guacamole-user mailing list archives

From Mike Jumper <mike.jum...@guac-dev.org>
Subject Re: Configuring LDAP
Date Fri, 01 Dec 2017 17:30:50 GMT
On Mon, Nov 27, 2017 at 10:49 AM, <harry.devine@faa.gov> wrote:

> Here’s my current /etc/guacamole/guacamole.properties file:
>
> #MySQL properties
> mysql-hostname: localhost
> mysql-port:3306
> mysql-database: guacdb
> mysql-username: guacuser
> mysql-password: guacadmin
> mysql-default-max-connections-per-user: 0
> mysql-default-max-group-connections-per-user:0
>
> #LDAP properties
> ldap-hostname:my.hostname
> ldap-port:389
> ldap-encryption-method:none
> ldap-dereference-aliases:never
> ldap-search-bind-dn:cn=Directory Manager
> ldap-search-bind-password:pass123
> ldap-user-base-dn:dc=example,dc=com
> #ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
> ldap-username-attribute:cn
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
> When I use the ldap-username-attribute:cn setting, I get the error where
> the Multiple DNs are what’s being complained about.
>

If Guacamole is complaining about multiple DNs matching the user, then the
user base DN is likely not specific enough, and multiple distinct user
accounts are matching otherwise valid usernames. To translate a user's
username into their corresponding DN via LDAP search, there must be exactly
one DN which matches the username beneath the base DN. If there are
multiple such DNs, then Guacamole cannot safely choose one arbitrarily, and
it fails the authentication attempt.

The value for "ldap-search-bind-dn" here is odd, as "cn=Directory Manager"
is not a fully qualified DN. If your LDAP server accepts it anyway, then it
will work, but I am surprised to not see "dc=example,dc=com" within that DN.

> If I use the other one (the commented out one above), I simply get
> “Authentication attempted …… failed”.  We use the “cn=users,cn=accounts”
> string in other projects where we communicate with our LDAP server, so I’m
> pretty sure that’s correct.
>

The commented-out "ldap-username-attribute" value is definitely incorrect,
as it is not the name of an attribute; it is a fully-qualified DN. The
value of "ldap-username-attribute" needs to be the name of an attribute.

Taking a step back here ... can you describe how your LDAP directory is
organized? What attribute contains the username for each user? Where are
these users located within the LDAP tree? Is the username within the DN of
each user, and thus the DN of the user can be directly derived from the
username, or can the DN only be determined from the username through an
LDAP search?

- Mike

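The username-to-DN resolution Mike describes above, as an added example that is not Guacamole's own code: a constructed in-memory directory stands in for the LDAP server, the base DN, attribute name and entries are assumed sample values, and the lookup insists on exactly one match beneath the base DN, failing otherwise.

```python
# Added example (not Guacamole's own code): models the username -> DN
# resolution described above over a constructed in-memory directory.
# A real deployment runs an LDAP search; here the directory is a dict
# of DN -> attributes built inline so the logic can be run offline.

def is_attribute_name(value: str) -> bool:
    """ldap-username-attribute must be a bare attribute name such as
    'cn' or 'uid', never a DN like 'cn=users,cn=accounts,dc=example,dc=com'."""
    return bool(value) and "=" not in value and "," not in value

def dn_components(dn: str) -> list:
    return [part.strip().lower() for part in dn.split(",")]

def is_under_base(dn: str, base_dn: str) -> bool:
    """True when dn lies strictly beneath base_dn in the tree."""
    d, b = dn_components(dn), dn_components(base_dn)
    return len(d) > len(b) and d[-len(b):] == b

def find_user_dns(directory: dict, base_dn: str, username_attribute: str,
                  username: str) -> list:
    """All DNs beneath base_dn whose username_attribute holds username
    (cn/uid matching in LDAP is case-insensitive, so compare lower-cased)."""
    if not is_attribute_name(username_attribute):
        raise ValueError(f"ldap-username-attribute must be an attribute name, "
                         f"not a DN: {username_attribute!r}")
    return [dn for dn, attrs in directory.items()
            if is_under_base(dn, base_dn)
            and username.lower() in [v.lower() for v in attrs.get(username_attribute, [])]]

def resolve_user_dn(directory: dict, base_dn: str, username_attribute: str,
                    username: str) -> str:
    """Exactly one match is required; zero or several matches fail the
    authentication attempt rather than picking a DN arbitrarily."""
    matches = find_user_dns(directory, base_dn, username_attribute, username)
    if len(matches) != 1:
        raise LookupError(f"expected exactly one DN for {username!r} under "
                          f"{base_dn}, found {len(matches)}: {matches}")
    return matches[0]

# Constructed sample directory: 'alice' exists both as a person under
# cn=users,cn=accounts and as a service account elsewhere, so the broad base
# dc=example,dc=com matches two entries while the narrower base matches one.
DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {"cn": ["alice"], "uid": ["alice"]},
    "cn=alice,ou=services,dc=example,dc=com": {"cn": ["alice"]},
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {"cn": ["bob"], "uid": ["bob"]},
}
```

With `ldap-user-base-dn` set to the broad `dc=example,dc=com`, `find_user_dns` returns two DNs for `alice` and `resolve_user_dn` raises, which is the "multiple DNs" failure; narrowing the base to `cn=users,cn=accounts,dc=example,dc=com` yields the single expected DN.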