From: Nick Couchman <nick.couchman@yahoo.com>
To: user@guacamole.incubator.apache.org
Date: Wed, 9 Aug 2017 18:31:39 +0000 (UTC)
Subject: Re: ldap-user-search-filter
Message-ID: <708477906.580654.1502303499653@mail.yahoo.com>
References: <719279744.486880.1502297519186@mail.yahoo.com>

Are you getting any errors in your Tomcat log files?

Can you try pointing at port 3268 on your AD server, instead of the default 389? There's an issue with querying the global catalog that is in the process of being fixed (PR is open for it), and I think querying the non-GC-port sometimes works.

-Nick

On Wednesday, August 9, 2017, 2:26:42 PM EDT, Erik Berndt <erikberndt@superiorpaving.net> wrote:

Thanks Nick. I tweaked the search filter a little bit and am able to return the group membership with ldapsearch, but when applying that same filter to guacamole.properties, no users are able to authenticate.

Is it possible there is an additional parameter that needs to be used in conjunction with ldap-user-search-filter?

Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

On Wed, Aug 9, 2017 at 12:51 PM, Nick Couchman <nick.couchman@yahoo.com> wrote:

Not sure if this is a paste error or how you actually have it, but you have an extra quotation mark:

ldap-user-search-filter; "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving Employees,dc=superiorpaving, dc=net))"

There should not be a quote in front of "Superior" in the memberOf= part of the filter - LDAP filters can deal fine with spaces in the components of the filter, so your filter should look like this:

ldap-user-search-filter: "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou= Superior Paving Employees,dc=superiorpaving, dc=net))"

Also, in the line you pasted in to the e-mail, you had a semicolon, instead of a colon, at the end of ldap-user-search-filter.

If it still doesn't work, try using that filter in an "ldapsearch" command and make sure you get results back:

ldapsearch -H ldap://ad.superiorpaving.net -D <YOUR BIND DN HERE> -W '(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou= Superior Paving Employees,dc=superiorpaving, dc=net))'

Should do the trick. If you get no results back or you get an error, fix it and try, again.

-Nick

On Wednesday, August 9, 2017, 12:46:13 PM EDT, Erik Berndt <erikberndt@superiorpaving.net> wrote:

I'm attempting to filter AD groups permitted to login through Guacamole, which is making use of the auth-mysql and auth-ldap extensions. Login works fine for the users defined in the ldap-user-base-dn.

When I define the ldap-user-search-filter and reset the servlet container, all users are prevented from logging in.

This is my first time writing ldap filters, so it's very possible this is a syntax issue. My search filter in guacamole.properties is as follows:

ldap-user-search-filter; "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving Employees,dc=superiorpaving, dc=net))"

Can anyone assist me with this filter?

I also have tried to restrict the ldap-user-base-dn to the specific group I want to give access to, but am running into the same issue.

Erik Berndt / Systems Administrator
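The two mistakes the thread turns on are a stray double quote inside a filter value and a semicolon where the .properties separator should be a colon. The block below is an added example, not code from Guacamole or from either poster: it carries the thread's filter strings (decoded from quoted-printable) through a minimal RFC 4515 filter parser, a linter that flags a quote inside a value (a quote is a legal value octet, so the server would happily search for a DN that contains one), an escaping helper for building a memberOf filter from a DN with spaces, and a key/value splitter that follows the java.util.Properties rule so the effect of the `;` is visible. The parser tolerates the blank in `( sAMAccountName`, which the grammar itself does not contain; nothing here contacts a directory server.

```python
"""RFC 4515 filter parse/lint/escape plus a java.util.Properties-style
line splitter. Added example for the thread above, not Guacamole code.
The two filter strings are the ones quoted in the thread."""
import re

# RFC 4515 section 3: the only characters that must be escaped inside an
# assertion value. Spaces, commas and '=' (as in a DN) are ordinary octets.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# attribute description then filter type; the grammar has no whitespace here,
# but we tolerate the blank the thread's filter has in "( sAMAccountName".
_ITEM = re.compile(r"^\s*([A-Za-z][A-Za-z0-9.;-]*)\s*(~=|>=|<=|=)(.*)$", re.S)

THREAD_FILTER_STRAY_QUOTE = (
    '(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,'
    'ou=groups,ou=" Superior Paving Employees,dc=superiorpaving, dc=net))'
)
THREAD_FILTER_FIXED = THREAD_FILTER_STRAY_QUOTE.replace('"', "")


def escape_filter_value(value: str) -> str:
    """Escape untrusted text before interpolating it into a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn: str) -> str:
    """Build a membership filter from a group DN; the spaces stay unquoted."""
    return "(&(sAMAccountName=*)(memberOf=%s))" % escape_filter_value(group_dn)


def parse_filter(text: str):
    """Parse into ('&'|'|', [children]), ('!', child) or (attr, op, value)."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters at offset %d" % pos)
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos:pos + 1]
    if op in ("&", "|"):
        pos, items = pos + 1, []
        while pos < len(text) and text[pos] == "(":
            pos, child = _parse(text, pos)
            items.append(child)
        return _close(text, pos), (op, items)
    if op == "!":
        pos, child = _parse(text, pos + 1)
        return _close(text, pos), ("!", child)
    end = text.find(")", pos)  # a ')' inside a value must be escaped as \29
    if end < 0:
        raise ValueError("unterminated item at offset %d" % pos)
    m = _ITEM.match(text[pos:end])
    if not m:
        raise ValueError("bad filter item %r" % text[pos:end])
    return end + 1, (m.group(1), m.group(2), m.group(3))


def _close(text, pos):
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return pos + 1


def lint_filter(text: str) -> list:
    """Warn about values that parse but cannot be meant, such as a DN
    containing a double quote copied from shell or properties quoting."""
    warnings = []

    def walk(node):
        if node[0] in ("&", "|"):
            for child in node[1]:
                walk(child)
        elif node[0] == "!":
            walk(node[1])
        elif '"' in node[2]:
            warnings.append("value of %s contains a double quote" % node[0])

    walk(parse_filter(text))
    return warnings


def properties_key_value(line: str):
    """Split a line as java.util.Properties does: the key ends at the first
    unescaped '=', ':' or blank, then blanks and at most one '=' or ':' are
    skipped. A ';' is just another key character, so the key never matches."""
    i = 0
    while i < len(line) and line[i] not in "=: \t":
        i += 2 if line[i] == "\\" else 1
    key = line[:i]
    while i < len(line) and line[i] in " \t":
        i += 1
    if i < len(line) and line[i] in "=:":
        i += 1
        while i < len(line) and line[i] in " \t":
            i += 1
    return key, line[i:]
```

Running `lint_filter` over `THREAD_FILTER_STRAY_QUOTE` reports the quote in the memberOf value, while the fixed string lints clean and parses to the three components Nick's reply spells out; `properties_key_value` shows that the semicolon line yields the key `ldap-user-search-filter;`, which is why the property never takes effect regardless of the filter itself.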