    Best posts made by george1421

    • RE: Extend LDAP plugin to support AD authentication

      Progress is going very well with the ldap plugin. But we found that when we start bringing in other ldap servers to test, some of the shortcuts that worked for M$ did not work so well with other ldap servers. To that end, I wrote another proof of concept code using the long way to get a user’s ldap attributes. In this method I have to use an authorized read only user to query the ldap server to locate the user’s ldap account, then I use that ldap account to relogin to the ldap server to pick up the user’s group associations.

      <?php

          // the user we are going to authenticate
          $user = 'user1234';
          $pass = 'Password';

          // IP address or fqdn of ldap server
          $server = '192.168.1.5';

          // credentials that have read access to the LDAP server
          $bindDN = 'cn=Bob Jones,ou=Users,ou=nyc,dc=domain,dc=com';
          $bindPass = 'Password.2';

          // How deep in ldap from search base are we going to look for the user
          $searchScope = 2;

          // clean up user name we only want the user's short name without any domain component
          // note I did not try to understand the regex expression but I expect there to be
          // issues with non-us english characters, just saying.
          $user = trim(preg_replace('/[^a-zA-Z0-9\-\_@\.]/', '', $user));

          // refuse an empty user name or password up front: ldap_bind() with an empty password
          // is an anonymous bind on most servers, which would "succeed" for any user we find
          if ($user === '' || $pass === '') {
              die('user name and password are required');
          }

          // open connection to the server
          $ldapconn = ldap_connect($server, 389);
          if ($ldapconn === false) {
              die('unable to open a connection to the ldap server');
          }
          ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
          ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

          $accessLevel = 0;
          $userDN = '';        // stays empty unless the lookup below finds exactly one user
          $userSearchDN = 'ou=nyc,dc=domain,dc=com';
          $adminGroup = 'FoG_Admins';
          $userGroup = 'FOG_Users';
          $grpMemberAttr = strtolower('memberOf');   // ldap_get_entries() lowercases attribute names

          if ( ldap_bind($ldapconn, $bindDN, $bindPass) ) {
              // for the filter we are searching for a person with an NT style account like the contents of $user
              // ldap_escape() (PHP >= 5.6) escapes the filter metacharacters ( ) * \ so $user cannot alter the filter
              $filter = sprintf('(&(objectCategory=inetOrgPerson)(%s=%s))', 'sAMAccountName', ldap_escape($user, '', LDAP_ESCAPE_FILTER));

              // we want to return the user's DN so that we can bind as the user
              // we will get his DN based on his samaccountname for AD
              $attr = array( 'dn' );

              switch ($searchScope) {
                  case 1:
                      // LDAP_SCOPE_ONELEVEL search one level down but not base
                      $result = ldap_list($ldapconn, $userSearchDN, $filter, $attr);
                      break;
                  case 2:
                      // LDAP_SCOPE_SUBTREE search base + all subtree (OUs) below
                      $result = ldap_search($ldapconn, $userSearchDN, $filter, $attr);
                      break;
                  default:
                      // LDAP_SCOPE_BASE search base only and don't look any deeper
                      $result = ldap_read($ldapconn, $userSearchDN, $filter, $attr);
              }

              // count the number of entries returned (a false $result means the search itself failed)
              $retcount = ($result !== false) ? ldap_count_entries($ldapconn, $result) : 0;

              if ($retcount == 1) {
                  // great we only returned one entry
                  $entries = ldap_get_entries($ldapconn, $result);
                  // pull out the user dn from the entries
                  $userDN = $entries[0]['dn'];
              }
          } else {
              echo 'unable to bind as the read only account: ' . ldap_error($ldapconn);
          }

          // if user dn is populated then attempt to connect (bind) to ldap as user
          if ($userDN !== '') {
              // Now rebind as the user we just found
              if ( ldap_bind($ldapconn, $userDN, $pass) ) {
                  // If we get to here the user is authorized, now lets get the group membership

                  // This time since we know the user DN (fully qualified ldap path) we can look up the user based on that
                  // this filter just matches all objects (cheat)
                  $filter = '(objectclass=*)';

                  // get what groups this user is a member of
                  $attr = array( $grpMemberAttr );

                  // read in the attributes of this user
                  $result = ldap_read($ldapconn, $userDN, $filter, $attr);

                  // count the number of entries returned
                  $retcount = ($result !== false) ? ldap_count_entries($ldapconn, $result) : 0;

                  if ($retcount > 0) {
                      $entries = ldap_get_entries($ldapconn, $result);

                      // a user with no group memberships has no memberof key at all
                      $groups = isset($entries[0][$grpMemberAttr]) ? $entries[0][$grpMemberAttr] : array();
                      // ldap_get_entries() adds a 'count' element next to the values; drop it before looping
                      unset($groups['count']);

                      // check groups for membership
                      // note: strpos() is a case sensitive substring match, so a group such as 'FOG_Users_Guests'
                      // would also match 'FOG_Users'; compare the group's CN exactly if that matters in your directory
                      foreach ($groups as $grps) {
                          // is admin user, set level and break loop (strpos() returns 0, not false, for a match at offset 0)
                          if (strpos( $grps, $adminGroup ) !== false) { $accessLevel = 2; break; }

                          // is user, set level and keep looking just incase user is in both groups
                          if (strpos( $grps, $userGroup ) !== false) $accessLevel = 1;
                      }
                  }

                  echo $accessLevel;

              } else {
                  print 'unable to bind using user info, user is not authorized in ldap';
              }
          } else {
              echo 'User not found in LDAP';
          }

          // close our connection
          ldap_unbind( $ldapconn );
      ?>
      
      posted in Feature Request
      george1421
    • RE: Imaging Issues After Migration

      Here is the process for the upgrade to trunk. https://wiki.fogproject.org/wiki/index.php/Upgrade_to_trunk

      Understand that 1.3.0 stable has not been released yet. So there may be some instability in the current trunk build. But the more people we can get into the trunk and reporting issues the quicker the devs will feel confident about calling the trunk build stable.

      The trunk build does manage uefi systems MUCH better than the kind of support 1.2.0 has.

      posted in FOG Problems
    • RE: Problems with PXE Boot (BIOS/UEFI) with Windows Hyper-V VM

      My initial reaction is that you have 2 dhcp servers on your network.

      If your fog server, dhcp server, and pxe booting client are on the same subnet, we can use the FOG server to eavesdrop on the pxe booting process to tell us what is going on.

      Please follow these instructions: https://forums.fogproject.org/topic/9673/when-dhcp-pxe-booting-process-goes-bad-and-you-have-no-clue

      Upload the pcap to a google drive or drop box and post the link here. If you don’t want to post the link in a public forum, send me an IM and we’ll take a look at it. The captured file will tell us the actors in your pxe booting play.

      posted in Windows Problems
    • RE: Missing fogsettings file path forward

      @Jaymes-Driver said in Missing fogsettings file path forward:

      If you moth ball the server, you have something to fall back on in a pinch.

      This right here is the key. If an upgrade fails you have to either rebuild the server or revert to a previous backup. If you spin up a new server you have your legacy fog server available if things go sideways as you’re getting the new server up and into shape.

      posted in General
    • RE: Extend LDAP plugin to support AD authentication

      @JJ-Fullmer I’m not sure I fully understand your question.

      In rc11 it may or may not show the bind dn just yet. That code is in a state of flux a bit.

      But in general we will switch over to using a bind DN (which needs to be in full ldap format) to initially connect to the ldap server to look up the user’s cn (in full ldap format). We were using just the short form of the user’s credentials (user@domain.com) to bind to ldap, but that only appears to work reliably with AD.

      Tom and (or at least I) will have another coding session tonight to see if we can get this wrapped up. All of the parts work independently now we just need to get them to work together.

      posted in Feature Request
    • RE: Surface Pro 4 won't get to registration menu

      It would be interesting to capture the output of
      lspci -m
      and
      lsblk

      Just direct the output into a file and then move the file to some place where you can post the output here. I’m also working on an idea for a debugging tool too. But I’m not quite done yet. But it’s great you have a live boot system on the surface pro 4, that means there is some hope of success. (!!)

      posted in FOG Problems
    • RE: PXE connection Using Windows 2008 as DHCP Server

      @techadmin said in PXE connection Using Windows 2008 as DHCP Server:

      COM Express

      OK, just so I understand. You have custom hardware that you need to install an image on. Your hardware doesn’t either have a network adapter that supports pxe, or there is no ethernet adapter in the device so you use an external usb ethernet adapter. It sounds like your custom hardware runs or can run rhel (that is good) and the network adapter IS seen by rhel.

      Since rhel works, then FOG/FOS will most likely work on your custom hardware. We have a couple of paths we can test to see what is the best path for you.

      First a little background, FOG uses several technologies to provide imaging. The first technology is iPXE. iPXE is an extension of the PXE ROM that is built into most network adapters (in your case you don’t have a pxe rom compatible network adapter). In FOG’s case we use the built in pxe roms to download iPXE from the FOG server. Then we let iPXE take over for the rest of the image management process. When we get ready to capture or deploy images we instruct iPXE to download FOS (Fog Operating System that is used to capture and deploy images on target computers). FOS does all of the heavy work of imaging the target computer.

      So the best choice if you don’t have a PXE compatible network is to see if we can load iPXE from a usb flash drive. Once iPXE is loaded it will contact the FOG server and normal imaging is possible. We have found that iPXE is not compatible with some network adapters. So for this case we can boot right into FOS, via a GRUB usb boot stick. You will lose some features by booting directly into FOS, but if your goal is to capture and deploy then we can go this path.

      For the next steps I want you to build a FOS USB boot drive according to these instructions: https://forums.fogproject.org/topic/7727/building-usb-booting-fos-image/4 . To save you some time I’ll DM you a link to a boot image I created just recently. Having that image will take you to step 7 in the instructions. You can use rufus (in windows) or dd (in linux) to write the image to the flash drive. The only requirement is the usb flash drive must be 512MB in size or larger.

      Once you have the usb flash drive (don’t forget to update the grub.conf file to point to your local fog server) I want you to test option 7 if your custom hardware is bios based, and option 8 if it’s uefi based. That should jumpstart you into iPXE. I want to know does that jumpstart option display the FOG iPXE menu. If yes then we can do a few other things. If no, then we need to understand what happened. We can then try to register the computer using FOS (option 2 or option 3). That route should work. Just a note: before you attempt option 1 you MUST first schedule a capture or deploy task on the FOG server then call option 1.

      I know I gave you a lot of information here. Let’s first start by creating the usb boot drive from the link I will send you.

      posted in Windows Problems
    • RE: How to create subfolders in a storage node

      @Hongyun FWIW: 1.3.5 has not been released just yet.

      If you would like to update to the latest release candidate 1.3.5-RC7 (that will most likely become 1.3.5 stable) you can follow these steps:

      git clone https://github.com/fogproject/fogproject.git
      cd fogproject
      git checkout dev-branch
      cd bin
      ./installfog.sh -y
      

      Understand that will tell git to only look at the dev-branch. So once 1.3.5 stable is released you will want to run these commands to reset git back to the main feed:

      cd fogproject
      git checkout master
      cd bin
      ./installfog.sh -y
      
      posted in General
    • RE: Extend LDAP plugin to support AD authentication

      @JJ-Fullmer The documentation hasn’t been written just yet because our approach changed overnight. Let me refresh my server and I’ll post something here to get you started. I can’t guarantee it works until I update my server and test it.

      posted in Feature Request
    • RE: Surface Pro 4 won't get to registration menu

      @Wayne-Workman The answer is easy why the live boot environment can run on a wide variety of hardware. It’s much more difficult for an embedded environment because of the limited resources.

      @sarge_212 Please excuse this post it will be off point of your issue.

      The majority of the issue is trying to keep the kernel size below a specific size. I know when I was building kernels for an embedded device back in the 2.2 to 2.4.37 kernel days we had 512KB of nv storage with 1MB of RAM. The kernel and root file system all gzipped up had to fit on that 512K boot device. When booted syslinux would take that kernel build a ram drive and expand both the kernel and root fs into that 1MB of ram, and leave enough ram left over to run the device. (something similar today is the same process how dd-wrt is booted off consumer (home) internet routers). Well when you make these kernels you generally know the target hardware so you throw out drivers for hardware you know will never exist in your environment. (i.e. why include a driver for an IBM token ring board if you will never use it)

      When you build a linux kernel you can decide to either statically link the drivers right into the kernel or build them as dynamically linked modules. How they are linked doesn’t matter (much) since the size of the driver itself is the same. In this case the driver will either be in the kernel itself (i.e. bzImage) or if dynamically linked in the root file system (init.xz).

      The idea when pxe booting devices is you want to get the kernel and the root fs to the client in a moderately fast time. So you want the kernel and the inits as small as possible yet still remain functional. Plus the tftp process is not designed (really) to handle large file transfers. Transferring a 500MB file is kind of slow over tftp. That’s why the fog devs use http (one reason why they are using ipxe instead of the standard pxe boot code) to deliver the fog kernels and init to the target computers instead of tftp (there are a few other reasons, but speed is very important).

      Just for comparison. On my ubuntu laptop the kernel is 5.8MB and the drivers (/lib/modules/<kernel version>) are almost 140MB. Compare that with FOG’s client OS where the kernel is 6M and the inits are about 16MB (understand 16MB is the kernel drivers plus any programs included in the FOG OS).

      So for PXE booting you want the smallest kernel and root fs so it can be delivered quickly over the network. One way to get a small kernel is to only include drivers you expect to see in the target’s environment. So in the end it’s a balancing act between size, flexibility, and speed.

      So ultimately the answer to the question is: Why can live boot OSs work where the FOG OS fails? It’s because the live boot OSs have the luxury of a huge nv storage to house every driver the kernel supports, plus they really don’t care how fast the target computer boots. I really haven’t timed it, but the FOG OS appears to boot in less than 15 seconds (once you get past all of the ipxe stuff).

      Back on point of this thread: If we can identify what kernel drivers this new hardware uses, the devs can consider including that “required” driver in the kernel or the inits. That is why it is important, if a live boot OS works, to capture what it sees and properly relay that to the devs for consideration. If a live boot OS fails to boot, the owner of that device is out of luck since the linux kernel itself does not support the hardware.

      posted in FOG Problems
    • RE: PXE connection Using Windows 2008 as DHCP Server

      @techadmin said in PXE connection Using Windows 2008 as DHCP Server:

      And I would really like instructions on converting the colnezilla image that I have moved over to the server into a FOG image.

      First let me say, there are no instructions to do this. We have been saying in theory it’s possible but no one in the FOG Project has done it since we have been telling you the quickest way is to deploy your clonezilla image to your hardware, and then immediately turn around and capture the image with FOG. That way you get the image formatted and properly compressed for what FOG needs. The issue with converting the images by hand between clonezilla and FOG, is that FOG captures the meta data about the source drive characteristics, you will have to build that stuff by hand if you directly convert the images.

      Beyond that…
      In the case about using the same network adapter with FOG. In your case you will want to run FOG in OEM mode (it’s more of a procedure than a switch in FOG). In your case since you will never see these devices again, you will pxe boot (I’ll get to that in a minute) the images into the FOG menu, and from there you will pick quick image (or deploy image) directly from the iPXE menu. You don’t have to register the network interface or the target computer in FOG (because you will never see the computer again, there is no need to register it). When you pick the deploy image from the iPXE menu, fog will send the image to the target computer and then forget about it, like it never happened.

      posted in Windows Problems
    • RE: Recover Images From Storage Node.

      First of all don’t let the replicator run. I don’t know this for sure, but I might guess it may remove the images from your storage node since they don’t exist on the master node.

      Now on to getting your images back.

      The easiest way is to log into the fog server console as root. Then mount the storage node share and copy the files back to the FOG server. The last step will be to manually recreate your image definitions in the web gui interface.

      So the first step is to get your images back to the fog server.

      cd /
      mount -t nfs <storage_node_ip>:/images /mnt
      

      Now copy the images back to the fog server.

      cp -r /mnt/* /images
      

      Once the images have copied we need to disconnect from the storage server share

      umount /mnt
      

      The last bit is going to be a little harder.
      Via the web management interface you will need to create an image definition for each image you copied back from the storage node. Make sure the image name matches exactly how it appears in the /images directory.

      posted in General
    • RE: Extend LDAP plugin to support AD authentication

      Here is a screen shot of what is expected.

      0_1474644364724_ldap_plugin_settings.png

      posted in Feature Request
    • RE: Surface Pro 4 won't get to registration menu

      @sarge_212 (this is a repost from another thread, but I want to see if it works with this hardware too)

      If you are willing and have a general knowledge of linux, I would like you to try something.

      I’ve been working on an idea about booting the FOG Client kernel (the bits of FOG code that run on the target computer to load or capture images) using a usb drive. Understand this is only for debugging purposes. Right now it is not clear in my mind if the booting issues with these newer efi based systems are with the PXE boot kernel, the FOG Client kernel, or the hand off between ipxe and the FOG kernel.

      To test this I wrote a document to create a uefi boot media that will boot the fog kernel from USB. You can not capture or deploy using this kernel only access command line tools. But the point of this exercise is to see if it boots, period.

      If you have a spare 2GB or larger usb flash drive, are comfortable with some linux commands and have a little time; could you follow the instructions outlined here: https://forums.fogproject.org/topic/6532/usb-boot-target-device-into-fog-debug-os/3

      For the sake of the test, I only want you to execute what appears as method #3. Understand these instructions were written for ubuntu, but they should translate to Centos 7 without too much headache ( 🙏 ) . At the bottom there is a copy and paste section where you can copy the commands, paste them into a text editor, change the reference to the usb flash drive and then just execute the commands one after another through a remote terminal. It takes me less than 5 minutes to execute the commands once you have the rpm files installed.

      For the flash drive start with a freshly formatted flash drive using a windows computer and format it fat32 (note the first step of my instructions tells linux to reformat the drive, any existing content will be lost). If you have any questions about this, please post back here.

      What I want to test:

      1. Does it boot?
      2. IF it doesn’t boot is there an error message?
      3. Does this image boot on any other device you have that is in uefi mode?

      After this test we will add in the grub insmod commands and test again. But first let’s see if you can build the boot drive and get it to boot on this tablet as is.

      posted in FOG Problems
    • RE: Driver Issues With Dell Latitude 7280 - No Bootable Devices

      @robtitian16 said in Driver Issues With Dell Latitude 7280 - No Bootable Devices:

      o, what can I check/test or run to prevent this from happening in the future? Why does the hard drive disappear after applying the image? Are there any logs I can get to help determine the cause of this issue.

      The hard drive will disappear if UEFI detects there is no bootable partition on the drive. You will get the same response if you insert a usb drive or cdrom that is only formatted as a bios (DOS) boot disk.

      I did just happen to get in some 7280s earlier this week that are just itching to spring to life. Let me crank one up and deploy an image to it.

      posted in Windows Problems
    • RE: Redirect /fog/management to root X.X.X.X

      @bluesky Yeah, you should be using Wayne’s post. The index.html should work, but there may be some apache configs that need to happen. I was just shooting from where I know. The php solution that wayne posted does the same exact thing but via a php page.

      posted in General
    • RE: Extend LDAP plugin to support AD authentication

      @Fernando-Gietz I haven’t tested it as of now since it was pushed to RC11. I was working on a pre release of RC11 and it worked with AD.

      I know the wiki page hasn’t been written as of now so there is no information on the new features of the plugin and we have not tested it with all situations.

      I’ll have to look at the lines you mentioned to see what is going on.

      To answer your question about the logic of the Admin and mobile groups. The reason is security. Just because you are a valid ldap user doesn’t mean you should have access to FOG. So in addition to being a valid ldap user, your account must be found in either an Admin group (as defined by that field) or a Mobile group (as defined by that field). This is consistent with the two user classes in FOG. If your account appears in both groups then the Admin account wins and you have admin access to FOG. There is a graphic below in this thread that I posted with text telling what each field does too.

      I’ll refresh my server with RC11 and see if I can track down the bug.

      I do have to say if you had the ldap plugin installed before RC11 you must uninstall and reinstall it for the database to be updated correctly. The structure has changed from the older style ldap plugin.

      posted in Feature Request
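      As an added example (not the proof-of-concept script at the top of this page and not code from the FOG ldap plugin), here is how the three checks that matter for the "bind as read-only account, find the user DN, rebind as the user, read memberOf" flow described in that first post, and for the Admin/Mobile group rule explained in the post just above, can be written in PHP: refusing a blank password before the user rebind, escaping the lookup filter instead of regex-stripping the user name, and matching the group CN exactly so that a group such as FOG_Users_Guests is not mistaken for FOG_Users. The fog_* function names, the group names and the sample DNs are constructed for this example; the escape table is the RFC 4515 one that PHP's ldap_escape() applies with LDAP_ESCAPE_FILTER.

```php
<?php
// Added example, not FOG's plugin code: the checks a reviewer would want around the
// "service-account bind -> user DN lookup -> rebind as user -> read memberOf" flow.
// All fog_* function names, group names and DNs below are constructed.
declare(strict_types=1);

// 1. Reject an empty or blank password before ldap_bind(): with an empty password
//    most servers perform an anonymous bind, which "succeeds" for any DN we found.
function fog_password_usable(string $pass): bool
{
    return trim($pass) !== '';
}

// 2. Escape filter metacharacters per RFC 4515 instead of stripping characters from
//    the user name. Same mapping as ldap_escape($value, '', LDAP_ESCAPE_FILTER).
function fog_escape_filter_value(string $value): string
{
    // backslash first, so the backslashes introduced by the other replacements are not re-escaped
    return str_replace(
        ["\\", '*', '(', ')', "\0"],
        ['\5c', '\2a', '\28', '\29', '\00'],
        $value
    );
}

// Build the user lookup filter from an attribute name the caller controls and a user-supplied value.
function fog_user_filter(string $attr, string $user): string
{
    return sprintf('(&(objectClass=person)(%s=%s))', $attr, fog_escape_filter_value($user));
}

// 3. Pull the first RDN value (the CN) out of a group DN so membership becomes an exact,
//    case-insensitive comparison rather than a substring search. A comma inside a value
//    is written "\," in a DN, so only unescaped commas separate RDNs.
function fog_group_cn(string $dn): ?string
{
    $rdns = preg_split('/(?<!\\\\),/', $dn);
    if ($rdns === false || !preg_match('/^\s*cn\s*=\s*(.*?)\s*$/i', $rdns[0], $m)) {
        return null;   // first RDN is not a CN (or the DN is malformed)
    }
    return str_replace('\\,', ',', $m[1]);
}

// Access level: 0 = no access, 1 = user (Mobile) group, 2 = admin group. Admin wins when
// the account is in both. $memberOf is the attribute array exactly as ldap_get_entries()
// returns it, i.e. numeric keys plus a 'count' element that must be skipped.
function fog_access_level(array $memberOf, string $adminGroup, string $userGroup): int
{
    $level = 0;
    foreach ($memberOf as $key => $groupDn) {
        if ($key === 'count' || !is_string($groupDn)) {
            continue;
        }
        $cn = fog_group_cn($groupDn);
        if ($cn === null) {
            continue;
        }
        if (strcasecmp($cn, $adminGroup) === 0) {
            return 2;
        }
        if (strcasecmp($cn, $userGroup) === 0) {
            $level = 1;
        }
    }
    return $level;
}

// Constructed sample of what ldap_get_entries() hands back for the memberof attribute.
$sampleMemberOf = [
    'count' => 3,
    0 => 'CN=FOG_Users_Guests,OU=Groups,DC=domain,DC=com',   // would satisfy a strpos() check for FOG_Users
    1 => 'CN=Sales\, East,OU=Groups,DC=domain,DC=com',       // escaped comma inside the CN value
    2 => 'CN=fog_users,OU=Groups,DC=domain,DC=com',          // case differs from the configured name
];

var_dump(fog_password_usable('   '));
echo fog_user_filter('sAMAccountName', 'user*)(objectClass=*'), PHP_EOL;
echo fog_access_level($sampleMemberOf, 'FOG_Admins', 'FOG_Users'), PHP_EOL;
```

      Run it with the php command line interpreter; it needs no ldap extension because the decision logic only works on the strings the directory would return. The sample gives access level 1: the guests group is rejected by the exact CN comparison, the "Sales\, East" entry is split correctly, and the lower-case fog_users entry still matches the configured user group. In the plugin this function would replace the strpos() loop after the user rebind, with $adminGroup and $userGroup taken from the Admin and Mobile group fields.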
    • RE: /Default.ipxe connection timeout on Dell only

      @Tyler-W.-Cox I’m a bit surprised that you had a second dhcp server running and you didn’t have IP conflicts or other random dhcp issues. But we are glad you got it worked out and have fog deployed successfully in your environment.

      posted in FOG Problems
    • RE: Driver Issues With Dell Latitude 7280 - No Bootable Devices

      @george1421 Well the first test was a complete failure. It appears that the hard drive is not detected by FOS.

      Some details for background information.
      The systems were delivered on 19-Sept-2017
      They should be still the skylake design so they are windows 7 compatible.
      The firmware release is 1.5.8
      Actions taken: I unboxed the unit, went into the bios and switched to uefi mode, disabled secure boot, enabled uefi network stack. Then pxe booted and attempted to do a quick deploy and was abruptly stopped just after FOS started with hard drive not found.

      This was done on my production server that’s running FOG 1.4.4

      On to manually registering this device and to boot into debug mode. Wait… I have FOS on a usb flash drive, even easier…

      posted in Windows Problems
    • RE: Separate server for ipxe

      Can you explain a bit more why you want to move the ipxe services?

      FOG does require pretty tight integration with iPXE to make the menu work seamlessly.

      posted in General