On Tue, Nov 20, 2018 at 3:54 PM Zer0Cool <[email protected]> wrote:
> I kind of figured it out. At least the base issue.
>
> ldap-users-search-filter: (memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=COM)
>
> Seems to be the proper syntax for the parameter in the guacamole.properties
> file. This pulled in just the members of that group. Removing
> "(&(objectCategory=user" got it working. I am gonna go out on a limb and
> assume it uses something like "objectCategory=*" by default and that's
> pre-pended to any conditions put in by the user causing issues?
>

Well, at least in the current master, the default is just "(objectClass=*)", and it should be overridden (not appended) if you specify the parameter in the configuration:

https://github.com/apache/guacamole-client/blob/823bbeace11063b249e3f05c2a1e5c5027107b96/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ConfigurationService.java#L341-L346

I can confirm this is also how it is for 1.0.0, but not sure off the top of my head how 0.9.14 behaves.

>
> I am still trying to figure out if I can limit the results just to actual
> users (not critical at this point) and only active users (a bit more
> important to me).
>

Yes, you should be able to with a valid search filter that includes the object class for user, person, etc.

>
> Overall, I would really just like to figure out the syntax Guac expects for
> this and what options/flexibility/limits it has compared to standard LDAP
> queries.
>

You might try putting Guacamole Client into debug mode and see if you can figure out where it's choking on the query. You can find instructions on this, here:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

-Nick
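
Added example, not part of the original thread and not Guacamole's code: Python that checks a string is one complete, balanced LDAP filter (RFC 4515 shape only) before it goes into the configuration, and builds a filter for the two restrictions asked about above (user objects only, enabled accounts only). It assumes Active Directory, where `objectCategory=person` and the `userAccountControl` bit test apply; the function names are hypothetical.

```python
# Added example: shape check for LDAP search filters, plus an AD filter builder.
GROUP_DN = "CN=Domain Admins,CN=Users,DC=domain,DC=COM"  # DN quoted in the thread
BIT_AND = "1.2.840.113556.1.4.803"  # AD LDAP_MATCHING_RULE_BIT_AND (assumes AD)
ACCOUNTDISABLE = 2                  # userAccountControl flag for a disabled account


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at pos; return (tree, next_pos)."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, children = text[pos], []
        pos += 1
        while pos < len(text) and text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"operator '{op}' has wrong number of operands")
        tree = (op, children)
    else:
        end = pos
        while end < len(text) and text[end] not in "()":
            end += 1
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"item at offset {pos} is not attr=value")
        tree, pos = (attr, value), end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"missing ')' at offset {pos}")
    return tree, pos + 1


def check_filter(text):
    """Return the parsed tree, or raise ValueError if text is not one complete filter."""
    tree, end = parse_filter(text)
    if end != len(text):
        raise ValueError(f"trailing text at offset {end}")
    return tree


def enabled_group_members(group_dn):
    """Filter for AD user objects in group_dn whose accounts are not disabled."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf={group_dn})"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))")
```

The string returned by `enabled_group_members(GROUP_DN)` is a candidate value for the search-filter parameter discussed in the thread; literal parentheses inside a value must be escaped as `\28` and `\29` to pass the check.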
