[ 
https://issues.apache.org/jira/browse/GUACAMOLE-243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15931242#comment-15931242
 ] 

Nick Couchman commented on GUACAMOLE-243:
-----------------------------------------

Adam, I believe your logic here was sound for 1/2 the picture - if you don't 
want to follow LDAP referrals (the default behavior of the Novell LDAP 
library), and the LDAP server sends you one, you should ignore it (rather than 
trying to follow it) and continue with the next result.  I took this and ran 
with it, adding the following things to it:
- New parameters which enable referral following in the LDAP connection.
- If referral following is enabled, and we get an LDAPReferralException, then 
we throw a GuacamoleServerException, rather than just ignoring it.
- Your code, which, if referral following is enabled, logs the error but 
continues processing results.
- Added the same logic to the ConnectionService class, since it also deals with 
LDAP results and could encounter referral following exceptions, as well.

With the current code I can authenticate against the rather large AD system in 
my organization with referral following either enabled or disabled.

Mike, I'm not sure what the "proper" way to go about this is - I'm going to 
open a new pull request from my copy of the repo with the combination of Adam's 
code and mine.  If there's a different way I should handle this, let me know.

> LDAP auth fails when search results include an LDAP referral
> ------------------------------------------------------------
>
>                 Key: GUACAMOLE-243
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-243
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-ldap
>            Reporter: Adam Thorn
>
> The ldap search in 
> extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
>  to find the DN of the user who is logging in (i.e. inside getUserDNs() ) 
> fails if the LDAPSearchResults include an LDAP referral, because 
> LDAPSearchResults.next() throws an LDAPReferralException:
> https://www.novell.com/documentation/developer/jldap/jldapenu/api/com/novell/ldap/LDAPSearchResults.html#next()
> This particularly affects Active Directory, where typically the LDAP 
> implementation has separate partitions for DNS zones and Configuration (see 
> e.g. 
> http://stackoverflow.com/questions/32989159/ldapsearch-entire-active-directory-without-refldap-returns
>  for an example of the three LDAP referrals that AD returns). Empirically, 
> against my AD, even when an ldap search for (sAMAccountName=$USERNAME) 
> correctly returns the dn for the searched-for $USERNAME , I still also get 
> the three ldap referrals mentioned in that stackoverflow post. Thus, even 
> though the first result in the LDAPSearchResults has the correct dn for the 
> user logging in, results.next() then throws an exception when it encounters 
> the referral and the login fails.
> This only happens when ldap-user-base-dn is set to the base dn of my AD (i.e. 
> with dc=example,dc=com I get referrals, but with ou=Users,dc=example,dc=com 
> as the search base I do not). The structure of my AD requires me to set the 
> base dn as the search base, though.
> N.B. A possible workaround is to explicitly query the Global Catalog (by 
> setting ldap-port: 3268). However, that performs a forest-wide search rather 
> than just a domain-wide search, which might not be desired.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
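The loop Adam and Nick describe, written out as an added illustration against the Novell JLDAP API; this is not Guacamole's UserService code. A referral surfaces as an LDAPReferralException thrown from LDAPSearchResults.next(), so the catch has to sit inside the iteration, not around it, or the first referral aborts the lookup even though the user's DN was already returned. The class name, the ReferralFailureException type, the escapeFilterValue helper, the followReferrals flag (Nick's new parameters are not named in the thread, so this is a placeholder for them) and the host, base DN and user name are all assumptions of this example.

```java
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPEntry;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPReferralException;
import com.novell.ldap.LDAPSearchConstraints;
import com.novell.ldap.LDAPSearchResults;

import java.util.ArrayList;
import java.util.List;

/** Example only: drain an LDAPSearchResults without letting a referral abort the user lookup. */
public class ReferralTolerantSearch {

    /** Hypothetical exception type standing in for the server-side error Nick describes. */
    public static class ReferralFailureException extends Exception {
        public ReferralFailureException(String msg, Throwable cause) { super(msg, cause); }
    }

    /**
     * Collects the DN of every real entry in the result set.
     *
     * followReferrals == false: the library does not chase referrals, so AD's
     *   DomainDnsZones/ForestDnsZones/Configuration referrals are expected noise
     *   on a base-DN search. Log them and continue with the next result.
     * followReferrals == true: the library should have resolved the referral for
     *   us, so an exception here is a genuine failure and must not be hidden.
     */
    public static List<String> collectDNs(LDAPSearchResults results, boolean followReferrals)
            throws LDAPException, ReferralFailureException {
        List<String> dns = new ArrayList<>();
        while (results.hasMore()) {
            try {
                LDAPEntry entry = results.next();   // throws LDAPReferralException on a referral
                dns.add(entry.getDN());
            }
            catch (LDAPReferralException e) {
                if (followReferrals) {
                    throw new ReferralFailureException(
                        "Referral following is enabled but a referral could not be followed", e);
                }
                System.err.println("Ignoring LDAP referral in search results: "
                        + String.join(", ", e.getReferrals()));
            }
        }
        return dns;
    }

    /** RFC 4515 escaping so the login name cannot alter the filter structure. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholders; replace with a real directory before running.
        String host = "ldap.example.com";
        int port = LDAPConnection.DEFAULT_PORT;   // 3268 would query the Global Catalog instead
        String baseDn = "dc=example,dc=com";      // the base-DN search that triggers the referrals
        String username = "alice";
        boolean followReferrals = false;          // hypothetical setting, not a Guacamole parameter

        LDAPConnection conn = new LDAPConnection();
        conn.connect(host, port);
        // A real deployment binds with a dedicated search account here.

        LDAPSearchConstraints constraints = conn.getSearchConstraints();
        constraints.setReferralFollowing(followReferrals);   // JLDAP default is false
        conn.setConstraints(constraints);

        String filter = "(sAMAccountName=" + escapeFilterValue(username) + ")";
        LDAPSearchResults results = conn.search(baseDn, LDAPConnection.SCOPE_SUB, filter,
                new String[] { LDAPConnection.NO_ATTRS }, false);
        try {
            for (String dn : collectDNs(results, followReferrals)) {
                System.out.println("Matched DN: " + dn);
            }
        }
        finally {
            conn.disconnect();
        }
    }
}
```

With followReferrals left at its default of false, a search that returns the user's entry followed by AD's three partition referrals now yields exactly one DN and three log lines instead of a failed login; setting it to true makes JLDAP chase the referrals itself, and anything that still escapes as an LDAPReferralException is reported rather than swallowed.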