@george1421 I ran wireshark while pxe booting fog and logging in to the ipxe menu, saw that the creds were sent via HTTP, not LDAP. So I should upgrade to the latest trunk using the -s switch and all will be SSL? I’d still have to compile the ipxe kernel with a cert or is that done during setup?
Posts made by DBCountMan
-
RE: Does LDAPS work during iPXE menu login?
-
RE: Does LDAPS work during iPXE menu login?
@george1421 So the alternative would be to use SSL and embed the cert into the ipxe kernel right? I saw a post about this topic and a post pointed to this link https://wiki.fogproject.org/wiki/index.php?title=Upgrade_to_trunk about the latest build already has SSL set up? I’d just have to run installfog.sh -s and HTTPS would be working for the web gui as well as ipxe?
-
Does LDAPS work during iPXE menu login?
I have LDAP configured properly for logging into the FOG UI as well as authentication during the IPXE menu login. I’m trying to add security layers to the FOG server and environment. I ran wireshark to see how FOG sends LDAP credentials, and it appears to send them clear text over HTTP. If I use LDAPS, will FOG still send those clear credentials via HTTP or will it be secure?
-
RE: Set up LDAP for FOG, but FOG activities aren't tracking AD users
In case anyone else has this question, the Reports tab serves this purpose. Once an AD user logs into FOG and starts doing things, the history report will log it.
-
Predefine AD users and assign to Access Control Role
Re: LDAP with Access Control (default role assignment at first login)
I want to continue this conversation. I was looking at the “Mobile Group” in LDAP plugin settings, and I created a Security Group called FOGTechnicians-SG in my AD, and put that group in Mobile Group. I read that Mobile Group was deactivated (maybe I misunderstood that?). But is there a way to predefine AD users in FOG and put them in the appropriate roles so that when they log in, the proper rules will be applied?
-
Set up LDAP for FOG, but FOG activities aren't tracking AD users
I successfully set up the LDAP plugin for FOG, and can login to the Web UI with my AD creds as well as authenticate to the iPXE menu with my AD creds, but when I register a host, it still says “Created by FOG Reg on October 25, 2022, 6:45 pm”. Also when I create an image, it doesn’t show that I created the image. Does FOG have this functionality? My intention of setting up LDAP was to be able to keep track of who captures, deploys, and registers hosts.
-
RE: Cannot boot through PXE Menu timeout
@mcana66 What I did was create a file in /tftproot called autoexec.ipxe and put this in:
#!ipxe
ifopen net0
dhcp net0
chain ${boot-url}/scripts/menu_EFI.ipxe
This is for my FreeNAS box that I use for other projects and testing. You can chain any ipxe script (or any boot script like boot.php on the fog server) you want from there. The ${boot-url} variable is set in the default.ipxe file also located in /tftproot.
-
RE: Cannot boot through PXE Menu timeout
@mcana66 autoexec.ipxe is the default script that the ipxe kernel looks for unless another file is specified by your DHCP server or if you compile the kernel with an embedded menu script.
-
RE: Can't get to FOG booting from USB Boot UEFI client
@fog_newb It starts the ipxe and stops where exactly? Configuring Devices?
-
FOG ipxe boot key sequence setting not working
My settings in FOG Config>IPXE General Config>Menu Hide/No Menu settings:
And FOG Config>FOG Settings>FOG Boot Settings:
Problem is during ipxe boot, I still get prompted to hit the ESC key. I’d like to change it to F12 instead of ESC because ESC also cancels the boot process and some of my staff like to spam the ESC key…
-
RE: FOG unable to PXE boot beyond the VLAN/subnet that the server is on
@rrtern Just wondering, did you create a route between the two subnets? The firewall(s) may also need rules to allow pxe, http, and tftp traffic between those subnets. I didn’t see anything mentioned about routes so that’s why I asked. For instance in pfsense, by default different VLANs can communicate with each other. But at my job’s network environment they have to create routes so that vlans and subnets can communicate.
-
RE: FOG Project call for engagement
I can say that we aren’t constantly imaging and reimaging PCs in our environment. The FOG server does a lot of idling. I do the most because I’m always working on golden images and testing. But that’s about it. I don’t think I could make a solid proposal to my employer to pay a small team full-time for full support of FOG. It wouldn’t be feasible. If anything we need to get more people using FOG instead of other very expensive imaging solutions. If the community grows then you’ll have a higher chance of gaining a few more volunteers.
-
RE: How to make the "Acronis True Image 2020" bootstick able to PXE boot from FOG 1.5.9.154
@george1421 Ah ok I misread the OP. Well last time I checked, True Image can still create a boot image ISO with Windows kernels in addition to Linux kernels. If I’m not mistaken I believe you need to have the Windows ADK suite installed in order to create a WinPE boot ISO.
@Pitohui
How big is the ISO file? Perhaps you can try the sanboot or memdisk methods?
-
RE: How to make the "Acronis True Image 2020" bootstick able to PXE boot from FOG 1.5.9.154
What about the wimboot method?
This is my ipxe entry for booting PMagic11 that is WinPE.
set tftp-path tftp://${fog-ip}
set web-path http://${fog-ip}
set pe-path ${web-path}/pm11_winpe
kernel ${tftp-path}/wimboot gui
imgfetch --name BCD ${pe-path}/BCD BCD
imgfetch --name boot.sdi ${pe-path}/boot.sdi boot.sdi
imgfetch --name bootmgr ${pe-path}/bootmgr bootmgr
imgfetch --name boot.wim ${pe-path}/boot.wim boot.wim
boot || goto MENU
You’ll have to extract the files listed above from your Acronis ISO. Download the latest wimboot from here.
You can place wimboot in your /tftproot and download it via tftp, the rest of the files you can place in /var/www/acronis to download via http and make sure to change ownership to fogproject:www for all the files in /var/www/acronis.
-
Can FOG use SMB instead of NFS?
Any reason why we can’t use SMB instead of NFS for deploy/capture? An .smbcredentials file can be stored securely and creds can be sent securely. Just wondering because I couldn’t find anything related to the topic and I don’t know if the devs have tried this already.
-
RE: FOG delay then skip "Running post init scripts..." with UFW Enabled
@george1421 As you said those ports are dynamic, however I found a way to lock some ports to make sure they don’t change from this thread
I did everything except RPCRQUOTADOPTS and the post init scripts ran fine without delay. I’m assuming this won’t change as I had to restart the nfs-kernel-server.service to apply the changes. Hopefully this will stick.
Small note at the bottom of the linked thread, make sure you allow the ports in ufw.
-
Quick Question: Does FOG require IPv6?
I want to disable IPv6 on my FOG servers but want to make sure that FOG does not need it. That is all.