[ https://issues.apache.org/jira/browse/GUACAMOLE-804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16853111#comment-16853111 ]
Michael Jumper commented on GUACAMOLE-804:
------------------------------------------
{quote}
I have found a bug and reported it with solid description.
You have closed it on a hunch and now you are referring me to some mailing list?
No, that is not how things should be done.
{quote}
Please remain respectful:
https://www.apache.org/foundation/policies/conduct.html
This isn't personal and you aren't being summarily redirected to "some mailing
list" because of a poor description. You are being redirected to _the_ mailing
list because it is where the community gathers to help each other. It is where
all discussion for the project occurs and is the most appropriate forum for
this, as it is the official forum for the project. It is the place where you
would stand the best chance of solving what you're encountering, and where the
community would most benefit from the surrounding discussion.
If it is determined to be a bug, the issue in JIRA will be reopened. JIRA is
simply not the place for this as JIRA lacks the same visibility and the issue
itself does not appear to be a bug.
{quote}
Well, you suspect, but I have tested it many times and it is a bug.
{quote}
The fact that you observe the same thing ("Unable to query list of objects")
given the same environmental conditions (your LDAP server and related Guacamole
configuration), only means the cause of the error you are seeing is
deterministic. It does not mean in itself that the error indicates a bug, nor
that the conclusion that the error must be due to the search DN not being part
of the user base DN is correct.
Overall:
* The design of the LDAP extension does not expect that the search DN will be
part of the base DN. The LDAP extension simply binds using the search DN during
the login process to determine the user's login DN.
* The search DN is not used in any way for the part of the application where
you see the error (Settings/Users). At this point, only the user's login DN is
used.
* Maintaining the search DN outside of the base DN is an expected configuration
and is explicitly tested. This happens to be the exact configuration of my own
development environment:
{code:none}
ldap-user-base-dn: ou=People,dc=dev-mjumper,dc=glyptodon,dc=org
ldap-username-attribute: cn
ldap-group-base-dn: ou=Groups,dc=dev-mjumper,dc=glyptodon,dc=org
ldap-group-name-attribute: cn
ldap-config-base-dn: ou=Connections,dc=dev-mjumper,dc=glyptodon,dc=org
ldap-search-bind-dn: uid=Guacamole,ou=Services,dc=dev-mjumper,dc=glyptodon,dc=org
ldap-search-bind-password: REDACTED
{code}
No one is disputing what you're _seeing_, but it is unlikely to be due to a
bug. You can likely solve what you're encountering on the mailing list.
> LDAP authentication not working correctly
> -----------------------------------------
>
> Key: GUACAMOLE-804
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-804
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-ldap
> Reporter: Peter Kubica
> Priority: Minor
>
> LDAP authentication with database backend (as proposed
> [here|https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database])
> can't correctly handle situation, when _ldap-search-bind-dn_ is not contained
> in _ldap-user-base-dn_.
> Eg.:
> {{ldap-user-base-dn: ou=common,ou=users,dc=example,dc=com}}
> {{ldap-search-bind-dn: uid=guacamole,ou=system,ou=users,dc=example,dc=com}}
> In this situation _guacamole_ user will not show LDAP users in Settings/Users
> and common user authentication will result in successful authentication
> followed by _Unable to query list of objects from LDAP directory_ error.
> Even with:
> {{ldap-user-base-dn: ou=users,dc=example,dc=com}}
> things are not working correctly for users from
> _ou=common,ou=users,dc=example,dc=com_.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)