guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <>
Subject Re: Dumb LDAP Properties Question
Date Fri, 11 Jan 2019 21:25:44 GMT
On Fri, Jan 11, 2019 at 12:59 PM Zer0Cool <> wrote:

> Guac: 1.0.0 with MySQL db + LDAP extension
> OS: CentOS/RHEL 7.x (7.6 currently)
> I am specifically talking about the following entries in
> ldap-hostname: myserver./mydomain/./com/
> ldap-user-base-dn: dc=/mydomain/,dc=/com/
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=/mydomain/,dc=/com/
> So in the above example, is there any logical, legitimate reason the parts
> in italics could be/should be different than the other entries in red (line
> to line)?
> Put another way, is there any reason to have the DC entries be different on
> those 3 lines or is it safe to assume that "mydomain" will be the same
> across all 3 lines?

First, there are two DC entries here, not three. The hostname of your LDAP
server is independent of the contents of your LDAP directory and is purely
a network concern. Whether it matches the DC attributes of objects in your
directory depends on how you set things up and is not guaranteed. It will
match if you have set things up such that it matches.

As for the user base DN and search bind DN, I don't believe these are
guaranteed to match. It definitely would be unusual if they didn't, but the
correct values are dictated by the contents of your LDAP directory. You
should look at the definitions of those properties, look at the contents of
your LDAP directory, and determine the values from your directory which
satisfy the requirements of those properties. The user base DN should be
the base DN of the part of your LDAP tree that contains the users relevant
to Guacamole. The search bind DN needs to have permission to query the
objects within the user base DN.

- Mike

View raw message