Robert created GUACAMOLE-1216:
---------------------------------
Summary: LDAP SearchRequest default attribute not overwritten by
ldap-username-atribute parameter
Key: GUACAMOLE-1216
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1216
Project: Guacamole
Issue Type: Bug
Components: guacamole, guacamole-auth-ldap
Affects Versions: 1.2.0, 1.3.0
Environment: HW: Raspberry PI 3B
OS: Raspberry Pi OS Lite (buster 5.4.72-v7+) up to date
SW: Guacamole server, client, ldap extension 1.2.0 (tested also 1.3.0 from
github with same result), JVM 1.8.0_65-b17, Servlet Apache Tomcat/9.0.31
(Debian)
Reporter: Robert
When using LDAP authentication against Microsoft Active Directory, the default
attribute for username is "sAMAccountName", which needs to be set with the
ldap-username-attribute property in guacamole.properties. Even if it's
explicitly set, the LDAP search request still uses the "uid" attribute instead, which is
not set in Active Directory by default, and the search response ends with an empty
result. When "uid" is manually set in AD, the user is properly authenticated. Please
fix this weird behavior. Thank you.
{code:java}
#### /etc/guacamole/guacamole.properties
enable-environment-properties: true
guacd-hostname: localhost
guacd-port: 4822
guacd-ssl: true
# AD
ldap-hostname: winserv2019.rsdome.com
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: CN=Users,DC=rsdome,DC=com
ldap-username-atribute: sAMAccountName
ldap-search-bind-dn: CN=adtest,CN=Local,CN=Users,DC=rsdome,DC=com
ldap-search-bind-password: Test123
ldap-user-search-filter: (&(objectClass=user)(memberOf=CN=GuacamoleUsers,CN=Local,CN=Users,DC=rsdome,DC=com))
{code}
See end of the filter line in SearchRequest...
{code:java}
#### part of catalina.out
[2020-11-19 20:03:34] [info] 20:03:34.602 [http-nio-8001-exec-6] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04104_SENDING_REQUEST (MessageType : SEARCH_REQUEST
[2020-11-19 20:03:34] [info] Message ID : 2
[2020-11-19 20:03:34] [info] SearchRequest
[2020-11-19 20:03:34] [info] baseDn : 'CN=Users,DC=rsdome,DC=com'
[2020-11-19 20:03:34] [info] filter : '(&(&(objectClass=user)(memberOf=CN=GuacamoleUsers,CN=Local,CN=Users,DC=rsdome,DC=com))(|(uid=mspkt)))'
[2020-11-19 20:03:34] [info] scope : whole subtree
[2020-11-19 20:03:34] [info] typesOnly : false
[2020-11-19 20:03:34] [info] Size Limit : 1000
[2020-11-19 20:03:34] [info] Time Limit : 30
[2020-11-19 20:03:34] [info] Deref Aliases : never Deref Aliases
[2020-11-19 20:03:34] [info] attributes :
.
.
.
[2020-11-19 20:03:34] [info] 20:03:34.659 [NioProcessor-5] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04131_SEARCH_SUCCESSFUL (MessageType : SEARCH_RESULT_DONE
[2020-11-19 20:03:34] [info] Message ID : 2
[2020-11-19 20:03:34] [info] Search Result Done
[2020-11-19 20:03:34] [info] Ldap Result
[2020-11-19 20:03:34] [info] Result code : (SUCCESS) success
[2020-11-19 20:03:34] [info] Matched Dn : '' #<<< EMPTY RESULT
[2020-11-19 20:03:34] [info] Diagnostic message : ''
[2020-11-19 20:03:34] [info] )
.
.
.
[2020-11-19 20:03:34] [info] 20:03:34.663 [http-nio-8001-exec-6] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.5.2.3 for user "mspkt" failed.
{code}
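Added example (not part of the original report and not Guacamole's own code): the posted guacamole.properties spells the key `ldap-username-atribute`, while the description names `ldap-username-attribute`. This Python check flags `ldap-*` keys that match no known property name and rebuilds the search filter in the shape shown in the log. Assumptions: the function names are hypothetical, the known-key list is limited to property names appearing in this report, and the fallbacks `uid` and `(objectClass=*)` are taken as the defaults.

```python
import difflib
import re

# Known keys: only the LDAP property names that appear in this report.
KNOWN_LDAP_KEYS = {
    "ldap-hostname", "ldap-port", "ldap-encryption-method",
    "ldap-user-base-dn", "ldap-username-attribute", "ldap-search-bind-dn",
    "ldap-search-bind-password", "ldap-user-search-filter",
}
DEFAULT_USERNAME_ATTRIBUTE = "uid"  # assumption: the attribute seen in the logged filter

# Constructed sample: LDAP lines of the posted file, bind credentials omitted.
SAMPLE = """\
# AD
ldap-hostname: winserv2019.rsdome.com
ldap-user-base-dn: CN=Users,DC=rsdome,DC=com
ldap-username-atribute: sAMAccountName
ldap-user-search-filter: (&(objectClass=user)(memberOf=CN=GuacamoleUsers,CN=Local,CN=Users,DC=rsdome,DC=com))
"""

def parse_properties(text):
    """Parse 'key: value' / 'key=value' lines, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)", line)
        props[m.group(1)] = m.group(2)
    return props

def unknown_ldap_keys(props):
    """Map each unrecognised ldap-* key to its closest known key (or None)."""
    findings = {}
    for key in props:
        if key.startswith("ldap-") and key not in KNOWN_LDAP_KEYS:
            near = difflib.get_close_matches(key, KNOWN_LDAP_KEYS, n=1, cutoff=0.8)
            findings[key] = near[0] if near else None
    return findings

def escape_filter_value(value):
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def effective_filter(props, username):
    """Filter in the shape shown in the log: (&<user filter>(|(attr=user)))."""
    attr = props.get("ldap-username-attribute", DEFAULT_USERNAME_ATTRIBUTE)
    base = props.get("ldap-user-search-filter", "(objectClass=*)")
    return f"(&{base}(|({attr}={escape_filter_value(username)})))"
```

Running `unknown_ldap_keys(parse_properties(SAMPLE))` reports the unrecognised key together with its nearest known name, and `effective_filter(...)` on the same input yields the `uid` filter seen in catalina.out.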