Closed jelockwood closed 2 months ago
This is what I have in my .env, works fine:
# ACTIVE DIRECTORY AUTHENTICATION
# -------------------------------
#
AUTH_AD_ACCOUNT_SUFFIX="@domain.tld"
AUTH_AD_BASE_DN="dc=domain,dc=tld"
AUTH_AD_HOSTS="FQDN of AD DC"
AUTH_AD_PORT=3389
AUTH_AD_ALLOWED_USERS=user1,user2,user3,user4
AUTH_AD_ALLOWED_GROUPS="Group in AD"
AUTH_AD_RECURSIVE_GROUPSEARCH=FALSE
@jby Thanks for the response. I have tried translating your example to my situation with variations but it did not work for me.
Does your AD structure, with different OU entries in use, look similar to your AD structure? Your setup as above seems to suggest you are not binding at all to AD for access; as far as I can see this would not normally work, as all the LDAP clients I have working require using a bind account.
No, I'm not binding. I just query the AD for Auth of the users
Ok, I am going to close this issue and open a new one. This issue was more config advice. However, it turns out that the currently used library, i.e. ADLdap2, is listed by composer as having been abandoned; certainly its own project page seems to suggest this.
This would therefore mean that the author of MunkiReport-PHP should consider selecting an alternative and still supported module which hopefully works better with Active Directory when you need to do an authenticated bind.
I have previously successfully set up MunkiReport with an LDAP server, and this time around I am needing to do it with Active Directory.
I have as preparation managed to bind and do ldap queries of our AD using other LDAP based tools so I now have a good idea of the details used. I also already have another different open source tool linked to AD successfully but it provides a simple web form for configuration.
As you might gather, I have not yet succeeded with MunkiReport-PHP. For those unaware, MunkiReport-PHP uses a library called ADLdap2.
AUTH_AD_SCHEMA="ActiveDirectory"
AUTH_AD_BASE_DN="OU=Employees,dc=domain,dc=secure"
AUTH_AD_ACCOUNT_PREFIX="CN="
AUTH_AD_ACCOUNT_SUFFIX=",ou=Employees,dc=domain,dc=secure"
AUTH_AD_HOSTS="172.1.1.1,172.2.2.2"
AUTH_AD_ALLOWED_USERS="me"
AUTH_AD_USE_TLS="FALSE"
AUTH_AD_ALLOWED_GROUPS="mygroup"
AUTH_AD_RECURSIVE_GROUPSEARCH=FALSE
AUTH_AD_USERNAME="Ldap Bind Account"
AUTH_AD_PASSWORD="thepassword"
I have obviously sanitised the values above but it gives you the general picture.
Using other tools I can confirm that all users are in -
OU=Employees,DC=Domain,DC=Secure
and an individual user account would be -
CN=My Name,OU=Employees,DC=Domain,DC=Secure
The account I need to use to bind to AD is however in -
OU=Administrators,OU=Service Accounts,DC=Gherson,DC=Secure
and would be listed as -
CN=Ldap Bind Account,OU=Administrators,OU=Service Accounts,DC=Gherson,DC=Secure
which is a completely different OU even if on the same server.
I am keeping things simple to start with but the relevant group I wish to use for access will be in
OU=Groups,OU=Employees,DC=Gherson,DC=Secure
e.g.
CN=mygroup,OU=Groups,OU=Employees,DC=Gherson,DC=Secure
As a further example here is a working ldapsearch command again sanitised -
ldapsearch -H ldap://172.1.1.1 -x -W -D "Ldap Bind Account" -b "OU=Administrators,OU=Service Accounts,DC=Domain,DC=Secure" "(sAMAccountName=user)"
I think the main problem is that the users are in a completely different OU to the bind account. The Java tool I have long used to 'explore' LDAP servers, even though it is discontinued, lets me define a full and different bind path from where the actual users are, and I believe this is also possible with ldapsearch, but I have not found an equivalent example for MunkiReport-PHP, i.e. for ADLdap2.
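The separation the thread is asking about (a service account in one OU used for the bind, users searched for under another OU) is how Adldap2 models it: the bind DN and the search base are independent settings. This is an added example written against the Adldap2 v10 API, not code from MunkiReport-PHP or the Adldap2 project; the hosts, DNs and group name are the sanitised values from the issue, the password is a placeholder, and the 'authenticate' function is hypothetical.

```php
<?php
// Added example (not MunkiReport-PHP or Adldap2 project code); assumes the Adldap2 v10 API.
// 'username'/'password' are the service account used for the initial bind and may sit in any OU;
// 'base_dn' only scopes where user objects are searched for.
require __DIR__ . '/vendor/autoload.php';

use Adldap\Adldap;
use Adldap\Schemas\ActiveDirectory;

$config = [
    'hosts'          => ['172.1.1.1', '172.2.2.2'],
    'port'           => 389,
    'use_tls'        => true,   // StartTLS so the bind password is not sent in clear text
    'schema'         => ActiveDirectory::class,
    // Search base for user objects (the Employees OU from the issue).
    'base_dn'        => 'OU=Employees,DC=Domain,DC=Secure',
    // Full DN of the bind account; it lives in a different OU tree than the users.
    'username'       => 'CN=Ldap Bind Account,OU=Administrators,OU=Service Accounts,DC=Domain,DC=Secure',
    'password'       => getenv('AD_BIND_PASSWORD') ?: 'PLACEHOLDER_PASSWORD', // placeholder
    // Prefix/suffix are applied to the login name given to attempt(), not to 'username' above,
    // so a plain sAMAccountName becomes a UPN for the user's own bind.
    'account_prefix' => '',
    'account_suffix' => '@domain.secure',
];

/**
 * Hypothetical helper: verify a user's credentials, then confirm group membership
 * (non-recursive, matching AUTH_AD_RECURSIVE_GROUPSEARCH=FALSE in the .env).
 */
function authenticate(array $config, string $login, string $password, string $requiredGroup): bool
{
    $ad = new Adldap(['default' => $config]);
    $provider = $ad->connect();                       // binds as the service account
    // Check the user's password; Adldap2 re-binds as the service account afterwards.
    if (!$provider->auth()->attempt($login, $password)) {
        return false;
    }
    // Look the user up under base_dn with the service account's rights.
    $user = $provider->search()->users()->findBy('samaccountname', $login);
    return $user !== null && $user->inGroup($requiredGroup);
}

var_dump(authenticate($config, 'user', 'user-password', 'mygroup'));
```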