Just documenting the ldap requirements from another FOSS application pfsense here. These are the typical fields I would expect to see for any type of LDAP authentication against AD.

Posts made by george1421
-
RE: Extend LDAP plugin to support AD authentication
-
RE: Microsoft Surface Pro 4 with Surface Docking Station - Unable to get boot file
Please search the FOG Project forums. There are several threads on this pxe booting surface pro 4. You can pxe boot these guys but you need to send the uefi kernel to them not the bios (legacy) pxe boot kernel. I think there was also a thread about the keyboard not working with the current FOG kernel, but if you use an external usb keyboard you can move past this issue.
-
RE: How To Acquire New Kernels?
@PeterT Just to circle back on the question.
I just received a 7440 AIO and using FOG 1.3.0-RC8 I was able to deploy to the 7440s without making any adjustments to the device. I just unboxed it, plugged it in and pxe booted into the fog menu… and the rest they say is history.
-
RE: Failed php-bcmath Installation
@cschneider.tech -y == don’t ask me questions just do it.
Now try to rerun the installer please.
-
RE: Failed php-bcmath Installation
I can’t say for sure but RC10 seems to cause some issues more than RC9 did.
Can you run the following command from the command window
yum install php-bcmath -y
FWIW when I run that on my production server (centos 7.2.1511) it says the file it needs in the remi-php56 repo.
-
RE: LDAP Plugins in FOG 1.3.0 RC 8
@Steuve68 said in LDAP Plugins in FOG 1.3.0 RC 8:
Sorry for my bad english … i’m french.
Oh I didn’t know you were French, you lose 50 points for that.
(just kidding your English is great)
Yes, let’s see if the other developers can chime in. I can take a look at the code but I don’t have a clue on the programming part. I know what has to be in the query based on how other FLOSS applications work.
-
RE: LDAP Plugins in FOG 1.3.0 RC 8
@Steuve68 Again I’m just speaking in general terms here since I haven’t worked with the FOG LDAP, but I would say there are some missing fields that would typically be required.
Based on what is there, I would say the DN is the base or search DN. That would be the container where the ldap plugin would search for users. That field should be in ldap format.
The ldap server address should just be an ip address of the ldap server.
Now what I see missing is the bind dn and password (the user account that is used to query ldap). Some ldap systems allow for unauthenticated queries, and others like AD require an authorized user to be able to query AD (this keeps the bad guys from enumerating your internal AD structure). So I would suspect even if you had the visible fields filled out properly that this query would fail because of an authorization issue.
The last bit of information I see missing is that sometimes there will be a field for a group name. That way the ldap query would see if the user that is logging in would be a memberof group “abc” would be allowed to login. Right now the way it’s set up if anyone in the search base dn logs in it will be allowed.
That reminds me of one more for your search base. Typically there is a field for how deep to search from the search base. To only search in the search base or to include all OUs below the search base too.
But again this is only speculation, probably Tom will need to comment on the actual function of the ldap plugin. If it would work, I would surely move to that method, that way we have only valid
I realize this is WAY more information than you are asking for. I’m documenting it here since I feel the ldap plugin may require some needed bits.
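The settings this post lists (search base, search depth, group restriction) map onto an LDAP search as in the following added example, which is not part of the original post or of the FOG plugin. The function names, the returned dictionary layout and the group DN in the test values are constructed for illustration; the username is escaped per RFC 4515 so that login input cannot rewrite the filter.

```python
# Added example; all names and DNs used with it are constructed, not FOG plugin code.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# AD matching rule LDAP_MATCHING_RULE_IN_CHAIN: also follows nested group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape the RFC 4515 special characters so input cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str, group_dn: str = "", nested: bool = False) -> str:
    """Filter matching one user by sAMAccountName, optionally limited to a group."""
    if not username.strip():
        raise ValueError("empty username")
    clauses = [
        "(objectClass=user)",
        f"(sAMAccountName={escape_filter_value(username)})",
    ]
    if group_dn:
        # Plain memberOf only matches direct members of the group.
        attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
        clauses.append(f"({attr}={escape_filter_value(group_dn)})")
    return "(&" + "".join(clauses) + ")"


def build_search(username: str, base_dn: str, include_sub_ous: bool = True,
                 group_dn: str = "") -> dict:
    """Collect the settings the post lists: search base, depth and group limit."""
    return {
        "base": base_dn,
        # "onelevel" stays in the search base; "subtree" includes OUs below it.
        "scope": "subtree" if include_sub_ous else "onelevel",
        "filter": build_login_filter(username, group_dn),
        "attributes": ["distinguishedName"],
    }
```

The search itself runs under the bind account; the DN it returns is then used for a second bind with the password the user typed, which is the actual credential check.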
-
RE: Managing Windows 10 IE/Chrome Bookmarks, Desktop Icons etc using Fog Client
@kwetiaw I did a quick check this AM and there are excellent powershell examples of creating IE favorites and desktop shortcuts. The bit of a pain was automating the creation of google chrome bookmarks. But as Wayne said, this is all doable with a snapin or third party application like PDQ Deploy.
-
RE: LDAP Plugins in FOG 1.3.0 RC 8
@Steuve68 As for the DN it depends if it’s a bind DN or a base DN. The base DN is the search path where users will be searched (i.e. ou=users,ou=nyc,dc=domain,dc=com) if it’s a bind dn or bind credentials you can “sometimes” use just the AD structure of “domain\user” or if the ldap format is required then you need something like: “cn=Joebob Thomas,ou=admins,ou=nyc,dc=domain,dc=com” or “uid=joebob,ou=admins,ou=nyc,dc=domain,dc=com”
Basically what is needed here is:
- The search base (where to look for users) this is called either search base or base dn
- An account to connect to LDAP that the ldap client will use to query LDAP. This is typically called bind user or bind dn with a password. Some ldap agents will allow nt formatted authentication, others require ldap user format.
In regards to AD you can kind of cheat to convert an AD user into ldap format. If you go into AD and look at a user, then select the object tab. On the object tab there is a canonical name field:
domain.com/NYC/Users/Jimbob Thomas
You can convert it to an ldap name by reversing the order as such
cn=Jimbob Thomas,ou=users,ou=nyc,dc=domain,dc=com
In the case of FOG, the apache error log may give you an idea why you are getting the white screen, typically this is when the fog server errors out.
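The canonical-name reversal described in this post, as an added example that is not part of the original post. It goes slightly beyond the post by escaping RFC 4514 special characters in names. It assumes the last path element is a `cn` object, that intermediate containers are OUs except the default `Users`, `Computers` and `Builtin` containers directly under the domain, and that a literal `/` in a canonical name appears as `\/`; the function names are made up for illustration.

```python
import re

# Added example; the heuristics below are assumptions, not read from a directory.
DN_SPECIALS = set(',+"\\<>;=')
# Default AD containers directly under the domain are cn= objects, not OUs.
ROOT_CN_CONTAINERS = {"users", "computers", "builtin"}


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value per RFC 4514 (specials, leading '#'/space, trailing space)."""
    chars = ["\\" + c if c in DN_SPECIALS else c for c in value]
    if chars and chars[0] in ("#", " "):
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars)


def canonical_to_dn(canonical: str) -> str:
    """Turn 'domain.com/NYC/Users/Jimbob Thomas' into an LDAP distinguished name."""
    # Split on '/' unless it is escaped as '\/' inside a name.
    parts = [p.replace("\\/", "/") for p in re.split(r"(?<!\\)/", canonical)]
    domain, path = parts[0], parts[1:]
    if not domain or not path or "" in path:
        raise ValueError(f"not a canonical name with an object path: {canonical!r}")
    rdns = []
    for depth, name in enumerate(path):
        is_leaf = depth == len(path) - 1
        is_root_cn = depth == 0 and name.lower() in ROOT_CN_CONTAINERS
        attr = "cn" if is_leaf or is_root_cn else "ou"
        rdns.append(f"{attr}={escape_rdn_value(name)}")
    rdns.reverse()  # canonical names run root-to-leaf, DNs leaf-to-root
    rdns += [f"dc={escape_rdn_value(label)}" for label in domain.split(".")]
    return ",".join(rdns)
```

DN matching in AD is case-insensitive, so the preserved capitalisation is equivalent to the lower-case form written in the post; the object's distinguishedName attribute remains the authoritative value.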
-
RE: LDAP Plugins in FOG 1.3.0 RC 8
@Steuve68 I can’t speak to the ldap plugin directly for FOG. For their windows “NT” style account name you would use the ldap field of sAMAccountName. I also would start off with the non-ssl port and IP address or FQDN of your DC.
While I didn’t see it listed above, typically there is a bind DN and an LDAP search path so you can limit the user search to a specific OU. I deleted my FOG dev server on accident so I can’t confirm the plugin works first hand.
-
RE: Managing Windows 10 IE/Chrome Bookmarks, Desktop Icons etc using Fog Client
Can you explain what you mean by managing these items?
Unless you are in a workgroup environment, these items are best managed via AD/GPOs. If you are in a workgroup then you can deploy a vbs/ps script to create these items. But for AD a GPP is the much easier way to go.
-
RE: Select multiple partition to deploy/capture
@Tom-Elliott Actually I think it may be the other way around (I can only give an explanation of what I think I understood).
Let’s say you have a reference computer that is a dual boot with both win and linux, and let’s say there are 5 partitions 1,2,3 are windows and 4,5 are linux. Now let’s say after some time you update your reference image with a new version of linux but don’t change the drive geometry. Now let’s say I want to push out this to all of my computers. I just want to update the linux partitions but not touch the windows stuff. So then I might hack the image definitions to only deploy the partitions I’m interested in (edit: when I first read Sebastian’s comments I understood hacking the captured image configuration files. But I see he might be referencing the image definition in the gui so no code may be required). This way the new linux image will be deployed without altering the windows bits.
-
RE: Select multiple partition to deploy/capture
@Sebastian-Roth So then is this something that can be scripted into the FOG console? Rewrite that file based on the partition you want to deploy and then rewrite it properly after the deploy is done?
I can’t say how many people “need” this feature vs the developers’ time to implement. If it is only a handful of people then a wiki page would be in order to explain what needs to be done. If it’s 10 or more then it may be worth the developers’ time to see if it’s possible (since the process has already been confirmed by Thiago).
I don’t have the answer only raising the question of should it be considered.
-
RE: FOG 1.3 RC8 - Fails to Apply 'swap' UUID on Image Deploy
@dholtz-docbox Sorry I’m not following this (maybe).
Let me restate what I think you’re saying in my words.
I’m attempting to deploy a linux image to a target computer. The image deploys correctly but when the target goes to boot I get an error in that the HDD UUID has changed because of deployment. If that is the case, the easy fix is to remove all references to the uuid in the reference image and just make physical partition references. Then you don’t really care about the uuid.
Do I understand this correctly?
For the other questions, fog 1.3.0-rc10 (as of this post) is the correct version to be on.
-
RE: Error for Upload image Windows 1607
While I don’t remember v2929 that number is close to FOG 1.2.0 stable, which does not support NVMe drives, gpt disks, or Win10 (in general).
What error is being thrown when you try to upload that image?
The ultimate answer is to upgrade to 1.3.0-RCX to get new hardware support as well as Win10 Support. But I do have to admit that I have not created a 1607 reference image as of yet, so there may be changes that not even fog 1.3.0 supports as of now.
-
RE: Making Fog Portable
@juice381 Can you manually install that package from the Odroid debian repository? Does it even exist in that repository?
-
RE: Making Fog Portable
@juice381 Sure on the getting multicast working too. I’m sure it’s just a package name or pre-req that is needed. Once we can find the exact cause the developers can have a look at the installer code and make exceptions for your specific issue.
I think your project would be good one to document for a low cost mobile deployment server that could be used in small sales offices where you need a local fog server (storage node) because of the bandwidth issues, but still manage it from a central location.
-
RE: Making Fog Portable
@juice381 It would be interesting to know of the stats you get with the mobile fog server.
i.e.
- unicast to a single computer (with d-link)
- unicast to 2 computers (simultaneously with d-link)
- unicast to 2 computers (simultaneously with enterprise class switch).
I’m interested in what the Odroid can do, but also the impact of that d-link over an enterprise switch. We see in the forums that the low (discount) switches are under powered for imaging where you will get 1/3 the speed for a multi deployment from a low end switch over an enterprise switch if the switch is the only thing that changes in the mix.
-
RE: Downloading a HDD image to PCIe SSD
This is what I have in my bashrc profile for my site.
export http_proxy=http://192.168.1.2:3128
export https_proxy=https://192.168.1.2:3128
export ftp_proxy=http://192.168.1.2:3128
export no_proxy="192.168.1.88"
Where 192.168.1.2 is the proxy server and 192.168.1.88 is the fog server ip address.
Since it appears you are using ubuntu you may need to configure apt to use your proxy server. In my case I use rhel and I have to add a proxy command to the yum.conf file.
-
RE: Making Fog Portable
@juice381 So if you can extract that configuring udpcast stage from the install and then manually execute the commands can you find the exact command that breaks the script?