Re: Dumb LDAP Properties Question
Yes I agree, I am just going to leave it as is and have it be manually entered instead of making assumptions. Thanks

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: Dumb LDAP Properties Question
On Mon, Jan 14, 2019 at 2:44 PM Zer0Cool wrote:
> Ok so from the responses it sounds like typically:
>
> ldap-user-base-dn: dc=mydomain,dc=com
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=mydomain,dc=com
>
> should be using the same DC entries but that:
>
> ldap-hostname: myserver./mydomain/./com/
>
> could possibly be on another domain.
>
> However, it sounds like it is theoretically possible they are not.
>
> I ask as I am working on a script in which currently all 3 are prompted for and hand entered. I was wondering if I could reduce the amount prompted for and assume the DC portions.
>
> In other words something like:
> prompt for ldap-hostname
> skip asking for ldap-user-base-dn (assume the same domain as ldap-hostname)
> and then for ldap-search-bind-dn the user only enters "cn=user_name,ou=user_ou" and assume the DC portions in the underlying code.
>
> So far it sounds like the answer is that the majority of time this would be a safe assumption but there could be instances in which they would differ. If that's the case I can leave it as is and have it be fully entered and not make assumptions.

I would say that, while it may be a "safe assumption" 51% ("majority") of the time, it is not a good assumption. There may be a variety of reasons that the DNS domain (mydomain.com) differs from the LDAP tree base dn (dc=mydomain,dc=com), and you should prompt for each of them individually.

As someone who administers a decent number of systems and has done so for 20-ish years, I can say that having to enter that information a couple of different times is preferable to not being given that option and having the system make assumptions about the environment that result in troubleshooting a bad configuration.

You could try to derive the values and use those derived values as defaults, but still give the option to enter something different - that might be a good compromise between extra keystrokes and environments that don't match your assumptions.

-Nick
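Nick's compromise (derive the DC components from the hostname, offer them as defaults, let the operator override) as a POSIX shell sketch. This is an added example for the thread, not code from any poster or from Guacamole; the function names and the `--interactive` flag are invented here. It refuses to derive a default from an IP literal or a bare host label, which is exactly the kind of environment where the assumption would silently produce a bad base DN.

```shell
#!/bin/sh
# Added example (not from the thread or Guacamole): derive a default base DN
# from the ldap-hostname, but never force it; the operator can always override.
# Function names and the --interactive flag are invented for this illustration.

# dn_from_host HOSTNAME
#   myserver.mydomain.com  ->  dc=mydomain,dc=com
# Prints nothing and returns 1 when no default can be derived: an IPv4/IPv6
# literal, or a bare host label with no DNS domain behind it.
dn_from_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    case "$host" in
        *:*) return 1 ;;            # IPv6 literal
        *[!0-9.]*) ;;               # has letters: treat as a DNS name
        *) return 1 ;;              # IPv4 literal or empty string
    esac
    domain=${host#*.}               # drop the server's own (leftmost) label
    [ "$domain" != "$host" ] && [ -n "$domain" ] || return 1
    printf 'dc=%s\n' "$domain" | sed 's/\./,dc=/g'
}

# prompt_with_default PROMPT DEFAULT
# Shows the derived default in brackets; an empty reply accepts it.
prompt_with_default() {
    if [ -n "$2" ]; then
        printf '%s [%s]: ' "$1" "$2" >&2
    else
        printf '%s: ' "$1" >&2
    fi
    read -r reply
    printf '%s\n' "${reply:-$2}"
}

# Interactive driver: prompt for all three properties, offering derived
# defaults for the two DNs only when the hostname yields a usable domain.
if [ "${1:-}" = "--interactive" ]; then
    ldap_hostname=$(prompt_with_default "ldap-hostname" "")
    default_dn=$(dn_from_host "$ldap_hostname") || default_dn=""
    ldap_user_base_dn=$(prompt_with_default "ldap-user-base-dn" "$default_dn")
    ldap_search_bind_dn=$(prompt_with_default "ldap-search-bind-dn" \
        "${default_dn:+cn=myuser,ou=user_ou,$default_dn}")
    printf 'ldap-hostname: %s\nldap-user-base-dn: %s\nldap-search-bind-dn: %s\n' \
        "$ldap_hostname" "$ldap_user_base_dn" "$ldap_search_bind_dn"
fi
```

Run it with `--interactive` to see the prompts; whatever the operator types replaces the bracketed default, so a directory whose base DN does not follow the DNS domain is still configured correctly.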
Re: Dumb LDAP Properties Question
Ok so from the responses it sounds like typically:

ldap-user-base-dn: dc=mydomain,dc=com
ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=mydomain,dc=com

should be using the same DC entries but that:

ldap-hostname: myserver./mydomain/./com/

could possibly be on another domain.

However, it sounds like it is theoretically possible they are not.

I ask as I am working on a script in which currently all 3 are prompted for and hand entered. I was wondering if I could reduce the amount prompted for and assume the DC portions.

In other words something like:
prompt for ldap-hostname
skip asking for ldap-user-base-dn (assume the same domain as ldap-hostname)
and then for ldap-search-bind-dn the user only enters "cn=user_name,ou=user_ou" and assume the DC portions in the underlying code.

So far it sounds like the answer is that the majority of time this would be a safe assumption but there could be instances in which they would differ. If that's the case I can leave it as is and have it be fully entered and not make assumptions.
Re: Dumb LDAP Properties Question
On Fri, Jan 11, 2019 at 12:59 PM Zer0Cool wrote:
> Guac: 1.0.0 with MySQL db + LDAP extension
> OS: CentOS/RHEL 7.x (7.6 currently)
>
> I am specifically talking about the following entries in guacamole.properties:
>
> ldap-hostname: myserver./mydomain/./com/
> ldap-user-base-dn: dc=/mydomain/,dc=/com/
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=/mydomain/,dc=/com/
>
> So in the above example, is there any logical, legitimate reason the parts in italics could be/should be different than the other entries in red (line to line)?
>
> Put another way, is there any reason to have the DC entries be different on those 3 lines or is it safe to assume that "mydomain" will be the same across all 3 lines?

First, there are two DC entries here, not three. The hostname of your LDAP server is independent of the contents of your LDAP directory and is purely a network concern. Whether it matches the DC attributes of objects in your directory depends on how you set things up and is not guaranteed. It will match if you have set things up such that it matches.

As for the user base DN and search bind DN, I don't believe these are guaranteed to match. It definitely would be unusual if they didn't, but the correct values are dictated by the contents of your LDAP directory. You should look at the definitions of those properties, look at the contents of your LDAP directory, and determine the values from your directory which satisfy the requirements of those properties.

The user base DN should be the base DN of the part of your LDAP tree that contains the users relevant to Guacamole. The search bind DN needs to have permission to query the objects within the user base DN.

- Mike
Re: Dumb LDAP Properties Question
> Put another way, is there any reason to have the DC entries be different on those 3 lines.

I can't think of any reason how/why they could be different. What are you trying to accomplish, or what issue are you running into?

> is it safe to assume that "mydomain" will be the same across all 3 lines

Yes.

Erik Berndt / Systems Administrator

On Fri, Jan 11, 2019 at 3:59 PM Zer0Cool wrote:
> Guac: 1.0.0 with MySQL db + LDAP extension
> OS: CentOS/RHEL 7.x (7.6 currently)
>
> I am specifically talking about the following entries in guacamole.properties:
>
> ldap-hostname: myserver./mydomain/./com/
> ldap-user-base-dn: dc=/mydomain/,dc=/com/
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=/mydomain/,dc=/com/
>
> So in the above example, is there any logical, legitimate reason the parts in italics could be/should be different than the other entries in red (line to line)?
>
> Put another way, is there any reason to have the DC entries be different on those 3 lines or is it safe to assume that "mydomain" will be the same across all 3 lines?
>
> Sorry for the silly question. Thanks