[ 
https://issues.apache.org/jira/browse/GUACAMOLE-804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17065156#comment-17065156
 ] 

Peter Kubica commented on GUACAMOLE-804:
----------------------------------------

I dug in and found the problem.
There are a few LDAP searches of users and groups that use the current user's credentials 
and not the credentials of the user specified in _ldap-search-bind-dn_. This means 
every user used in guacamole needs to have permissions to search users and 
search and read groups.

Please consider using the user specified in _ldap-search-bind-dn_ for these 
searches.
It is good practice to use a common user account only to verify credentials and 
a system account for everything else.
This would also allow a non-LDAP admin user to see LDAP users and groups.

> LDAP authentication not working correctly
> -----------------------------------------
>
>                 Key: GUACAMOLE-804
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-804
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-ldap
>            Reporter: Peter Kubica
>            Priority: Minor
>
> LDAP authentication with database backend (as proposed 
> [here|https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database]) 
> can't correctly handle the situation when _ldap-search-bind-dn_ is not contained 
> in _ldap-user-base-dn_.
>  E.g.:
>  {{ldap-user-base-dn: ou=common,ou=users,dc=example,dc=com}}
>  {{ldap-search-bind-dn: uid=guacamole,ou=system,ou=users,dc=example,dc=com}}
> In this situation the _guacamole_ user will not show LDAP users in Settings/Users, 
> and common user authentication will result in successful authentication 
> followed by an _Unable to query list of objects from LDAP directory_ error.
> Even with:
>  {{ldap-user-base-dn: ou=users,dc=example,dc=com}}
> things are not working correctly for users from 
> _ou=common,ou=users,dc=example,dc=com_.
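To make the two search strategies concrete, here is an added model of the flow the comment and the issue describe; it is not Guacamole's own code. It assumes a constructed in-memory directory holding one end user (`uid=alice`, constructed) plus the search-bind account and base DN from the report, with only the service account granted search rights on the user tree.

```python
from dataclasses import dataclass


def dn_within(dn: str, base: str) -> bool:
    """True when `dn` sits under `base` (RDNs compared case-insensitively)."""
    d = [r.strip().lower() for r in dn.split(",")]
    b = [r.strip().lower() for r in base.split(",")]
    return len(d) > len(b) and d[-len(b):] == b


@dataclass
class Directory:
    """Constructed stand-in for an LDAP server with a minimal search ACL."""
    passwords: dict   # entry DN -> password, used for simple binds
    searchers: set    # DNs granted read/search on the user tree

    def bind(self, dn: str, password: str) -> bool:
        return self.passwords.get(dn) == password

    def search(self, as_dn: str, base: str):
        """Entries under `base`, or None when `as_dn` lacks search rights."""
        if as_dn not in self.searchers:
            return None
        return [dn for dn in self.passwords if dn_within(dn, base)]


# Settings taken from the issue description; passwords and alice are constructed.
USER_BASE_DN = "ou=common,ou=users,dc=example,dc=com"
SEARCH_BIND_DN = "uid=guacamole,ou=system,ou=users,dc=example,dc=com"
SEARCH_BIND_PW = "service-password"
ALICE = "uid=alice,ou=common,ou=users,dc=example,dc=com"

DIRECTORY = Directory(
    passwords={ALICE: "alice-password", SEARCH_BIND_DN: SEARCH_BIND_PW},
    searchers={SEARCH_BIND_DN},  # only the service account may enumerate users
)


def login_search_as_user(d: Directory, dn: str, pw: str) -> str:
    """Flow the comment describes: the end user's own bind is reused for searches."""
    if not d.bind(dn, pw):
        return "bad-credentials"
    entries = d.search(as_dn=dn, base=USER_BASE_DN)
    # Authentication succeeded, but the user list cannot be read with this bind.
    return "ok" if entries is not None else "unable-to-query-directory"


def login_search_as_system(d: Directory, dn: str, pw: str) -> str:
    """Suggested flow: the user bind only checks the password; searches use the service account."""
    if not d.bind(dn, pw):
        return "bad-credentials"
    if not d.bind(SEARCH_BIND_DN, SEARCH_BIND_PW):
        return "service-bind-failed"
    entries = d.search(as_dn=SEARCH_BIND_DN, base=USER_BASE_DN)
    return "ok" if entries is not None else "unable-to-query-directory"
```

With these settings `dn_within(SEARCH_BIND_DN, USER_BASE_DN)` is False, which is the configuration the report says fails, and only the second flow lets alice log in and still see the user list.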



--
This message was sent by Atlassian Jira
(v8.3.4#803005)