guacamole-user mailing list archives

From Nick Couchman <nick.couch...@yahoo.com>
Subject Re: ldap-user-search-filter
Date Wed, 09 Aug 2017 18:31:39 GMT
Are you getting any errors in your Tomcat log files?
Can you try pointing at port 3268 on your AD server, instead of the default 389?  There's
an issue with querying the global catalog that is in the process of being fixed (PR is open
for it), and I think querying the non-GC-port sometimes works.
-Nick


On Wednesday, August 9, 2017, 2:26:42 PM EDT, Erik Berndt <erikberndt@superiorpaving.net>
wrote:

Thanks Nick. I tweaked the search filter a little bit and am able to return the group membership
with ldapsearch, but when applying that same filter to guacamole.properties, no users are
able to authenticate. 
Is it possible there is an additional parameter that needs to be used in conjunction with
ldap-user-search-filter?
Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?  
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

On Wed, Aug 9, 2017 at 12:51 PM, Nick Couchman <nick.couchman@yahoo.com> wrote:

Not sure if this is a paste error or how you actually have it, but you have an extra quotation
mark:

ldap-user-search-filter; "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou="
Superior Paving Employees,dc=superiorpaving, dc=net))"

There should not be a quote in front of "Superior" in the memberOf= part of the filter - LDAP
filters can deal fine with spaces in the components of the filter, so your filter should look
like this:
ldap-user-search-filter: "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=
Superior Paving Employees,dc=superiorpaving, dc=net))"

Also, in the line you pasted in to the e-mail, you had a semicolon, instead of a colon, at
the end of ldap-user-search-filter.
If it still doesn't work, try using that filter in an "ldapsearch" command and make sure you
get results back:
ldapsearch -H ldap://ad.superiorpaving.net -D <YOUR BIND DN HERE> -W '(&(objectCategory=Group)(
sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou= Superior Paving Employees,dc=superiorpaving,
dc=net))'
Should do the trick.  If you get no results back or you get an error, fix it and try again.
-Nick
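The two mistakes Nick points out above (a `;` after the property key and a stray `"` inside the `memberOf=` component) are the kind of thing a small check catches before the servlet container is restarted and every login fails. The script below is an added example, not code from this thread or from the Guacamole project: it splits a guacamole.properties line into key and value, reports a `;` separator, checks the filter for balanced parentheses, quote characters and malformed leaves, and builds the argv for the ldapsearch verification step Nick describes. The two sample lines are constructed from the thread with the line-wrap spaces removed; the host name, bind DN and base DN in the usage block are placeholders, and the `-b` search base is an addition (Nick's command relies on the default base).

```python
import re
import shlex
from typing import List, Optional, Tuple

# Constructed sample lines modelled on the thread (line-wrap spaces removed):
# the broken line uses ';' after the key and has a stray '"' before "Superior";
# the fixed line has the shape Nick suggests.
BROKEN_LINE = (
    'ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)'
    '(memberOf=cn=Accounting,ou=groups,ou="Superior Paving Employees,'
    'dc=superiorpaving,dc=net))"'
)
FIXED_LINE = (
    'ldap-user-search-filter: "(&(objectCategory=Group)(sAMAccountName=*)'
    '(memberOf=cn=Accounting,ou=groups,ou=Superior Paving Employees,'
    'dc=superiorpaving,dc=net))"'
)

# An RFC 4515 leaf is an attribute type followed by =, ~=, >= or <= (presence is attr=*).
LEAF = re.compile(r'^[A-Za-z][A-Za-z0-9.;-]*(?:~=|>=|<=|=)')


def strip_quotes(value: str) -> str:
    """Drop one pair of surrounding double quotes, if present."""
    v = value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return v[1:-1]
    return v


def parse_property_line(line: str) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Split a properties line into (key, value, problems).

    Java .properties files separate key and value with ':' or '='. A ';' is
    not a separator, so it is reported instead of being silently accepted.
    """
    m = re.match(r'^\s*([^:=;\s]+)\s*([:=;])\s*(.*?)\s*$', line)
    if not m:
        return None, None, ["line is not of the form key: value"]
    key, sep, value = m.groups()
    problems: List[str] = []
    if sep == ';':
        problems.append(f"'{key}' is followed by ';' instead of ':' or '='")
    return key, value, problems


def check_ldap_filter(value: str) -> List[str]:
    """Report syntax problems in an LDAP search filter (RFC 4515 shape)."""
    problems: List[str] = []
    f = strip_quotes(value)
    if '"' in f:
        problems.append("stray double quote inside the filter (LDAP filters have no quoting)")
    if not f.startswith('('):
        problems.append("filter must start with '('")
    depth = 0
    for i, ch in enumerate(f):
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                problems.append(f"unmatched ')' at offset {i}")
                break
    if depth > 0:
        problems.append(f"{depth} unclosed '('")
    # Innermost parenthesised items are the leaves; '&', '|' and '!' need sub-filters.
    for leaf in re.findall(r'\(([^()]*)\)', f):
        if leaf[:1] in ('&', '|', '!'):
            problems.append(f"'{leaf[0]}' operator with no sub-filters")
        elif not LEAF.match(leaf):
            problems.append(f"leaf '{leaf}' is not attributeType=value")
    return problems


def check_property_line(line: str) -> List[str]:
    """Combined check for an ldap-user-search-filter line."""
    key, value, problems = parse_property_line(line)
    if key == 'ldap-user-search-filter' and value is not None:
        problems += check_ldap_filter(value)
    return problems


def ldapsearch_argv(uri: str, bind_dn: str, base_dn: str, ldap_filter: str) -> List[str]:
    """argv for the verification step: run the same filter with ldapsearch.

    Returned as a list so there is no shell quoting to get wrong; -W prompts for
    the bind password so it never appears in process listings or shell history.
    """
    return ["ldapsearch", "-H", uri, "-D", bind_dn, "-W", "-b", base_dn,
            strip_quotes(ldap_filter), "dn"]


if __name__ == "__main__":
    for line in (BROKEN_LINE, FIXED_LINE):
        print(line)
        for p in check_property_line(line) or ["ok"]:
            print("  ", p)
    # Placeholder host, bind DN and base DN; 3268 is the global-catalog port mentioned in the thread.
    _, value, _ = parse_property_line(FIXED_LINE)
    print(shlex.join(ldapsearch_argv("ldap://ad.example.net:3268",
                                     "cn=svc-guac,ou=service,dc=example,dc=net",
                                     "dc=example,dc=net", value or "")))
```

Run it against the two sample lines: the broken one reports the `;` separator and the stray quote, the fixed one reports nothing, and the printed ldapsearch command is the one to paste into a shell to confirm the filter returns entries before touching the running Guacamole instance.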

On Wednesday, August 9, 2017, 12:46:13 PM EDT, Erik Berndt <erikberndt@superiorpaving.net> wrote:


I'm attempting to filter AD groups permitted to login through Guacamole, which is making use
of the auth-mysql and auth-ldap extensions. Login works fine for the users defined in the
ldap-user-base-dn.

When I define the ldap-user-search-filter and reset the servlet container, all users are prevented
from logging in.

This is my first time writing ldap filters, so it's very possible this is a syntax issue.
My search filter in guacamole.properties is as follows:

ldap-user-search-filter; "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou="
Superior Paving Employees,dc=superiorpaving, dc=net))"

Can anyone assist me with this filter? 

I also have tried to restrict the ldap-user-base-dn to the specific group I want to give access
to, but am running into the same issue.

Erik Berndt / Systems Administrator


