PHP Warning: ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning: ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsp; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
[Fri Apr 05 10:48:28.842830 2019] [proxy_fcgi:error] [pid 9648] [client ::1:60670] AH01071: Got error 'PHP message: PHP Warning: ldap_search(): Search: No such object in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: PHP Warning: ldap_count_entries() expects parameter 2 to be resource, boolean given in /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php on line 124\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest)); Result: \nPHP message: Plugin LDAP::authLDAP() Search results returned false. Search DN: ou=dsp,dc=example,dc=com; Filter: (&(|(objectcategory=person)(objectclass=person))(cn=dsptest))\n', referer: http://localhost/fog/management/index.php
Cheers,
Antonio -
RE: LDAP Plugin with openLDAP
Hello @Fernando-Gietz it works using that code!
-
RE: LDAP Plugin with openLDAP
Hi @Fernando-Gietz,
here the output:
It’s not working because the filter only works with this query:
(&(|(name=dsp))(memberuid=dsptest));
without ,ou=Users,dc=example,dc=com
as shown here:
@antonionardella said in LDAP Plugin with openLDAP:
@Fernando-Gietz and @george1421
Hello and thank you for your answers, thing is that the filter is putting
(&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com));
while it should be without =uid and ,ou=Users,dc=example,dc=com like so:
(&(|(name=dsp))(memberuid=dsptest));
Then I get an output with ldapsearch (see image)
I tried to look at the two functions authLDAP() and _getAccessLevel() but I lack enough understanding of PHP to find the extra =uid and ,ou=Users,dc=example,dc=com
Cheers,
Antonio -
RE: LDAP Plugin with openLDAP
Hello @Fernando-Gietz, on Friday I’ll be working on that system again and let you know.
Thanks,
Antonio -
RE: LDAP Plugin with openLDAP
As soon as I add anything to the filter I get no answer:
-
RE: LDAP Plugin with openLDAP
@Fernando-Gietz and @george1421
Hello and thank you for your answers, thing is that the filter is putting
(&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com));
while it should be without =uid and ,ou=Users,dc=example,dc=com like so:
(&(|(name=dsp))(memberuid=dsptest));
Then I get an output with ldapsearch (see image)
I tried to look at the two functions authLDAP() and _getAccessLevel() but I lack enough understanding of PHP to find the extra =uid and ,ou=Users,dc=example,dc=com
Cheers,
Antonio -
LDAP Plugin with openLDAP
Hello,
first post here.
I am testing the FOG and openLDAP integration on one of my systems and have an issue with the filters.
Server
FOG Version: 1.5.5
OS: Debian 9
Client
Service Version:
OS: N/A
Description
I’ve added and set up the LDAP plugin, following different posts on the forums. So far I have found only M$ Active Directory configurations and I am not sure what is different with openLDAP.
- The openLDAP user is named: dsptest
- The openLDAP group is named: dsp
Here the sanitized ldapsearch result to have more information about the user dsptest with this query:
ldapsearch -x -D "uid=admin,ou=users,dc=example,dc=com" -W -H ldap://<IPADDRESS> -b "dc=example,dc=com" -s sub
# dsptest, Users, example.com
dn: uid=dsptest,ou=Users,dc=example,dc=com
sambaPwdCanChange: 0
uid: dsptest
sambaLogoffTime: 2147483647
givenName: dsptest
loginShell: /bin/bash
sambaAcctFlags: [UX]
uidNumber: 10001
sambaKickoffTime: 2147483647
objectClass: posixAccount
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: person
gecos: I am a DSP Test
sambaLogonTime: 0
sambaPwdMustChange: 2147483647
sn: dsptest
sambaHomeDrive: H:
sambaSID: S-1-5-21-2258386664-3013221354-3332613826-21002
homeDirectory: /home/dsptest
displayName: dsptest
cn: dsptest
shadowLastChange: 17980
sambaPwdLastSet: 1553502597
sambaPrimaryGroupSID: S-1-5-21-2258386664-3013221354-3332613826-2026
gidNumber: 516
ou: teachers
shadowMax: 99999
and the dsp group:
# dsp, Groups, example.com
dn: cn=dsp,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
displayName: dsp
cn: dsp
sambaGroupType: 2
sambaSID: S-1-5-21-2258386664-3013221354-3332613826-2032
gidNumber: 516
memberUid: dsptest
Here the sanitized LDAP Server configuration:
The interesting part is:
User Name Attribute: uid
Group Member Attribute: memberuid
When I go to log in to the web portal the apache2 log shows:
[Mon Mar 25 14:12:41.159898 2019] [proxy_fcgi:error] [pid 11845] [client ::1:48370] AH01071: Got error 'PHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(name=dsp))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com)); Result: 0\nPHP message: Plugin LDAP::_result(). Search Method: search; Filter: (&(|(name=))(memberuid=uid=dsptest,ou=Users,dc=example,dc=com)); Result: 0\nPHP message: Plugin LDAP::authLDAP() Access level is still 0 or false. No access is allowed!\n', referer: http://localhost/fog/management/index.php
The interesting part is:
memberuid=uid=dsptest
I tried to use the proposed filter for a ldapsearch query and I am getting errors.
Could anyone please be of assistance?
Thank you,
Antonio
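
The mismatch reported in this thread, as an added Python sketch (not FOG's code and not part of the original posts): a posixGroup `memberUid` stores the bare login name, so a filter built from the user's full DN matches nothing. The function names, the `UID_VALUED` set, the choice to skip empty group names and the constructed `GROUP`/`USER_DN` samples are assumptions of this example.

```python
import re

# Attribute names are assumptions of this example, not read from FOG's plugin.
UID_VALUED = {"memberuid"}  # posixGroup (RFC 2307): values are bare login names

# Constructed from the sanitized entries in the post.
USER_DN = "uid=dsptest,ou=Users,dc=example,dc=com"
GROUP = {"cn": ["dsp"], "memberuid": ["dsptest"]}


def escape_filter(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def rdn_value(dn):
    """Value of the first RDN: 'uid=dsptest,ou=Users,...' -> 'dsptest'."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]  # split on unescaped comma
    return first.partition("=")[2]


def member_value(member_attr, user_dn):
    """Pick the value form the group member attribute actually stores."""
    if member_attr.lower() in UID_VALUED:
        return rdn_value(user_dn)
    return user_dn  # member / uniqueMember style attributes store the full DN


def group_filter(group_names, member_attr, user_dn, name_attr="name"):
    """Build (&(|(name=g1)...)(attr=value)); empty group names are skipped."""
    names = [g for g in group_names if g]
    if not names:
        raise ValueError("no group name configured")
    ors = "".join("(%s=%s)" % (name_attr, escape_filter(g)) for g in names)
    value = escape_filter(member_value(member_attr, user_dn))
    return "(&(|%s)(%s=%s))" % (ors, member_attr, value)


def is_member(group_entry, member_attr, value):
    """Exact-match check against the values stored on the group entry."""
    return value in group_entry.get(member_attr.lower(), [])


if __name__ == "__main__":
    print(group_filter(["dsp"], "memberuid", USER_DN))
    print(is_member(GROUP, "memberuid", USER_DN))  # DN form, as in the log
    print(is_member(GROUP, "memberuid", member_value("memberuid", USER_DN)))
```

Escaping the assertion value also keeps a login name containing `*`, `(` or `)` from changing the structure of the filter.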