Hello,
This is a rather complicated situation, so I will try to explain the best I can:

We are running a plugin (based on php-ldap functions) on our website that is capable of adding new users to our LDAP server. There are some limitations to what the developer is willing to/capable of changing, and to the time we have available for this to be finished.

Currently we are capable of syncing every existing clearOS/LDAP user, keeping the existing attributes, but for the situations that require creating new users in LDAP we are limited to standard LDAP attributes. Thankfully we are now able to create users in the DN "ou=Users,ou=Accounts,dc=system,dc=lan" as a "cn" rather than by "uid" (standard openLDAP?) so that clearOS actually recognises it as a user.

objectClass inetOrgPerson (structural)
objectClass organizationalPerson (structural)
objectClass posixAccount (auxiliary)
objectClass shadowAccount (auxiliary)
objectClass top (abstract)

And also
cn, gidNumber, homeDirectory, sn, uid, uidNumber, displayName, gecos, givenName, initials, loginShell, mail, userPassword

By making sure the uidNumber and gidNumber are unique numbers we can both log in to clearOS with the user and get it accepted using radtest. But for actual RADIUS auth through our Unifi wifi it requires a bit more info added to the LDAP user entry...

So, now we are faced with the choice of either
- making the php-plugin include all the needed attributes and classes (see list below), with everything hashed and proper.
Or
- triggering the "Update" webconfig-function on the newly created user. This populates the LDAP user listing with the missing attributes. If it also specifies the user password it will re-write it (in the userPassword attribute) as a hashed password, and populate all the additional hashed password entries (clearMicrosoftNTPassword, clearSHA1Password, clearSHAPassword, sambaNTPassword)

We would prefer the second option, since this will require far fewer changes in the current plugin (which would otherwise require the developer to get a full overview of all the attributes involved, their relations, their hashing configurations, etc.), and we are hoping for a solution to trigger the Update function on any newly created user in the LDAP database.

Thankfully it is currently the plugin default to store the user's password in plain text, so it would be possible for the clearOS server to actually read both the password and the username to trigger an Update on it.

But how to trigger such a web-function in clearOS, either from a remote website or from an internal function that watches for changes in the LDAP directory?
We recently discovered that there is a script to update and create users from the CLI (/usr/sbin/clearos_user -u <uid> -p <password>;) but at the moment this script is not capable of updating the password unless the user already has all the clearOS LDAP attributes...

As I said, it's a rather complicated situation :-)
Hope someone has some valuable input on this!

Thank you!




The List of attributes of a complete clearOS user's LDAP entry:

objectClasses
clearAccount (auxiliary)
clearNextcloudUser (auxiliary)
inetOrgPerson (structural)
posixAccount (auxiliary)
sambaSamAccount (auxiliary)
shadowAccount (auxiliary)
top (abstract)
clearAccountStatus
cn
gidNumber
homeDirectory
sambaSID
sn
uid
uidNumber
clearMicrosoftNTPassword
clearNextcloudEnabled
clearNextcloudQuota
clearSHA1Password
clearSHAPassword
givenName
loginShell
sambaAcctFlags
sambaBadPasswordCount
sambaBadPasswordTime
sambaDomainName
sambaNTPassword
sambaPrimaryGroupSID
sambaPwdLastSet
userPassword
Thursday, March 17 2022, 10:24 PM
Responses (11)
  • Monday, March 21 2022, 10:19 AM
    Dag Ove Hoel wrote:
    Is there a clearOS 8 nearby?

    It does not say much but see this thread - https://www.clearos.com/clearfoundation/social/community/is-clearos-still-under-active-development.
  • Sunday, March 20 2022, 08:58 PM
    Nick Howitt wrote:

    I am afraid I can't really help you here. ClearOS7 is pretty much feature complete and is in maintenance mode. The developers who did this side of ClearOS have moved on and I have no idea who could now give you help.


    OK, that's too bad, but I think I'll manage to figure this out myself. I've been chewing on this for many, many days now and am starting to see the picture. I also found out most of what I need for the password attributes. Hopefully the developer will be able to get this thing working as needed.

    Is there a clearOS 8 nearby?
  • Saturday, March 19 2022, 10:04 PM
    I am afraid I can't really help you here. ClearOS7 is pretty much feature complete and is in maintenance mode. The developers who did this side of ClearOS have moved on and I have no idea who could now give you help.
  • Saturday, March 19 2022, 08:25 PM
    Nick Howitt wrote:

    The thread you linked to is for 5.x, I think. The LDAP schema changed massively when 6.x was released. 7.x is the same as 6.x. I thought the 7.x structure was fairly standard. The only thing I think we do differently from standard is manipulate the uidNumber and sambaSID.


    OK, I don't know much about LDAP standards, but according to the developer it's not following the typical structure. They will need to customise the plugin to get it to replicate the structure of clearOS. Thankfully it's an Indian company, so the hourly rate is liveable, as long as it's not an extreme amount of work.

    They have mentioned the DN of each user, which is normally indexed by "uid" but in clearOS is indexed by "cn". They have also mentioned that the uidNumber and gidNumber by openLDAP standard is "-1". Other than that I am unsure what is standard compared to what clearOS uses and what they use, but it seems to me that they look at using the objectClass "organizationalPerson" as standard, while in clearOS it seems like the same/similar attributes are connected to the "inetOrgPerson" objectClass.

    I wouldn't know, and I can now see that this might be a bit too much for us to wrap our heads around, and to try reverse engineering php code and how clearOS is built will probably not be worth it for us in this case either. Especially since the user generation must be initiated from the website side, anyways.

    I will ask the developer to give me a quote on the work of changing the plugin so that it works for our need and clearOS.



    ### The customisations I must ask the developer to do ###

    It seems that new users must be added with the DN cn=[Full Name],ou=Users,ou=Accounts,dc=system,dc=lan and with the objectClasses clearAccount, inetOrgPerson, posixAccount, sambaSamAccount, shadowAccount and top. They usually add the organizationalPerson objectClass, but this seems to mess things up (unable to remove afterwards, and possibly giving objectClass violations in clearos_user), so I should probably make sure it isn't included.

    I think I understand most of the attributes now, so that I can give them the info they need to replicate:

    • clearAccountStatus = enabled

    • cn = [Full Name]

    • gidNumber = 63000
    • They usually use -1 but by clearOS default this is 63000 for any new normal user. It's also the gid for the linux group of any new users added through clearOS web.

    • homeDirectory = /home/[uid]
    • They usually use /home/[givenName] but this would give a conflict if any two users have the same first name so I prefer something unique such as the uid/username

    • sambaSID = [long line of numbers] and at the end the [uidNumber]
    • I'm guessing the first part is unique to the samba-install/network, because its the same for every user. Would be something else on a different clearOS server, and if samba was somehow reinstalled with all new config?

    • sn = [Family Name/Surname]
    • This one is required by inetOrgPerson objectclass, I think, but only sn is required for a user and not a givenName. organizationalPerson might require both?

    • uid = [username]
    • A unique username which will be the users login for clearOS, radius, etc. It will also be the same as the username the user has on our website.

    • uidNumber = [four digit unique user number, above 2000]
    • Any number below this is for system users and such, but if I remember correctly this can be set between 2000 and 65000. I want it to be some correlation to the website users number (3 digits at the moment), so easiest now is just to add a "2" in front of website user number which gives us more than enough unique numbers.

    • givenName = [First Name]
    • The users First name, e.g. "John". Attribute is not required by clearOS standards it seems...

    • loginShell = /sbin/nologin
    • Blocking the user from accessing a shell through ssh, or through a terminal if they had direct access to the server's HID

    • sambaAcctFlags = [U_____] (whitespace replaced by underscore because of formatting)
    • Something that is the same for every user, even for "users" such as "Flexshare System" and "Windows Administrator". No need to research further

    • sambaBadPasswordCount = 0
    • For every normal user we have this is always "0" but I'm guessing it has to do with the password policy and it's a count of number of failed logins or something

    • sambaBadPasswordTime = 0
    • Also always "0" so I won't spend much time on this

    • sambaDomainName = [domain without the ending]
    • If the system was online through the domain "google.com" then this would be just "google" - at least it is like that for us, and for every user (except Guest Account, Windows Administrator, etc, and for the first "normal" user created?)

    • sambaPrimaryGroupSID = [same long line of numbers as in sambaSID] but at the end it's a 3 digit number
    • The last 3 digits probably refers to any normal users group within the samba-realm. It's the same on every user so I should probably keep it simple and just replicate this for every new user added through LDAP

    • sambaPwdLastSet = [10 digit number] This could be some kind of binary date or time, usually set when changing the password for a user through clearOS webconfig, but as far as I have experienced this can also be "0" without messing anything up. Also connected to password policy, I guess?

    Can you, or someone at clearfoundation, confirm?


    The following attributes are not used by clearOS, as far as I can see, so they could be excluded:

    • displayName
    • gecos
    • initials

    Agree?


    Last, but not least, these attributes with various types of encrypted passwords, I might need to understand more about:

    • clearSHA1Password = [40 digits, lowercase letters and numbers]
    • The hashed password (in hex??), and the same that I find under the "userPassword" attribute when browsing the directory through ApacheDirectoryStudio. Is there something I need to share with the developer for them to modify the code to be able to store hashed passwords? Their plugin currently stores the plain text password.

    • clearSHAPassword = [starts with {sha} and then 28 digits of various symbols, numbers and letters in both upper- and lowercase]
    • The actual password, in hashed version? Same goes for this; any details I might need to share with them?

    • clearMicrosoftNTPassword = [32 digits, uppercase letters and numbers]
    • Set by clearOS php code when updating password, and it seems to be needed for auth to work for wpa2 enterprise wifi through radius? Nothing obvious about how this password is created though, and I cannot find it anywhere else in the directory.

    Can you offer me any guidance on these, please?


    So sorry for the lengthy posts, and for asking such an extreme amount of questions. But, hopefully this thread will be of some use for someone else with a related problem in the future.

    THANK YOU
  • Saturday, March 19 2022, 03:35 PM
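    Worked example of the entry shape the post above arrives at. This is added example code, not code from the original thread, from ClearOS, or from the website plugin. It builds the LDAP entry for one new user in the form php-ldap's ldap_add() takes and derives the four password attributes from a single plaintext, so the plugin never needs to store the plaintext. Assumptions not confirmed by the thread: the domain SID, sambaDomainName, sambaAcctFlags and primary-group RID are copied from an existing normal user (the thread only observes that sambaSID ends in uidNumber and sambaPrimaryGroupSID ends in a 3-digit RID); the hash formats are inferred from the lengths and prefixes reported in the thread (40 hex chars = SHA-1 hex, "{sha}" + 28 chars = base64 of the 20 raw SHA-1 bytes, 32 upper-case hex = NT hash, i.e. MD4 over the UTF-16LE password); userPassword is written in the "{sha}" form; the clearNextcloud* attributes are left out; the bind DN and host are placeholders.

```php
<?php
// Added example (not ClearOS or plugin code): build a ClearOS-style user entry
// for ldap_add() and compute the hashed password attributes listed in the thread.

function nt_hash(string $password): string
{
    // NT hash: MD4 over the UTF-16LE encoding of the password, 32 upper-case hex chars.
    return strtoupper(hash('md4', iconv('UTF-8', 'UTF-16LE', $password)));
}

function sha1_hex_hash(string $password): string
{
    // 40 lower-case hex chars (the clearSHA1Password length observed in the thread).
    return sha1($password);
}

function sha_ldap_hash(string $password): string
{
    // '{sha}' followed by base64 of the 20 raw SHA-1 bytes, which gives 28 chars.
    return '{sha}' . base64_encode(sha1($password, true));
}

/**
 * $user: uid, givenName, sn, uidNumber, password (plaintext; only hashes are stored).
 * $site: domainSid, domainName, groupRid, acctFlags (assumed: copied from an existing user).
 * Returns [dn, entry] for ldap_add($ds, $dn, $entry).
 */
function build_clearos_user(array $user, array $site): array
{
    $base      = 'ou=Users,ou=Accounts,dc=system,dc=lan';
    $cn        = trim($user['givenName'] . ' ' . $user['sn']);   // ClearOS keys the DN on cn, not uid
    $dn        = 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_DN) . ',' . $base;
    $uidNumber = (int) $user['uidNumber'];
    if ($uidNumber < 2000 || $uidNumber > 65000) {                // range quoted in the thread
        throw new InvalidArgumentException('uidNumber outside the 2000-65000 user range');
    }
    $pw = $user['password'];

    $entry = [
        // organizationalPerson deliberately omitted, as the post above recommends
        'objectClass' => ['top', 'inetOrgPerson', 'posixAccount', 'shadowAccount',
                          'sambaSamAccount', 'clearAccount'],
        'cn'                    => $cn,
        'sn'                    => $user['sn'],
        'givenName'             => $user['givenName'],
        'uid'                   => $user['uid'],
        'uidNumber'             => (string) $uidNumber,
        'gidNumber'             => '63000',                       // default group for normal users
        'homeDirectory'         => '/home/' . $user['uid'],       // keyed on uid so it is unique
        'loginShell'            => '/sbin/nologin',
        'clearAccountStatus'    => 'enabled',
        // Samba: domain SID plus a RID; the thread observed RID == uidNumber (assumption)
        'sambaSID'              => $site['domainSid'] . '-' . $uidNumber,
        'sambaPrimaryGroupSID'  => $site['domainSid'] . '-' . $site['groupRid'],
        'sambaDomainName'       => $site['domainName'],
        'sambaAcctFlags'        => $site['acctFlags'],
        'sambaBadPasswordCount' => '0',
        'sambaBadPasswordTime'  => '0',
        'sambaPwdLastSet'       => (string) time(),               // Unix epoch seconds
        // one plaintext in, only derived hashes out
        'userPassword'             => sha_ldap_hash($pw),         // assumed to match what webconfig writes
        'clearSHAPassword'         => sha_ldap_hash($pw),
        'clearSHA1Password'        => sha1_hex_hash($pw),
        'clearMicrosoftNTPassword' => nt_hash($pw),
        'sambaNTPassword'          => nt_hash($pw),
    ];
    return [$dn, $entry];
}

// Constructed sample input: not a real account, SID or domain.
[$dn, $entry] = build_clearos_user(
    ['uid' => 'jdoe', 'givenName' => 'John', 'sn' => 'Doe',
     'uidNumber' => 2123, 'password' => 'correct horse battery staple'],
    ['domainSid' => 'S-1-5-21-1111111111-2222222222-3333333333',
     'domainName' => 'example', 'groupRid' => 513, 'acctFlags' => '[U          ]']
);
print_r([$dn => $entry]);

// To write it, bind over TLS with an account allowed to add under ou=Users
// ($bindDn, $bindPassword and the host are placeholders):
// $ds = ldap_connect('ldaps://clearos.example.lan');
// ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_bind($ds, $bindDn, $bindPassword) or die(ldap_error($ds));
// ldap_add($ds, $dn, $entry) or die(ldap_error($ds));
```

    Before using the values this produces, compare every attribute against an entry that the webconfig "Update" button wrote, in particular the userPassword scheme and the sambaAcctFlags padding, since those are the two the thread does not pin down. Because the NT hash is an unsalted MD4 of the password, the same plaintext always yields the same clearMicrosoftNTPassword/sambaNTPassword value, so the plugin should send the entry only over ldaps or StartTLS and should not keep the plaintext after the add.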
    The thread you linked to is for 5.x, I think. The LDAP schema changed massively when 6.x was released. 7.x is the same as 6.x. I thought the 7.x structure was fairly standard. The only thing I think we do differently from standard is manipulate the uidNumber and sambaSID.
  • Saturday, March 19 2022, 01:55 PM
    Nick Howitt wrote:

    I have no idea if what you want is achievable. To do it you would need to reverse engineer what ClearOS does. I would start with the /usr/sbin/clearos_user command which is php. That takes you back to \clearos\apps\users\User_Factory which is /usr/clearos/apps/users/libraries/User_Factory.php and so on. I don't know the code and can only read some php.


    Ouch, yeah I see that it might be a major challenge. And it is starting to become clear to me that the issues we have with the website-plugin not being able to utilise the LDAP directory properly is something that has been debated before: the non-standard structure of the directory clearOS has chosen. It seems that the standard openldap structure is quite different.

    This thread gives me quite a bit of info on the subject:
    https://www.clearos.com/clearfoundation/social/community/ldap-hell#16194

    And, I have come across multiple other threads too where the user is frustrated with this being the case. I'm sure it had its reason during development, but it's becoming more and more obvious that this is not ideal and will create issues with almost every client out there, since it's not following the standard structure.

    ###


    This is the errors we get from /usr/sbin/clearos_user

    PHP notice: Undefined index: members - /usr/clearos/apps/openldap_directory/libraries/User_Driver.php (411)
    PHP warning: in_array() expects parameter 2 to be array, null given - /usr/clearos/apps/openldap_directory/libraries/User_Driver.php (411)
    PHP warning: ldap_modify(): Modify: Object class violation - /usr/clearos/apps/ldap/libraries/LDAP_Client.php (405)
    Object class violation

    Looking into the code this has to do with the group memberships of the user, and although the user I am trying to update the password for really is a member of multiple groups (including the default allusers) there is something in the code of clearos_user that makes it unable to list the groups even though the webconfig "Update" actually will continue with updating the users attributes...


    ###

    If only we found a way to bypass this violation, we could always call the clearos_user function from a webhook of some sort.

    But, in this case it could also be better to just have the developer of our website plugin do the changes needed to accommodate the different structure that clearOS is using. For us it's the end result that matters: it works, and does what we need it to do - and it doesn't cost us a fortune :-|
  • Saturday, March 19 2022, 12:50 PM
    I have no idea if what you want is achievable. To do it you would need to reverse engineer what ClearOS does. I would start with the /usr/sbin/clearos_user command which is php. That takes you back to \clearos\apps\users\User_Factory which is /usr/clearos/apps/users/libraries/User_Factory.php and so on. I don't know the code and can only read some php.
  • Friday, March 18 2022, 09:39 PM
    Nick Howitt wrote:

    ClearOS


    Yes, that would be perfect!

    Main criteria is that the new user's DN must be created by the plugin on our website*. This includes at least the cn, the uid, and the userPassword. If we can find a way to call an existing PHP code in clearOS that will follow up on this newly created LDAP user then that would be absolutely perfect.

    But - what php code should we look for/work with to be able to actually replicate the processes getting triggered when we click the "Update" button (in /app/users/edit/NEWUSER) of a new user created directly in the LDAP directory like this?

    I have noticed that the file user_driver.php could be the one triggered when initiating this Update manually. I have also learned that similar/same function can be available using /usr/sbin/clearos_user but this doesn't seem to be capable of the same as the actual webconfig Update-button (throwing errors and not populating with the missing attributes).

    Also, clicking "Update" without actually inputting the password of the new user doesn't end up creating the attributes clearMicrosoftNTPassword, clearSHA1Password and clearSHAPassword. During our testing these attributes (hashed passwords?) seem to be needed for the user to be able to authenticate on our wifi (Ubiquiti UniFi APs with Cloud Key), which uses the RADIUS service on the clearOS server to control access.

    *The reason being that the user creation needs to be automated, on initiation from the user and without any need for admin approval or interference.

    We are thankful for any pointers on this! If we cannot make it work by calling some php code in clearOS straight after the user appears in the LDAP directory then we are left with modifying the website plugin to actually populate every needed attribute correctly, which could become difficult since we are not the owners of the code used...
  • Friday, March 18 2022, 07:53 PM
    ClearOS
  • Friday, March 18 2022, 01:12 PM
    Nick Howitt wrote:
    I don't know the answer to this, but be careful of creating a watcher to monitor the LDAP database and then make a change to it. You could end up with a loop.


    OK, so better to keep the edits to the php-based plugin on our website?

    Nick Howitt wrote:
    Can you not call some of the existing PHP code rather than reinventing the wheel?


    Absolutely! But are you referring to php code in clearOS, or php code in the plugin on our website?
  • Friday, March 18 2022, 09:53 AM
    I don't know the answer to this, but be careful of creating a watcher to monitor the LDAP database and then make a change to it. You could end up with a loop.

    [edit]
    Can you not call some of the existing PHP code rather than reinventing the wheel?
    [/edit]