guacamole-user mailing list archives

From surfrock66 <>
Subject Re: Path forward to get Guacamole working with AD LDAP?
Date Fri, 09 Aug 2019 21:02:11 GMT
I fear the ldap module may be incompatible with our AD structure.  I
reference the following:

When the ldap-user-base-dn is the root of the domain, or the bind user is in
a different OU than the ldap-user-base-dn, the ldap plugin seems to have
issues.  Our domain is structured like this:

|    |--OU=Users
|    |--OU=Users
|         |--CN=username
|    |--OU=Users

This cannot be changed, but means the bind dn must be the root of our
domain.  I have the native install working, and the
file is the following:

#LDAP/AD Properties
ldap-port:                            389
ldap-user-base-dn:               DC=AD,DC=DOMAIN,DC=org
ldap-search-bind-password:  ********
ldap-username-attribute:      cn
ldap-follow-referrals:            true

This results in the following errors, which are DIFFERENT than the
"referrals disabled" error from above:

ERROR o.a.g.auth.ldap.ObjectQueryService - Could not follow referral: null
ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP
server: Unable to query list of objects from LDAP directory.
WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from for user "username" failed.

Somehow a null referral is being sent, and thus the plugin cannot follow it.
The only reference to this I can find is this ticket seeking to DISABLE
referral following:

I am starting to believe our configuration is incompatible with the ldap
plugin, unless I'm missing something.

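Added example, not part of the original message and not Guacamole project code: a small checker that parses the properties fragment as it appears in the archive above and flags the settings this thread turns on (a base DN at the domain root, referral following, and a search bind with no encryption configured on port 389). The function names and finding codes are chosen here for illustration; the property names are Guacamole's documented LDAP settings.

```python
import re

# Constructed input: the properties fragment as it appears in the archived message.
POSTED = """\
#LDAP/AD Properties
ldap-port:                            389
ldap-user-base-dn:               DC=AD,DC=DOMAIN,DC=org
ldap-search-bind-password:  ********
ldap-username-attribute:      cn
ldap-follow-referrals:            true
"""

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def is_domain_root(dn):
    """True when every RDN is a DC= component (naive split, no escaped commas)."""
    rdns = [r.strip().lower() for r in dn.split(",") if r.strip()]
    return bool(rdns) and all(r.startswith("dc=") for r in rdns)

def audit(props):
    """Return (code, explanation) findings for a Guacamole LDAP configuration."""
    out = []
    has_pw = "ldap-search-bind-password" in props
    follow = props.get("ldap-follow-referrals", "false").lower() == "true"
    if has_pw and "ldap-search-bind-dn" not in props:
        out.append(("bind-dn-missing", "search bind password set without ldap-search-bind-dn"))
    # ldap-encryption-method defaults to "none", so its absence means a plaintext bind.
    if has_pw and props.get("ldap-encryption-method", "none").lower() == "none":
        out.append(("cleartext-bind", "bind password crosses the network unencrypted"))
    if is_domain_root(props.get("ldap-user-base-dn", "")):
        out.append(("base-dn-is-domain-root", "AD answers root subtree searches with referrals"))
        if follow:
            out.append(("referrals-followed-from-root", "client connects to server-named hosts"))
    return out

if __name__ == "__main__":
    for code, why in audit(parse_properties(POSTED)):
        print(f"{code}: {why}")
```

The bind-dn-missing finding reflects only what survives in the archived fragment, which has no hostname or search bind DN line.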