guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Thorn <al...@cam.ac.uk>
Subject Re: Path forward to get Guacamole working with AD LDAP?
Date Fri, 09 Aug 2019 21:43:16 GMT
On 09/08/2019 22:02, surfrock66 wrote:

> When the ldap-user-base-dn is the root of the domain, or the bind user is in
> a different OU than the ldap-user-base-dn, the ldap plugin seems to have
> issues.  Our domain is structured like this:
> 
> DC=AD,DC=DOMAIN,DC=org
> |--OU=Office1
> |    |--OU=Users
> |--OU=Office2
> |    |--OU=Users
> |         |--CN=username
> |--OU=Office3
> |    |--OU=Users
> |--OU=ServiceAccounts
>       |--CN=svcLDAPLookup

That's broadly the same structure as my AD, in as much as

a) ldap-user-base-dn is the root of the domain
b) the ldap-search-bind-dn is not in the root

The only difference that leaps out to me is that my ldap-search-bind-dn 
is in the standard cn=users AD container (so a container rather than an 
OU) but that seems like an unlikely reason for your problem.

I am running an older version of guacamole, though, so it's entirely 
possible that the current release of the LDAP code differs from my 
installation.

> ldap-port:                            389

> This results in the following errors, which are DIFFERENT than the
> "referrals disabled" error from above:
> 
> ERROR o.a.g.auth.ldap.ObjectQueryService - Could not follow referral: null

The only possible lead I've come across there is if the server running 
guacamole uses different DNS servers to your AD, which might lead to the 
LDAP client (i.e. guacamole) being unable to resolve the referral it's 
issued with, e.g. 
https://confluence.atlassian.com/jirakb/user-lookups-fail-with-partialresultexceptions-due-to-active-directory-follow-referrals-configuration-235668642.html

but that feels tenuous.

A possible workaround, depending on the structure of your domain/forest, 
could be to specify ldap-port: 3268 to query the GC rather than the 
domain, which (due to the pecularities of AD) means that no referral is 
returned in the first place. But that means a) you're querying the 
forest and not the domain, which in some setups will be undesirable, and 
b) masking the underlying problem rather than fixing it.

Adam

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Mime
View raw message