On Fri, Jan 11, 2019 at 12:59 PM Zer0Cool <[email protected]> wrote:
> Guac: 1.0.0 with MySQL db + LDAP extension
> OS: CentOS/RHEL 7.x (7.6 currently)
>
> I am specifically talking about the following entries in guacamole.properties:
>
> ldap-hostname: myserver./mydomain/./com/
> ldap-user-base-dn: dc=/mydomain/,dc=/com/
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=/mydomain/,dc=/com/
>
> So in the above example, is there any logical, legitimate reason the parts in italics could be/should be different than the other entries in red (line to line)?
>
> Put another way, is there any reason to have the DC entries be different on those 3 lines or is it safe to assume that "mydomain" will be the same across all 3 lines?

First, there are two DC entries here, not three. The hostname of your LDAP server is independent of the contents of your LDAP directory and is purely a network concern. Whether it matches the DC attributes of objects in your directory depends on how you set things up and is not guaranteed. It will match if you have set things up such that it matches.

As for the user base DN and search bind DN, I don't believe these are guaranteed to match. It definitely would be unusual if they didn't, but the correct values are dictated by the contents of your LDAP directory. You should look at the definitions of those properties, look at the contents of your LDAP directory, and determine the values from your directory which satisfy the requirements of those properties.

The user base DN should be the base DN of the part of your LDAP tree that contains the users relevant to Guacamole. The search bind DN needs to have permission to query the objects within the user base DN.

- Mike
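As an added illustration of the points in the reply above (not code from the thread or from the Guacamole project), the following script reads the three LDAP properties from a constructed guacamole.properties fragment, compares the DC suffixes of the user base DN and search bind DN, and treats a hostname that does not spell out the DC components as informational only. The property values and hostnames are placeholders.

```python
import re

# Constructed guacamole.properties fragment with placeholder values (not from the thread).
SAMPLE_PROPERTIES = """\
ldap-hostname: ldap.example.com
ldap-user-base-dn: ou=people,dc=example,dc=com
ldap-search-bind-dn: cn=guacamole,ou=service_accounts,dc=example,dc=com
"""

def parse_properties(text):
    """Parse 'key: value' lines (guacamole.properties style) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def split_dn(dn):
    """Split an RFC 4514 DN into (attr, value) pairs; a '\\,' inside a value is not a separator."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def dc_suffix(dn):
    """Return only the domain-component part of a DN, e.g. 'dc=example,dc=com'."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn) if a == "dc")

def check_ldap_config(props):
    """Return findings about the three LDAP properties; an empty list means nothing to flag."""
    findings = []
    base = props.get("ldap-user-base-dn", "")
    bind = props.get("ldap-search-bind-dn", "")
    host = props.get("ldap-hostname", "")
    # Differing DC suffixes are unusual but legal: the directory contents decide.
    if dc_suffix(base) != dc_suffix(bind):
        findings.append("warning: user base DN and search bind DN have different DC suffixes; "
                        "verify both against the directory, only its contents decide")
    # The hostname is a network concern and need not match the DC components at all.
    implied = ".".join(v for a, v in split_dn(base) if a == "dc")
    if implied and not host.endswith(implied):
        findings.append(f"info: ldap-hostname '{host}' does not match DC-derived name '{implied}'; "
                        "this is allowed, the hostname is independent of the directory DNs")
    return findings
```

Run `check_ldap_config(parse_properties(open("guacamole.properties").read()))` against a real file to get the same findings for your own deployment.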
