guacamole-user mailing list archives

From Robin Cook <Robin.C...@mdsl.com>
Subject RE: Multiple Guacamole Properties
Date Tue, 22 Nov 2016 09:39:14 GMT
Hello,

A couple of things to try: point Guacamole at a global catalogue and use port 3268. Try pointing
the LDAP Bind DN to your root domain like this:

LDAP_PORT=3268
LDAP_USER_BASE_DN=dc=test,dc=com
'LDAP_SEARCH_BIND_DN=CN=guac service,OU=Service_Accounts,DC=test,DC=com'
LDAP_SEARCH_BIND_PASSWORD=yourpassword

Then any account should be able to log in.

Kind regards,

Robin

From: Amin Joodaki [mailto:judaki1364@yahoo.com]
Sent: 22 November 2016 07:43
To: user@guacamole.incubator.apache.org
Subject: Re: Multiple Guacamole Properties

Hi Mike,

First of all, special appreciation to the Guac. team.
After that:
Our exact Active Directory 2012 layout is as below:
dc=test,dc=com
ou=dep1,OU=Accounts,dc=test,dc=com
ou=dep2,OU=Accounts,dc=test,dc=com
ou=serviceAccounts,OU=Accounts,dc=test,dc=com

And the settings in the file Guac.properties are as below:
ldap-hostname: 172.24.3.24
ldap-port: 389
ldap-user-base-dn: OU=Accounts,dc=test,dc=com
ldap-search-bind-dn: CN=ldapUser,ou=serviceAccounts,OU=Accounts,dc=test,dc=com
ldap-search-bind-password: P@ssw0rd
ldap-username-attribute: sAMAccountName

Also, the IP address of the Guac. is 172.24.3.23 (which is directly connected to AD, without
any firewall in between).

The problem!!! is that, with the above configuration, no user can log in.

But when we change the ldap-user-base-dn to ou=dep1,OU=Accounts,dc=test,dc=com, users under
OU dep1 can successfully log in while the users under ou=dep2,OU=Accounts,dc=test,dc=com cannot
log in.

Looking forward to your kind reply.
Best Hopes

On Sunday, November 20, 2016 3:51 AM, Mike Jumper <mike.jumper@guac-dev.org> wrote:

Hi Amin,

Guacamole doesn't support multiple instances under the same servlet container. That said,
even if it did, I don't think that is a good solution to your problem.

If the current LDAP support does not properly map users within your Active Directory, then
the best way forward would be to identify what needs to change in the LDAP auth to support
the way your users are organized.

If you can guarantee that the usernames are unique, even if they are within different OU's,
you can probably get things working as-is by simply choosing an "ldap-user-base-dn" which
is common to the DN's of all users (even if they are otherwise technically within different
OU's) and using "ldap-search-bind-dn", "ldap-search-bind-password", and (if necessary) "ldap-username-attribute"
to define how AD should be queried to translate usernames to fully-qualified DN's.

If the above doesn't work, can you provide a more concrete example of how your AD users are
organized?

Thanks,

- Mike


On Wed, Nov 16, 2016 at 1:01 AM, Amin Joodaki <judaki1364@yahoo.com> wrote:
Dear All,
I connected Guacamole to a database and Active Directory, but Guacamole is unable to detect all OUs
in Active Directory and it understands just the OU that is defined in the path in the properties file. So I want
to set up some guacamole.war (client) files in Tomcat to separate my departments on the login page,
for example:

http://192.168.1.1:8080/department1
http://192.168.1.1:8080/department2
...
and assign a specific guacamole.properties to each department.
How can I set different properties files and assign them to my guacamole.war files?
Best
Amin
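
Added example (not part of any message in this thread, and not Guacamole's own code): an offline Python model of the lookup Mike describes, where a username is translated to a DN by searching the whole subtree under "ldap-user-base-dn". It uses the OU layout from Amin's message with constructed user entries; the function names are hypothetical, and it shows why the chosen username attribute must be unique under the chosen base DN.

```python
import re

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) RDN pairs."""
    # Simplification: only '\,' escapes are honoured; multi-valued RDNs are not handled.
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_subtree(dn, base_dn):
    """True if dn is at or below base_dn, i.e. inside an LDAP subtree search."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def resolve(entries, base_dn, attr, username):
    """Return every DN under base_dn whose attr matches username (case-insensitive)."""
    return [e["dn"] for e in entries
            if in_subtree(e["dn"], base_dn)
            and e.get(attr, "").lower() == username.lower()]

def ambiguous_usernames(entries, base_dn, attr):
    """Map each attr value that matches more than one entry under base_dn to its DNs."""
    seen = {}
    for e in entries:
        if in_subtree(e["dn"], base_dn) and attr in e:
            seen.setdefault(e[attr].lower(), []).append(e["dn"])
    return {name: dns for name, dns in seen.items() if len(dns) > 1}

# Constructed sample directory: OU layout from the thread, user names made up.
BASE = "OU=Accounts,dc=test,dc=com"
ENTRIES = [{"dn": f"CN={cn},ou={ou},{BASE}", "cn": cn, "sAMAccountName": sam}
           for cn, ou, sam in [("Alice Example", "dep1", "alice"),
                               ("Bob Example", "dep2", "bob"),
                               ("J Smith", "dep1", "jsmith1"),
                               ("J Smith", "dep2", "jsmith2"),
                               ("ldapUser", "serviceAccounts", "ldapUser")]]

if __name__ == "__main__":
    # A base DN of one department OU cannot see users in the other department.
    print(resolve(ENTRIES, "ou=dep1," + BASE, "sAMAccountName", "bob"))
    # The common parent covers both departments.
    print(resolve(ENTRIES, BASE, "sAMAccountName", "bob"))
    # With the wider base, an attribute such as cn is no longer unique.
    print(ambiguous_usernames(ENTRIES, BASE, "cn"))
    print(ambiguous_usernames(ENTRIES, BASE, "sAMAccountName"))
```

Running the same ambiguity check against an export of the real directory, before widening the base DN, shows whether the chosen username attribute still identifies exactly one account.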