[ 
https://issues.apache.org/jira/browse/GUACAMOLE-1216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17235715#comment-17235715
 ] 

Robert commented on GUACAMOLE-1216:
-----------------------------------

I feel so stupid right now. It's been days of troubleshooting and.....thanks.

> LDAP SearchRequest default attribute not overwritten by ldap-username-atribute 
> parameter
> --------------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1216
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1216
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole, guacamole-auth-ldap
>    Affects Versions: 1.2.0, 1.3.0
>         Environment: HW: Raspberry PI 3B
> OS: Raspberry Pi OS Lite (buster 5.4.72-v7+) up to date
> SW: Guacamole server, client, ldap extension 1.2.0 (tested also 1.3.0 from 
> github with same result), JVM 1.8.0_65-b17, Servlet Apache Tomcat/9.0.31 
> (Debian)
>            Reporter: Robert
>            Priority: Major
>              Labels: ActiveDirectory, EasyFix, RasberryPi, SearchRequest, 
> attribute, authentication, ldap
>
> When using ldap authentication against Microsoft Active Directory, the 
> default attribute for username is "sAMAccountName" which needs to be set with 
> ldap-username-attribute property in guacamole.properties. Even if it's 
> explicitly set, LDAP search request still uses "uid" attribute instead, which 
> is not set in Active Directory by default and search response ends with empty 
> result. When "uid" is manually set in AD, user is properly authenticated. Please 
> fix this weird behavior. Thank you.
> {code:java}
> #### /etc/guacamole/guacamole.properties
> enable-environment-properties: true
> guacd-hostname: localhost
> guacd-port:     4822
> guacd-ssl:      true
> # AD
> ldap-hostname: winserv2019.rsdome.com
> ldap-port: 389
> ldap-encryption-method: none
> ldap-user-base-dn: CN=Users,DC=rsdome,DC=com
> ldap-username-atribute: sAMAccountName
> ldap-search-bind-dn: CN=adtest,CN=Local,CN=Users,DC=rsdome,DC=com
> ldap-search-bind-password: Test123
> ldap-user-search-filter: 
> (&(objectClass=user)(memberOf=CN=GuacamoleUsers,CN=Local,CN=Users,DC=rsdome,DC=com))
> {code}
>  
> See end of the filter line in SearchRequest...
> {code:java}
> #### part of catalina.out
> [2020-11-19 20:03:34] [info] 20:03:34.602 [http-nio-8001-exec-6] DEBUG 
> o.a.d.l.c.api.LdapNetworkConnection - MSG_04104_SENDING_REQUEST (MessageType 
> : SEARCH_REQUEST
> [2020-11-19 20:03:34] [info] Message ID : 2
> [2020-11-19 20:03:34] [info]     SearchRequest
> [2020-11-19 20:03:34] [info]         baseDn : 'CN=Users,DC=rsdome,DC=com'
> [2020-11-19 20:03:34] [info]         filter : 
> '(&(&(objectClass=user)(memberOf=CN=GuacamoleUsers,CN=Local,CN=Users,DC=rsdome,DC=com))(|(uid=mspkt)))'
> [2020-11-19 20:03:34] [info]         scope : whole subtree
> [2020-11-19 20:03:34] [info]         typesOnly : false
> [2020-11-19 20:03:34] [info]         Size Limit : 1000
> [2020-11-19 20:03:34] [info]         Time Limit : 30
> [2020-11-19 20:03:34] [info]         Deref Aliases : never Deref Aliases
> [2020-11-19 20:03:34] [info]         attributes :
> .
> .
> .
> [2020-11-19 20:03:34] [info] 20:03:34.659 [NioProcessor-5] DEBUG 
> o.a.d.l.c.api.LdapNetworkConnection - MSG_04131_SEARCH_SUCCESSFUL 
> (MessageType : SEARCH_RESULT_DONE
> [2020-11-19 20:03:34] [info] Message ID : 2
> [2020-11-19 20:03:34] [info]     Search Result Done
> [2020-11-19 20:03:34] [info]         Ldap Result
> [2020-11-19 20:03:34] [info]             Result code : (SUCCESS) success
> [2020-11-19 20:03:34] [info]             Matched Dn : '' #<<< EMPTY RESULT
> [2020-11-19 20:03:34] [info]             Diagnostic message : ''
> [2020-11-19 20:03:34] [info] )
> .
> .
> .
> [2020-11-19 20:03:34] [info] 20:03:34.663 [http-nio-8001-exec-6] WARN  
> o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.5.2.3 for 
> user "mspkt" failed.
> {code}
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
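
A pre-deployment check for the mismatch visible in this thread, where the quoted file sets `ldap-username-atribute`, the description names `ldap-username-attribute`, and the logged search filter still uses `uid`. This is an added example, not part of the original message or of Guacamole: the key list holds only the property names visible on this page, the sample file is constructed, and the function names are hypothetical.

```python
import difflib

# Property names visible on this page (the quoted file plus the correctly
# spelled ldap-username-attribute from the description). Assumption: this is
# not a complete list; extend it from the documentation for your version.
KNOWN_KEYS = {
    "enable-environment-properties", "guacd-hostname", "guacd-port", "guacd-ssl",
    "ldap-hostname", "ldap-port", "ldap-encryption-method", "ldap-user-base-dn",
    "ldap-username-attribute", "ldap-search-bind-dn",
    "ldap-search-bind-password", "ldap-user-search-filter",
}

# Constructed sample modelled on the quoted guacamole.properties.
SAMPLE = """\
# AD
ldap-hostname: ldap.example.test
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: CN=Users,DC=example,DC=test
ldap-username-atribute: sAMAccountName
ldap-search-bind-dn: CN=svc,CN=Users,DC=example,DC=test
ldap-search-bind-password: <placeholder>
"""

def parse_properties(text):
    """Return (line_number, key, value) for each 'key: value' or 'key=value' line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        # The key ends at the first ':' or '='; values (DNs, filters) may contain both.
        cut = min((i for i in (line.find(":"), line.find("=")) if i != -1), default=len(line))
        entries.append((lineno, line[:cut].strip(), line[cut + 1:].strip()))
    return entries

def find_unknown_keys(text, known=KNOWN_KEYS):
    """Return (line_number, key, closest_known_key_or_None) for unrecognised keys."""
    findings = []
    for lineno, key, _ in parse_properties(text):
        if key not in known:
            close = difflib.get_close_matches(key, sorted(known), n=1, cutoff=0.8)
            findings.append((lineno, key, close[0] if close else None))
    return findings

if __name__ == "__main__":
    for lineno, key, hint in find_unknown_keys(SAMPLE):
        print(f"line {lineno}: unknown key {key!r}" + (f", did you mean {hint!r}?" if hint else ""))
```

Run against the real file before restarting Tomcat; a non-empty result means at least one setting is spelled differently from every name in the list.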
