guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: Path forward to get Guacamole working with AD LDAP?
Date Fri, 09 Aug 2019 23:22:47 GMT
On Fri, Aug 9, 2019 at 6:56 PM surfrock66 <surfrock66@surfrock66.com> wrote:

> Sorry for constant messages, but we have a working test case...when we target
> an OU outside the root.  Referencing the above OU layout:
>

No worries at all - that's part of the process :-).


>
> #LDAP/AD Properties
> ldap-hostname:                   10.1.10.3
> ldap-port:                           389
> ldap-user-base-dn:              OU=Office2,DC=AD,DC=DOMAIN,DC=org
> ldap-search-bind-dn:           CN=svcLDAPLookup,OU=Service Accounts,DC=AD,DC=DOMAIN,DC=org
> ldap-search-bind-password:  ********
> ldap-follow-referrals:            true
> ldap-username-attribute:      SAMAccountName
>

What happens when you put the user base DN to the root, but set
"ldap-follow-referrals" to "false"?


>
> The user being tested is in an OU below the referenced base DN, so
> traversing works; since anonymous binding is disabled, the search user is
> working. But if we change the base DN to hit the root of the domain and not
> an OU, we get a null referral error.
>
> I see nothing in my research about what in my AD might be causing a null
> referral and instead see it as an issue in general with targeting root
> domains, but this seems pretty DOA for our org.
>

This is a peculiarity of Active Directory - the "Global Catalog"
work-around (port 3268) is a well-known work-around for accessing AD
information via LDAP, and not just with Guacamole.  But disabling referral
following should take care of the issue.

-Nick
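
A small lint for the combination discussed in this message, added here as an example (not code from Guacamole or from the thread): it flags a `guacamole.properties` whose user base DN is a domain root while referral following is enabled on a non-Global-Catalog port. The function names, the sample file, port 3269 as the TLS Global Catalog port, and treating an unset `ldap-follow-referrals` as false are assumptions.

```python
import re

# Constructed sample: the thread's settings with the base DN moved to the domain root.
SAMPLE = """\
#LDAP/AD Properties
ldap-hostname:            10.1.10.3
ldap-port:                389
ldap-user-base-dn:        DC=AD,DC=DOMAIN,DC=org
ldap-follow-referrals:    true
ldap-username-attribute:  SAMAccountName
"""

GC_PORTS = {3268, 3269}  # Global Catalog: plain (named in the thread) and TLS (assumption)

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def is_domain_root(dn):
    """True when every RDN is a DC component, i.e. the DN names a domain root."""
    # Split on commas that are not backslash-escaped inside an RDN value.
    rdns = [p for p in re.split(r"(?<!\\),", dn) if p.strip()]
    return bool(rdns) and all(p.split("=", 1)[0].strip().upper() == "DC" for p in rdns)

def referral_findings(props):
    """Return warnings for the root-base-DN plus referral-following combination."""
    base = props.get("ldap-user-base-dn", "")
    # Assumption: an unset ldap-follow-referrals is treated as false.
    follow = props.get("ldap-follow-referrals", "false").lower() == "true"
    port = int(props.get("ldap-port", "389"))
    if is_domain_root(base) and follow and port not in GC_PORTS:
        return [f"base DN {base!r} is a domain root with referrals followed on port "
                f"{port}: set ldap-follow-referrals to false or query port 3268"]
    return []

if __name__ == "__main__":
    for finding in referral_findings(parse_properties(SAMPLE)):
        print("WARN:", finding)
```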
