guacamole-user mailing list archives

From nicoschottelius <nico.schottel...@ungleich.ch>
Subject Re: LDAP search vs. bind - what does guacamole use when?
Date Wed, 01 May 2019 19:48:02 GMT
Hey Mike,

the problem is that users cannot login like this at the moment. They are
being shown the "Unable to query list of objects from ldap directory" message
on the website after I see a successful login in the guacamole logs.

From what I can see, how this LDAP tree works is pretty "standard", from what
I have seen so far:

The tree basically holds all user information, but users cannot browse it
themselves. Users are only entities that are being managed by system
accounts (i.e. read or writing to the tree).

The tree itself covers 60k+ users and, as far as I can see, it is a rather
"complex" environment.

But coming back to your statement before, about accessing objects: the way
we intend to run guacamole is to use LDAP only for authentication and
storing all information in a postgres database. So from my point of view,
the users don't need access to *any* object in the tree, after it is
verified that guacamole could bind to it.

What I however see *after* the successful login are 2 search requests:

User "nico" successfully authenticated from 10.X.X.X.
Searching "ou=V,ou=X,ou=Z,ou=Y,o=A,c=ch" for objects matching
"(&(ou=SOME-OU)(cn=nico))".
Searching "ou=V,ou=X,ou=Z,ou=Y,o=A,c=ch" for objects matching
"(&(ou=SOME-OU)(cn=*))".

And then the final error message on the web interface.

We are not using the LDAP schema nor trying to store objects in LDAP from
guacamole.

If I understood you correctly, this "should work", as there are no objects
that need to be accessed, or did I understand that wrong?

Best,

Nico

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
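To make the distinction the log above exposes concrete, here is an added example that is not from this thread and not Guacamole's code: a stdlib-only Python model of "bind as the user, then search as the user". Only the base DN and the two filters are taken from the log lines; every directory entry, password, the ou=system container, the guac-search account name and the access-control rule are constructed assumptions. It shows how a bind can succeed while both follow-up searches fail for the same identity, and how the identical searches succeed when they run under an account that is allowed to read the subtree.

```python
"""
Added example (not from the thread, not Guacamole code): a stdlib-only model of
the bind-then-search sequence shown in the guacamole log. It separates two rights
the error message blurs together: the right to bind (authenticate) and the right
to read/search the user subtree. Entries, passwords and the ACL are constructed;
only USER_BASE and the two filters come from the log lines.
"""
import re

# Taken from the log lines in the mail.
USER_BASE = "ou=V,ou=X,ou=Z,ou=Y,o=A,c=ch"
FILTER_ONE_USER = "(&(ou=SOME-OU)(cn=nico))"
FILTER_ALL_USERS = "(&(ou=SOME-OU)(cn=*))"

# Constructed directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY = {
    f"cn=nico,ou=SOME-OU,{USER_BASE}": {"cn": ["nico"], "ou": ["SOME-OU"], "userPassword": ["pw-nico"]},
    f"cn=mike,ou=SOME-OU,{USER_BASE}": {"cn": ["mike"], "ou": ["SOME-OU"], "userPassword": ["pw-mike"]},
    f"cn=alice,ou=OTHER-OU,{USER_BASE}": {"cn": ["alice"], "ou": ["OTHER-OU"], "userPassword": ["pw-alice"]},
    "cn=guac-search,ou=system,o=A,c=ch": {"cn": ["guac-search"], "userPassword": ["pw-system"]},
}

# Constructed ACL: only this system account may read the user subtree. Ordinary
# users can bind but cannot browse the tree, matching the setup Nico describes.
READ_ALLOWED_ON_USER_BASE = {"cn=guac-search,ou=system,o=A,c=ch"}

_SIMPLE = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def parse_filter(text):
    """Parse the RFC 4515 subset seen in the log: (attr=value), (attr=*), (&(..)(..)).
    Returns ('eq', attr, value), ('present', attr) or ('and', [subfilters])."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing input in filter: {rest!r}")
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    if s.startswith("(&"):
        parts, rest = [], s[2:]
        while rest.startswith("("):
            node, rest = _parse(rest)
            parts.append(node)
        if not rest.startswith(")"):
            raise ValueError("unterminated '&' filter")
        return ("and", parts), rest[1:]
    m = _SIMPLE.match(s)
    if not m:
        raise ValueError(f"cannot parse {s!r}")
    attr, value = m.group(1), m.group(2)
    node = ("present", attr) if value == "*" else ("eq", attr, value)
    return node, s[m.end():]


def matches(node, attrs):
    """Evaluate a parsed filter against one entry (attribute names/values case-insensitive)."""
    if node[0] == "and":
        return all(matches(sub, attrs) for sub in node[1])
    wanted = node[1].lower()
    values = [v.lower() for k, vs in attrs.items() if k.lower() == wanted for v in vs]
    if node[0] == "present":
        return bool(values)
    return node[2].lower() in values


def bind(dn, password):
    """Simple bind: succeeds when the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def search(bound_as, base, filter_text):
    """Subtree search under `base` with the rights of `bound_as`. Raises PermissionError
    when the identity may not read the subtree. Note: many real directories answer a
    denied read with zero entries rather than an error, which looks the same to the client."""
    if bound_as not in READ_ALLOWED_ON_USER_BASE:
        raise PermissionError(f"{bound_as} may bind but has no read access to {base}")
    node = parse_filter(filter_text)
    suffix = "," + base.lower()
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if dn.lower().endswith(suffix) and matches(node, attrs))


def guacamole_style_login(user_dn, password, search_as=None):
    """Reproduce the logged sequence: bind as the user, then run the two searches.
    By default the searches run as the user (what the log shows); `search_as` lets
    you compare that against a dedicated account that is allowed to read the tree."""
    steps = {"bind": bind(user_dn, password)}
    if not steps["bind"]:
        return steps
    identity = search_as or user_dn
    for name, filt in (("find_self", FILTER_ONE_USER), ("list_users", FILTER_ALL_USERS)):
        try:
            steps[name] = search(identity, USER_BASE, filt)
        except PermissionError as exc:
            steps[name] = f"denied: {exc}"
    return steps


if __name__ == "__main__":
    nico = f"cn=nico,ou=SOME-OU,{USER_BASE}"
    print(guacamole_style_login(nico, "pw-nico"))
    print(guacamole_style_login(nico, "pw-nico", search_as="cn=guac-search,ou=system,o=A,c=ch"))
```

Calling guacamole_style_login with the user's own credentials reproduces the log: the bind succeeds, and both searches are refused for the same identity. Passing a read-capable account as search_as makes the same two filters return the user's entry and the full SOME-OU listing. That is the check worth making against the real directory before touching anything else: with the user's own credentials, does a search under the user base return the user's own entry, or nothing?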
