guacamole-user mailing list archives

From Nick Couchman <nick.couch...@yahoo.com>
Subject Re: ldap-user-search-filter
Date Wed, 09 Aug 2017 16:51:59 GMT
Not sure if this is a paste error or how you actually have it, but you have an extra quotation
mark:

ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou="Superior Paving Employees,dc=superiorpaving,dc=net))"

There should not be a quote in front of "Superior" in the memberOf= part of the filter - LDAP
filters can deal fine with spaces in the components of the filter, so your filter should look
like this:
ldap-user-search-filter: "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou=Superior Paving Employees,dc=superiorpaving,dc=net))"

Also, in the line you pasted in to the e-mail, you had a semicolon, instead of a colon, at
the end of ldap-user-search-filter.
If it still doesn't work, try using that filter in an "ldapsearch" command and make sure you
get results back:
ldapsearch -H ldap://ad.superiorpaving.net -D <YOUR BIND DN HERE> -W '(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou=Superior Paving Employees,dc=superiorpaving,dc=net))'
Should do the trick.  If you get no results back or you get an error, fix it and try again.
-Nick
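The two slips called out above (a ';' where the property separator belongs, and a stray double quote inside the memberOf DN) are both pure syntax, so they can be caught before touching the servlet container. The following checker is an added example and is not code from the thread or from the Guacamole project. It assumes guacamole.properties follows java.util.Properties rules (the key ends at the first ':', '=' or whitespace, so a trailing ';' becomes part of the key), parses the filter against the RFC 4515 grammar, and flags double quotes in assertion values because RFC 4514 DN strings are never quoted. The sample lines are constructed from the thread; the surrounding quotes on the value are stripped before the filter is examined.

```python
import re

# Constructed sample lines: the one pasted in the thread (with both slips)
# and the corrected version proposed in the reply.
BROKEN_LINE = ('ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)'
               '(memberOf=cn=Accounting,ou=groups,ou="Superior Paving Employees,'
               'dc=superiorpaving,dc=net))"')
FIXED_LINE = ('ldap-user-search-filter: "(&(objectCategory=Group)(sAMAccountName=*)'
              '(memberOf=cn=Accounting,ou=groups,ou=Superior Paving Employees,'
              'dc=superiorpaving,dc=net))"')

_KEY_VALUE = re.compile(r'^\s*([^\s:=]+)\s*[:=]?\s*(.*?)\s*$')
_SIMPLE_ITEM = re.compile(r'([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)(.*)', re.S)


def split_property(line):
    """Split a .properties line into (key, value).

    Assumption: java.util.Properties rules, where the key ends at the first
    unescaped ':', '=' or whitespace.  A mistyped separator such as ';'
    therefore ends up inside the key instead of terminating it.
    """
    m = _KEY_VALUE.match(line)
    if not m:
        raise ValueError("not a key/value line")
    return m.group(1), m.group(2)


def parse_filter(text):
    """Parse an RFC 4515 search filter into a small tree.

    Returns ('&'|'|', [children]), ('!', child) or (attr, op, value).
    Raises ValueError naming the offset of the first syntax problem.
    """
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing text after filter at offset {end}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in '&|':
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == '(':
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"empty '{op}' filter at offset {i}")
        node = (op, children)
    elif i < len(s) and s[i] == '!':
        child, i = _parse(s, i + 1)
        node = ('!', child)
    else:
        j = i
        while j < len(s) and s[j] != ')':
            j += 2 if s[j] == '\\' else 1      # a '\xx' escape never ends the item
        m = _SIMPLE_ITEM.fullmatch(s[i:j])
        if not m:
            raise ValueError(f"malformed assertion at offset {i}")
        attr, op, value = m.groups()
        if '(' in value:
            raise ValueError(f"unescaped '(' in value of {attr} at offset {i}")
        node = (attr, op, value)
        i = j
    if i >= len(s) or s[i] != ')':
        raise ValueError(f"missing ')' at offset {i}")
    return node, i + 1


def _leaves(node):
    """Yield every (attr, op, value) assertion in the tree."""
    if node[0] in ('&', '|'):
        for child in node[1]:
            yield from _leaves(child)
    elif node[0] == '!':
        yield from _leaves(node[1])
    else:
        yield node


def check_search_filter_line(line):
    """Return a list of problems found in a ldap-user-search-filter line ([] if clean)."""
    found = []
    key, value = split_property(line)
    if not re.fullmatch(r'[A-Za-z0-9._-]+', key):
        found.append(f"property name {key!r} contains a stray character; "
                     "put ':' or '=' directly after the name")
    # The thread wraps the value in double quotes; examine the filter inside them.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    try:
        tree = parse_filter(value)
    except ValueError as exc:
        return found + [f"filter syntax: {exc}"]
    for attr, _op, val in _leaves(tree):
        if '"' in val:
            found.append(f"double quote inside the value of {attr}: DN strings are "
                         "not quoted (RFC 4514), so spaces need no quoting")
    return found


if __name__ == "__main__":
    for label, line in (("broken", BROKEN_LINE), ("fixed", FIXED_LINE)):
        print(label, check_search_filter_line(line) or "ok")
```

Running the module reports two problems for the pasted line and none for the corrected one; the parser also rejects unbalanced parentheses and unescaped '(' in values, which are the other common reasons a hand-written filter silently matches nothing.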

On Wednesday, August 9, 2017, 12:46:13 PM EDT, Erik Berndt <erikberndt@superiorpaving.net>
wrote:


I'm attempting to filter AD groups permitted to login through Guacamole, which is making use
of the auth-mysql and auth-ldap extensions. Login works fine for the users defined in the
ldap-user-base-dn.

When I define the ldap-user-search-filter and reset the servlet container, all users are prevented
from logging in.

This is my first time writing ldap filters, so it's very possible this is a syntax issue.
My search filter in guacamole.properties is as follows:

ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou="Superior Paving Employees,dc=superiorpaving,dc=net))"

Can anyone assist me with this filter? 

I also have tried to restrict the ldap-user-base-dn to the specific group I want to give access
to, but am running into the same issue.

Erik Berndt / Systems Administrator
