OCS-NG 2.2RC1 server – complete install and configuration with LDAP

New and updated version for Debian Stretch and OCS Inventory NG server 2.5 can be found here!

 

 

In this easy tutorial we will install and configure OCS-NG Server. If you want to know what OCS-NG is, please read below and visit the product site.

Table of contents:

  1. What is OCS-NG
  2. Requirements for this tutorial
  3. Installation
  4. LDAP Patch
  5. Finish!

1. What is OCS-NG

Open Computers and Software Inventory Next Generation is a technical management solution for IT assets.
Since 2001, OCS Inventory NG has tried to make the automated inventory of computer hardware more efficient.
Today, our solution is not limited to inventory. It includes a sophisticated deployment system, interfacing with third tier applications, network device scans, and more…

Full description on ocs-ng project home page: http://www.ocsinventory-ng.org/en/

Highlights

  • Lightweight bandwidth usage and small OS footprint.
  • High performance: about 1 000 000 computers inventoried per day using a bi-Xeon 3 GHz server with 4 GB RAM.
  • Based on well-known products such as Apache web server, MySQL database server, PHP and Perl scripting languages.
  • Modular solution with lots of plugins and interfacing with other IT and Asset Management Software like GLPI.

2. Requirements for this tutorial

Software

In this tutorial we will need the following pieces of software:

I strongly recommend running this install inside a virtual machine, since wiping it, reformatting or restarting is much faster than on a standalone server:)

I performed all steps a few times inside a virtual environment (vSphere 5.5 hypervisor aka ESXi) but this should apply to any other environment.

Hardware/vm requirements

Our machine should have at least:

  • 1 (v)CPU with 2 cores
  • 2Gigs of RAM
  • 1 Gigabit Ethernet
  • 16GB of storage

Once again, I assume you are installing it in a virtual environment, so things like vm-tools will not be necessary on standalone servers. I will not cover how to install ESXi or VMware Player since that is material (especially ESXi) for a complete series of guides:)

3. Installation

To be honest, installation is quite simple since all packages are available for Debian 8.x (Jessie). We don't need to compile anything from sources or manually register or install dependencies. That saves us quite a bit of work. I know that on some other Linux distros installation might be more straightforward, but I'm used to Debian and feel quite comfortable in this environment.

Installation consists of three main steps:

  1. Installation of Debian OS
  2. Installation of required packages
  3. Installation of OCS-NG

Installation of Debian OS

  1. Burn the Debian ISO to disk or mount it as a CD/DVD in the VM
  2. Boot from the above
  3. Select to install Debian in the 64-bit version with minimum options: SSH Server, system utilities. Do not install WWW, DB or other services.
  4. Leave the rest of the options, like language or partitioning, at their default settings.
  5. Reboot and log in to the shell
  6. Now, we need to install the required packages in order to be able to perform the rest of the steps. Of course all installs must be performed with root privileges.
  7. Let's type some commands, at last!:

Installation of required packages

Update repositories:

Install Open VM Tools – they simply work better than the original VM-tools from VMware.

After the above it's good to restart the VM. Good old Windows school 🙂
Now, install the rest of the packages (system utils):

Install Apache2:

Now, packages for it:

Restart Apache with the following command:

Continue with installation of packages:

Configure CPAN:

Install Zip package for perl:

Now, install MySQL:

After typing the above command you will have to specify the root and admin passwords for the MySQL server. Note them somewhere.
In addition to MySQL I like to have a visual representation of databases, so let's install phpMyAdmin:

Now, we need to link phpMyAdmin to Apache to be able to actually use it:

After that restart apache or even the whole server:

Now, you should be able to access your new server at:

  • http://localhost – default apache landing page
  • http://localhost/phpmyadmin – MySQL phpMyAdmin management suite

A good idea (for troubleshooting and config checks) is to place a little apache info file in the WWW root. It will display all apache info in one place. This can be very useful for monitoring changes in the apache config, loaded modules etc. So let's add this file:

New screen will appear
Paste below code into it, press CTRL+X and then confirm changes by pressing Y and then ENTER:

Now, by navigating to:
http://localhost/info.php
you will have a nice view at whole apache config. I personally find it very useful. Of course, after setting up everything remove this file for security reasons.

Installation of OCS-NG Server

Installation of the server itself is quite simple. The OCS team provides a nice install script that does pretty much everything for us. If all required packages are available and the running user has root privileges, everything should go hassle-free.

First of all we need to download latest build:

Then extract it somewhere. This might be your current dir if you are in, for example, /home/ or /tmp/:

Enter new directory and execute:

The install script should now configure pretty much everything for you. At some points you will have to give a non-default answer:

  • When the script asks about the main apache conf file. If you didn't change anything, paste this: /etc/apache2/apache2.conf*
  • When the script checks: Checking for Apache Include configuration directory…, paste this: /etc/apache2/sites-enabled*
  • The script will ask if you want to use SOAP extensions and will most likely report that libraries are missing. Just continue.

*this might be found in info.php results 🙂

The script should finish with a message that the apache service needs to be restarted. We will do it in a few moments.

Now it’s good time to fix some permissions:

Now, restart apache:

After this, the OCS server is almost ready.
Navigate to:
http://localhost/ocsreports
You should get install screen for OCS. Type in:

  • root user for mySql
  • root pass for mySql
  • name of database: I use default: ocsweb
  • hostname of mySql: localhost (since it all runs on one server)

Now you will get a screen saying that the DB needs to be updated. Press Perform the update. After the upgrade you will be able to log in to the OCS server by typing admin as both user and password.

Ok, back to command line. Installer sets default user and pass for ocsweb DB as ocs/ocs. It’s ok for test environment, but in production we need to change it.

  1. Login to phpMyAdmin with DB root login and pass
  2. Find the Users tab in the main window
  3. Note that there will be two ocs users; click on ocs@localhost (or whatever the host is)
  4. Click Edit Permissions
  5. Click Change password
  6. Change password and submit changes.

Now, OCS will stop working. It’s ok. Now we need to change password in OCS config:

Now OCS reports should be running again.
Now, just delete install script by typing following command:

Base OCS is now installed and running:)
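
A post-install check for the leftovers this section mentions (info.php, the install script, the installer's ocs default password), as an added example that is not part of the original tutorial. The three paths are arguments; the install.php file name and the PSWD_BASE and OCS_DB_PWD setting names are assumptions based on a stock OCS install rather than on this page, and the Apache file meant is the one a commenter below points to (/etc/apache2/sites-enabled/z-ocsinventory-server.conf).

```shell
#!/bin/sh
# Added example: audit an OCS-NG server for leftovers from the installation.
# Usage: sh audit_ocs.sh WEBROOT OCSREPORTS_DIR OCS_APACHE_CONF

audit_ocs() {
    webroot=$1; reports=$2; conf=$3
    findings=0
    q="[\"']"   # matches either PHP quote character

    # 1. Diagnostic page and installer that should be deleted after setup.
    #    install.php is the assumed name of the OCS install script.
    for f in "$webroot/info.php" "$reports/install.php"; do
        if [ -e "$f" ]; then
            echo "LEFTOVER    $f"
            findings=$((findings + 1))
        fi
    done

    # 2. Console config still carrying the installer's default password "ocs".
    f="$reports/dbconfig.inc.php"
    if [ -r "$f" ] && grep -Eq \
        "^[[:space:]]*define\([[:space:]]*${q}PSWD_BASE${q}[[:space:]]*,[[:space:]]*${q}ocs${q}" "$f"
    then
        echo "DEFAULT-PW  $f"
        findings=$((findings + 1))
    fi

    # 3. The same default in the communication server's Apache config.
    if [ -r "$conf" ] && grep -Eq \
        '^[[:space:]]*PerlSetVar[[:space:]]+OCS_DB_PWD[[:space:]]+"?ocs"?[[:space:]]*$' "$conf"
    then
        echo "DEFAULT-PW  $conf"
        findings=$((findings + 1))
    fi

    # Non-zero exit status when anything was found, for use in cron or CI.
    [ "$findings" -eq 0 ]
}

# Run only when called with the three paths.
if [ "$#" -eq 3 ]; then
    audit_ocs "$@"
fi
```

Each finding is printed on its own line, and the exit status is non-zero as long as at least one remains.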

4. LDAP Patch

As you should know by now, ocs supports external authentication through LDAP to Active Directory. It is very useful since you do not need to define users inside ocs, manage passwords etc. LDAP configuration tutorial is provided by OCS team on their wiki page: http://wiki.ocsinventory-ng.org/index.php/Documentation:OCSsynchroLDAP.

The above tutorial is quite simple, but I found that group checking did not quite work after setting everything up according to it. Basically all configuration is covered in it and you must follow it to enable LDAP. Right after enabling it, I encourage you to patch it a little to avoid the following:

  • every LDAP-authenticated user may log in to OCS (no matter whether he/she has the specified LDAP group)
  • a user with the LDAP group is added to the local users DB. After removing the user from the group or the group from the user, he/she is still able to log in
  • an LDAP user is granted the specified rights no matter whether he/she is a member of the specified group or not

I think I have managed to fix this a little by editing 2 files:

  • /usr/share/ocsinventory-reports/ocsreports/backend/AUTH/auth.php
  • /usr/share/ocsinventory-reports/ocsreports/backend/identity/identity.php

Changed sources are attached below:
/usr/share/ocsinventory-reports/ocsreports/backend/AUTH/auth.php:

/usr/share/ocsinventory-reports/ocsreports/backend/identity/identity.php:

You may also download it here: https://miloszengel.com/downloads/ocsng/ocsng-ldap2.2-fixed.zip
Fix permissions for /usr/share/ocsinventory-reports/ by issuing the command below:

Now, one last restart of the apache (just to make sure everything is working):

It wasn't so hard, was it 🙂 ?

5. Finish!

That is pretty much all. One more thing is important. Users authenticated by LDAP are added to the local user DB (this is by design). To restrict login and permissions to users who are members of the specified AD group, local authentication must be switched off by setting $list_methode=array(0=>"ldap.php"); in both AUTH/auth.php and identity/identity.php. Otherwise, users who were added to the local DB after a successful login will still be able to log in even after their AD group membership is removed, because they are already in the local user DB. Switching off local authentication ensures that only AD users with the proper AD group are allowed to log in. This might be a little problematic if the AD source is not available, but in that case just re-enable local authentication in the above files and you will be able to log in using local accounts like admin, etc.
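
One way to confirm the setting described above is actually in effect in both files, as an added example that is not part of the original patch. It assumes the $list_methode assignment sits on a single line, as in the setting quoted above; the two file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: verify that OCS only authenticates against LDAP.
# Usage: sh ldap_only.sh .../backend/AUTH/auth.php .../backend/identity/identity.php

# Print the backend names on the last uncommented, single-line
# $list_methode assignment in FILE, one per line.
# Lines starting with // or # are skipped; /* */ blocks are not parsed.
active_methods() {
    grep -E '^[[:space:]]*\$list_methode[[:space:]]*=' "$1" | tail -n 1 |
        grep -Eo "[\"'][A-Za-z0-9_]+\.php[\"']" | tr -d "\"'" | sort -u
}

# Return 0 only if both files list exactly ldap.php and nothing else.
ldap_only() {
    rc=0
    for f in "$1" "$2"; do
        m=$(active_methods "$f" | tr '\n' ' ')
        if [ "$m" = "ldap.php " ]; then
            echo "OK    $f"
        else
            echo "FAIL  $f: ${m:-no active list_methode line found}"
            rc=1
        fi
    done
    return "$rc"
}

# Run only when called with the two file paths.
if [ "$#" -eq 2 ]; then
    ldap_only "$@"
fi
```

A FAIL line that names any backend besides ldap.php means accounts already copied into the local user DB can still log in after their AD group membership is removed.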

Thank you for reading this tutorial, as it's my first one. I hope you enjoyed it. That being said, I encourage you to leave a reply.

I will cover switching to SSL in next part allowing you to enable deployment feature which is quite powerful if used right.

Enjoy 🙂


October 21st, 2015 (timestamp 2018-11-02T14:46:28+00:00) | How-To's, OCS Inventory NG | 20 Comments

About the Author:

I am passionate about Systems Administration. I like to face new challenges and test new environments. Windows and Linux Debian boxes (both physical and virtual) are my favourites. I like solving problems related to Windows Server roles and services as well as Linux but some distributions in particular. I'm not considering myself as Linux master but surely, I always do my best to fit the needs. On the other hand I consider myself as a Windows Server Professional and in terms of WS and Windows Desktops I always follow best practices, good advice and opinions from other admins.

20 Comments

  1. Calamarz December 8, 2015 at 17:07

    Great job! Thanks for this how to!!

    Philippe

  2. Calamarz December 9, 2015 at 10:47

    An observation: if you change the default mysql password for the OCS user you must change the password in:

    /etc/apache2/sites-enabled/z-ocsinventory-server.conf

    otherwise the agent on pc can’t connect and back up the inventory

    • milosz December 9, 2015 at 14:42

      Yes this is true. You might, however, edit the file
      nano /usr/share/ocsinventory-reports/ocsreports/dbconfig.inc.php
      In the following line
      define("COMPTE_BASE","ocsservice");
      change "ocsservice" to your mysql SQL user name. This should do the trick and let you avoid mixing conf files:)

  3. Jacopo December 18, 2015 at 09:42

    Hi, thank you for this how to!!

    It all works fine,
    but when I try to use all plugins, even if the installation does not report errors, in the configuration page appears this error: "400 Bad Request".
    Did you have the same problem ?
    Can you help me?

    • milosz December 18, 2015 at 11:47

      Hello, I didn’t test plugins on 2.2RC1 yet, but few things you might want to check besides, can you provide some more detail on which plugin you want to install?
      Do you encounter this error on plugins page itself or for specific plugin?
      Have you performed all necessary steps to install plugin? Most of them have to be installed manually, not by install script from GUI.
      To be honest I encountered a few errors with plugins installation on 2.1 but they weren't so hard to fix. Keep in mind, that after all it's just an apache with plain php site:)

      For example after installing msofficekey retrieval plugin I had to modify few things on management server as well according to this guide:
      http://wiki.ocsinventory-ng.org/index.php/Plugins:MSofficeKey
      and then modify a table in DB (I do not remember now, but have plans to develop a guide about installing plugins in 2.2 :)). Then plugin started to work.
      Basically HTTP error 400 means that server doesn't know what to do with HTTP request from client (you through GUI). I assume something is missing with config, maybe a permission problem. You may want to check apache logs located in: /var/log/apache2.
      This might help you point the problem. I assume you restarted apache and / or server?
      If you provide some more details I could try to reproduce the error and provide more help.
      Cheers

  4. Konrad April 19, 2016 at 09:19

    Hello

    I followed your instructions but without LDAP,

    I was trying to add PC (windows) using the ocs_windows_agent setup (2.1.1.3) but in OCS Inventory PC’s number is “0”,

    in logs on server is something like that:

    Mon Apr 18 23:48:36 2016;2915;322;XYZ-HP-2016-04-12-11-29-23;172.20.1.88;OCS-NG_WINDOWS_AGENT_v2.1.1.3;notify;no_device

    Installation on windows agents looks like that:

    1. Server URL: http://172.20.1.89/ocsinventory

    I leave the rest unchanged

    2. the only thing I marked is “=/NOW”

    I will be grateful for your help 🙂

  5. Elias April 27, 2016 at 14:17

    Hi Milosz,

    When using your customised version of the auth.php and identity.php files I get the following errors in my log

    [Wed Apr 27 14:15:53.026843 2016] [:error] [pid 33037] [client 172.17.38.141:58801] PHP Fatal error: Call to undefined function connexion_local_read() in /usr/share/ocsinventory-reports/ocsreports/backend/AUTH/auth.php on line 27

    Do you have any idea what I should change to get this working?

    Thanks

    • Miłosz Engel April 27, 2016 at 14:59

      Have you tried downloading the files from https://miloszengel.com/downloads/ocsng/ocsng-ldap2.2-fixed.zip and replacing with yours? Link is below the 2 long code blocks in post. In original version (from download) line 27 is commented out. Code embedded on site might have corrupted characters like “& l t ; ? php” instead “

      • Elias April 28, 2016 at 11:02

        I managed to get it working, I had accidentally placed the ldap.php file in the wrong subfolder. Thanks!

  6. Murat May 4, 2016 at 14:44

    Debian 8.4 works very well.

  7. Holger September 20, 2016 at 14:17

    Awesome!!! Thank you so much! Everyone could install OCS with this…

  8. Elton October 21, 2016 at 15:53

    Hello, thanks for the post, was very helpful. I would like to ask for your help, I am getting the below error after the user logs on.
    NO RIGHTS DEFINED LEVEL TO YOUR PROFILE

    I also realized that even a user who is not a member of the specified group can authenticate.

    Grateful.

    • Miłosz Engel October 22, 2016 at 00:24

      As I understand, you didn't assign a profile for that user. What kind of authentication are you using? Ldap/AD or built in?

      • Elton October 24, 2016 at 12:35

        Thanks for the feedback. I am using your script to authenticate the LDAP / AD.
        This profile is created in OCS? Because there exist groups, I believe that’s it. The logic is that after logging OCS adds this user to a group, if Super Administrator, as configured in the properties.

        I need to create the user both on AD and in OCS? Does not make sense.

        • Miłosz Engel October 24, 2016 at 19:01

          Apart from configuring apache to allow ldap (aka backend/ldap.php patch) authentication you need to define profile that will be assigned to ldap groups. You do that in OCS GUI. Whole thing about creating users is that OCS automatically creates a user when successful ldap authentication is performed.
