guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: LDAP search vs. bind - what does guacamole use when?
Date Wed, 01 May 2019 18:40:10 GMT
On Wed, May 1, 2019 at 11:38 AM nicoschottelius <nico.schottelius@ungleich.ch> wrote:

> Hello,
>
> I've tried several combinations of ldap-search-bind-dn,
> ldap-user-search-filter, ldap-max-search-results - all with one result:
>
> - "User successfully authenticated" in the logs
> - "Unable to query list of objects from LDAP directory" message on the login
> screen
>
> What I would expect guacamole to do:
>
> - bind as the user to find out whether it can login
> - use the search-bind-dn to look for other objects
>

No.  And there's a good reason for this - see below.


>
> What I *assume* guacamole is actually doing:
>
> - search the DN of the user using the search-bind-dn
> - searching other objects using the USER dn
>

It depends a little bit on how you have things configured.  If you do not
enter a ldap-search-bind-dn and password, the extension attempts to
generate the bind DN using the ldap-username-attribute (uid by default),
the username entered, and the ldap-user-base-dn.  So, if you leave the
attribute as uid, set ldap-user-base-dn to "dc=example,dc=com", and log in
with "testuser", the bind DN that the extension will use would be:
uid=testuser,dc=example,dc=com.

If you enter the ldap-search-bind-dn and password values, the extension
will bind with those credentials, search the LDAP tree for the user that is
logging in, using the username attribute (uid by default), and then will
attempt to re-bind with the DN that was located and the password provided
by the user at login time.

All of the other searches within the LDAP tree - for connections (assuming
ldap-config-base-dn is set) and user groups (assuming ldap-group-base-dn is
set) are done using the bind DN and password of *the user that logged in*
(NOT the ldap-search-bind-dn).  The *only* thing the ldap-search-bind-dn
value and password are used for is to locate the user logging in.  The
reason it behaves this way, and not the way you expect, is that the LDAP
extension relies explicitly on LDAP access control for the user who is
logging in to govern what other users, groups, and connections
(configurations) the user can see within Guacamole.  This is by design.

This behavior is described in the LDAP section of the manual:
http://guacamole.apache.org/doc/gug/ldap-auth.html

-Nick
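The two bind flows Nick describes, modelled as an added example (this is not Guacamole's code, and the in-memory "directory", the `guac-search` service account, the `guacConfigGroups` OU and the per-entry reader lists are all constructed for illustration). With no `ldap-search-bind-dn`, the bind DN is assembled from the username attribute, the entered username and `ldap-user-base-dn`; with one configured, the service DN is used only to find the user, after which the extension re-binds as the user. In both cases the connection search runs as the logged-in user, so what that user may read in the directory decides what appears in Guacamole.

```python
"""Model of the two LDAP bind flows described in the reply above.
Constructed example, not Guacamole's implementation: a dict of entries
stands in for the LDAP server, and each entry lists the bind DNs that may
read it, so the effect of 'later searches run as the user' is visible."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed inside a DN (assumed helper).
    Keeps a username such as 'a,dc=evil' from becoming extra RDNs."""
    specials = set(',+"\\<>;=')
    out = []
    for i, ch in enumerate(value):
        lead = i == 0 and ch in ('#', ' ')
        trail = i == len(value) - 1 and ch == ' '
        out.append('\\' + ch if ch in specials or lead or trail else ch)
    return ''.join(out)


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, str]
    password: Optional[str] = None
    readers: Set[str] = field(default_factory=set)  # bind DNs allowed to read; '*' = any


class Directory:
    """Tiny stand-in for an LDAP server with per-entry read ACLs (constructed)."""

    def __init__(self, entries: List[Entry]):
        self.entries = {e.dn.lower(): e for e in entries}

    def bind(self, dn: str, password: str) -> bool:
        e = self.entries.get(dn.lower())
        return e is not None and e.password is not None and e.password == password

    def search(self, bound_dn: str, base_dn: str,
               attr: Optional[str] = None, value: Optional[str] = None) -> List[Entry]:
        """Entries under base_dn that bound_dn may read, optionally matching attr=value."""
        hits = []
        for e in self.entries.values():
            if not e.dn.lower().endswith(base_dn.lower()):
                continue
            if '*' not in e.readers and bound_dn.lower() not in {r.lower() for r in e.readers}:
                continue
            if attr is not None and e.attrs.get(attr) != value:
                continue
            hits.append(e)
        return hits


@dataclass
class LdapConfig:
    user_base_dn: str
    username_attribute: str = "uid"
    search_bind_dn: Optional[str] = None
    search_bind_password: Optional[str] = None
    config_base_dn: Optional[str] = None


def authenticate(directory: Directory, cfg: LdapConfig,
                 username: str, password: str) -> Tuple[str, List[str]]:
    """Return (user DN, connection names visible to that user) or raise PermissionError."""
    if cfg.search_bind_dn is None:
        # No search DN: derive the bind DN from attribute + entered username + base DN.
        user_dn = f"{cfg.username_attribute}={escape_dn_value(username)},{cfg.user_base_dn}"
    else:
        # Search DN configured: bind as it, locate the user, then re-bind as the user.
        if not directory.bind(cfg.search_bind_dn, cfg.search_bind_password or ""):
            raise PermissionError("search bind failed")
        found = directory.search(cfg.search_bind_dn, cfg.user_base_dn,
                                 cfg.username_attribute, username)
        if len(found) != 1:
            raise PermissionError("user not found (or ambiguous)")
        user_dn = found[0].dn
    if not directory.bind(user_dn, password):
        raise PermissionError("invalid credentials")
    # From here on everything runs as the user, never as the search DN, so the
    # directory's ACLs on the user decide which connections are returned.
    connections: List[str] = []
    if cfg.config_base_dn:
        connections = sorted(e.attrs["cn"] for e in directory.search(user_dn, cfg.config_base_dn))
    return user_dn, connections


USER_DN = "uid=testuser,dc=example,dc=com"
SVC_DN = "cn=guac-search,ou=system,dc=example,dc=com"
CONFIG_BASE = "ou=guacConfigGroups,dc=example,dc=com"

# Constructed directory: the service account may read rdp-host2, the user may not.
DIRECTORY = Directory([
    Entry(USER_DN, {"uid": "testuser"}, password="s3cret", readers={"*"}),
    Entry(SVC_DN, {"cn": "guac-search"}, password="svc-pass"),
    Entry(f"cn=rdp-host1,{CONFIG_BASE}", {"cn": "rdp-host1"}, readers={USER_DN}),
    Entry(f"cn=rdp-host2,{CONFIG_BASE}", {"cn": "rdp-host2"}, readers={SVC_DN}),
])
DIRECT_CFG = LdapConfig(user_base_dn="dc=example,dc=com", config_base_dn=CONFIG_BASE)
SEARCH_CFG = LdapConfig(user_base_dn="dc=example,dc=com", config_base_dn=CONFIG_BASE,
                        search_bind_dn=SVC_DN, search_bind_password="svc-pass")

if __name__ == "__main__":
    print(authenticate(DIRECTORY, DIRECT_CFG, "testuser", "s3cret"))
    print(authenticate(DIRECTORY, SEARCH_CFG, "testuser", "s3cret"))
```

Both configurations yield the same result for `testuser`: `rdp-host1` is listed and `rdp-host2` is not, even though the search account could read it, because the connection search is bound as the user. That is the point of the design Nick describes: grant the user's own DN read access to the connection and group entries you want it to see, rather than widening the search account's rights.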
