guacamole-user mailing list archives

From Nick Couchman <>
Subject Re: Path forward to get Guacamole working with AD LDAP?
Date Fri, 09 Aug 2019 23:22:47 GMT
On Fri, Aug 9, 2019 at 6:56 PM surfrock66 <> wrote:

> Sorry for constant messages, but we have a working test case...when we
> target an OU outside the root.  Referencing the above OU layout:

No worries at all - that's part of the process :-).

> #LDAP/AD Properties
> ldap-hostname:         
> ldap-port:                           389
> ldap-user-base-dn:              OU=Office2,DC=AD,DC=DOMAIN,DC=org
> ldap-search-bind-dn:           CN=svcLDAPLookup,OU=Service Accounts,DC=AD,DC=DOMAIN,DC=org
> ldap-search-bind-password:  ********
> ldap-follow-referrals:            true
> ldap-username-attribute:      SAMAccountName

What happens when you put the user base DN to the root, but set
"ldap-follow-referrals" to "false"?

> The user being tested is in an OU below the referenced base DN, so
> traversing works, since anonymous binding is disabled the search user is
> working, but if we change the base DN to hit the root of the domain and not
> an OU, we get a null referral error.
> I see nothing in my research about what in my AD might be causing a null
> referral and instead see it as an issue in general with targeting root
> domains, but this seems pretty DOA for our org.

This is a peculiarity of Active Directory - the "Global Catalog"
work-around (port 3268) is a well-known work-around for accessing AD
information via LDAP, and not just with Guacamole.  But disabling referral
following should take care of the issue.
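
A pre-deployment check for the combination discussed in this thread, as an added example that is not part of the original message or of the Guacamole project: it flags a guacamole.properties whose user base DN is the domain root while referral following is enabled on a non-Global-Catalog port. The function names, the sample hostname and the defaults used for absent keys are assumptions.

```python
import re

GC_PORTS = {"3268", "3269"}  # AD Global Catalog ports (plain / TLS)

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def is_domain_root(dn):
    """True when every RDN is DC=..., i.e. the DN names the domain itself."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn) if r.strip()]
    return bool(rdns) and all(r.upper().startswith("DC=") for r in rdns)

def check_referral_risk(text):
    """Return findings for a domain-root base DN combined with referral following."""
    p = parse_properties(text)
    base = p.get("ldap-user-base-dn", "")
    # Assumed defaults when a key is absent: referrals not followed, port 389.
    follow = p.get("ldap-follow-referrals", "false").lower() == "true"
    port = p.get("ldap-port", "389")
    if is_domain_root(base) and follow and port not in GC_PORTS:
        return [f"{base}: root-of-domain search on port {port} with "
                "ldap-follow-referrals true; set it to false or use port 3268"]
    return []

# Constructed samples modelled on the properties quoted in the thread.
COMMON = "ldap-hostname: dc.example.invalid\nldap-username-attribute: SAMAccountName\n"
OU_BASE = COMMON + ("ldap-port: 389\nldap-follow-referrals: true\n"
                    "ldap-user-base-dn: OU=Office2,DC=AD,DC=DOMAIN,DC=org\n")
ROOT_FOLLOW = COMMON + ("ldap-port: 389\nldap-follow-referrals: true\n"
                        "ldap-user-base-dn: DC=AD,DC=DOMAIN,DC=org\n")
ROOT_NO_FOLLOW = ROOT_FOLLOW.replace("referrals: true", "referrals: false")
ROOT_GC = ROOT_FOLLOW.replace("ldap-port: 389", "ldap-port: 3268")

if __name__ == "__main__":
    for name, cfg in [("OU base", OU_BASE), ("root + follow", ROOT_FOLLOW),
                      ("root, no follow", ROOT_NO_FOLLOW), ("root via GC", ROOT_GC)]:
        print(name, "->", check_referral_risk(cfg) or "ok")
```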

