guacamole-user mailing list archives

From Mike Jumper <mjum...@apache.org>
Subject Re: ldap groups in 1.0.0 RC1
Date Sun, 06 Jan 2019 07:47:27 GMT
On Sat, Jan 5, 2019, 16:49 Philip Herbert <mail@pherbert.de> wrote:

> ...
>
> Because of the global catalogue port (3269), all users in the entire directory
> are returned and shown in Users, independent of the ou.
>

Are you saying your LDAP server ignores the base DN for queries?


> ...
>
> dap-username-attribute:sAMAccountName
>

Is this a correct copy of your guacamole.properties? The "ldap" in this
property name is missing the "l".

> ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
>

Is "user" a valid objectClass?

> simply adding:
>
> ldap-user-base-dn:dc=mydomain,dc=de
>
>
>
> causes a failure:
>
>
>
> 01:32:21.232 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> [192.168.121.212, 127.0.0.1] for user "service" failed.
>
> 01:32:25.523 [http-bio-8080-exec-1] INFO
> o.a.g.r.auth.AuthenticationService - User "philip" successfully
> authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
>
> 01:32:26.498 [http-bio-8080-exec-1] WARN
> o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider
> has encountered an internal error which will halt the authentication
> process. If this is unexpected or you are the developer of this
> authentication provider, you may wish to enable debug-level logging. If
> this is expected and you wish to ignore such failures in the future, please
> set "skip-if-unavailable: ldap" within your guacamole.properties.
>

There should be an earlier, more specific error. Anything else in your logs?


>
> When I set:
>
> ldap-user-base-dn:cn=Users,dc=mydomain,dc=de
>
>
>
> I can log in, but in the Administration Groups Tab
>
> I see all Users and Groups in the Users Container of the Directory and
> not only groups.
>

You will also need to set the "ldap-group-base-dn" property.

As long as your users and groups are beneath separate, distinct base DNs
(there are no users beneath the group DN and no groups beneath the user
DN), they will be properly distinguished from each other. If you keep your
groups in the same part of your LDAP directory as your users, Guacamole
will not be able to differentiate an LDAP group from an LDAP user when
attempting to list either within the admin interface.

- Mike
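As an added illustration of the separate base DNs Mike describes (example configuration written for this page, not taken from the thread or from the Guacamole project), here are two guacamole.properties fragments. The first mirrors the setup in the thread, where one base DN covers both users and groups; the second gives users and groups their own base DNs. Property names are those of the Guacamole 1.0.0 LDAP extension; the hostname, OU names, service-account DN and port are assumptions about the poster's environment.

```properties
# Added example, not the poster's file or Guacamole's own documentation.
# Hostname, port, OU names and the bind DN are placeholders (assumed).

# --- Setting as described in the thread: a single base DN for users and no
# group base DN. Active Directory keeps built-in groups (Domain Admins, ...)
# in cn=Users alongside user accounts, so a listing of that container
# returns both, and without ldap-group-base-dn Guacamole has no separate
# subtree from which to tell groups apart.
ldap-hostname: dc01.mydomain.de
ldap-port: 636
ldap-encryption-method: ssl
ldap-search-bind-dn: cn=service,cn=Users,dc=mydomain,dc=de
ldap-search-bind-password: change-me
ldap-username-attribute: sAMAccountName
ldap-user-base-dn: cn=Users,dc=mydomain,dc=de
ldap-user-search-filter: (&(objectClass=user)(!(objectCategory=computer)))

# --- Corrected setting: users and groups live under distinct subtrees, and
# each subtree is named explicitly. No group exists under the user base DN
# and no user under the group base DN, which is the condition Mike states.
# (The OU layout is assumed; on a stock AD domain it has to be created.)
ldap-hostname: dc01.mydomain.de
ldap-port: 636
ldap-encryption-method: ssl
ldap-search-bind-dn: cn=service,cn=Users,dc=mydomain,dc=de
ldap-search-bind-password: change-me
ldap-username-attribute: sAMAccountName
ldap-user-base-dn: ou=People,dc=mydomain,dc=de
ldap-user-search-filter: (&(objectClass=user)(!(objectCategory=computer)))
ldap-group-base-dn: ou=Groups,dc=mydomain,dc=de
ldap-group-name-attribute: cn
ldap-member-attribute: member
```

Two practical notes. Two filter components such as `(objectClass=user)` and `(!(objectCategory=computer))` only form a valid RFC 4515 filter when combined with an explicit operator, so the example wraps them in `(&...)`. And port 3269 is the global catalog over SSL: a search against it covers every domain in the forest (with a partial attribute set), whereas 636 queries the single domain the controller holds; in either case the server still honours the base DN you supply. Before changing guacamole.properties it is worth running the same base DN and filter through ldapsearch with the service account's credentials and confirming the result set contains only the objects you expect.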
