On Sat, Jan 5, 2019, 16:49 Philip Herbert <[email protected]> wrote:

> ...
>
> Because of global catalogue port(3269), all users in the entire directory
> are returned and shown in Users, independent from the ou.
>

Are you saying your LDAP server ignores the base DN for queries?

> ...
>
> dap-username-attribute:sAMAccountName
>

Is this a correct copy of your guacamole.properties? The "ldap" in this
property name is missing the "l".

> ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
>

Is "user" a valid objectClass?

> simply adding:
>
> ldap-user-base-dn:dc=mydomain,dc=de
>
> causes a failure:
>
> 01:32:21.232 [http-bio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.121.212, 127.0.0.1] for user "service" failed.
>
> 01:32:25.523 [http-bio-8080-exec-1] INFO o.a.g.r.auth.AuthenticationService - User "philip" successfully authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
>
> 01:32:26.498 [http-bio-8080-exec-1] WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
>

There should be an earlier, more specific error. Anything else in your logs?

> When I set:
>
> ldap-user-base-dn:cn=Users,dc=mydomain,dc=de
>
> I can log in, but in the Administration Groups Tab
> I see all Users and Groups in the Users Container of the Directory and
> not only groups.
>

You will also need to set the "ldap-group-base-dn" property. As long as your
users and groups are beneath separate, distinct base DNs (there are no users
beneath the group DN and no groups beneath the user DN), they will be
properly distinguished from each other.

If you keep your groups in the same part of your LDAP directory as your
users, Guacamole will not be able to differentiate an LDAP group from an
LDAP user when attempting to list either within the admin interface.

- Mike
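As an added illustration (not from this thread and not the Guacamole project's own documentation), the guacamole.properties fragment below puts the layout reported in the thread beside one that gives users and groups distinct base DNs. The OU names are constructed placeholders, and the search filter is assumed to be meant as a conjunction, so it is wrapped in the `(&...)` that RFC 4515 filter syntax requires for two components.

```properties
# Constructed example. Layout as reported: the misspelled key is silently
# ignored by Guacamole, and with no group base DN set, every object under
# the Users container is listed both as a user and as a group.
#dap-username-attribute: sAMAccountName
#ldap-user-base-dn: cn=Users,dc=mydomain,dc=de

# Corrected layout. Assumes users and groups live in separate OUs;
# "People" and "Groups" are placeholder OU names, not taken from the thread.
ldap-user-base-dn: ou=People,dc=mydomain,dc=de
ldap-username-attribute: sAMAccountName
ldap-user-search-filter: (&(objectClass=user)(!(objectCategory=computer)))
ldap-group-base-dn: ou=Groups,dc=mydomain,dc=de
```

Because Java properties syntax has no end-of-line comments, each `#` comment sits on its own line; a trailing `#` on a value line would become part of the value.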
