On Sun, Jan 13, 2019 at 7:43 AM Philip Herbert <m...@pherbert.de> wrote:
> As it seems impossible to change the structure of an LDAP, because a
> single application expects users and groups in different parts of the
> LDAP directory, I would like to try to find out why this config is
> failing.
>
> If I set ldap-user-base-dn and ldap-group-base-dn to the same value
> (pointing to the root of the directory), like:
>
> DC=DOMAIN,DC=DE
>
> then any attempt to log in causes an error:
>
> 13:12:15.772 [http-bio-8080-exec-4] INFO  o.a.g.r.auth.AuthenticationService - User "philip" successfully authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
> 13:12:16.745 [http-bio-8080-exec-4] WARN  o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
>
> There is no additional output in catalina.out.
>
> In my last post:
>
> dap-username-attribute:sAMAccountName
>
> was a copy/paste error. The 'l' before ldap is not missing …
>
> I have managed to get clean user / group lists by modifying the
> function getGroupSearchFilter in UserGroupService.jar to return only
> objectClass=group:
>
> //return "(objectClass=*)";
> return "(objectClass=group)";
>
> with the following properties:
>
> ldap-hostname: dc.domain.de
> ldap-port:3269
> ldap-encryption-method:ssl
> ldap-search-bind-dn:cn=GuacamoleLDAP,cn=Users,dc=domain,dc=de
> ldap-search-bind-password:<something>
> ldap-user-base-dn:dc=domain,dc=de
> ldap-group-base-dn:dc=domain,dc=de
> ldap-username-attribute:sAMAccountName
> ldap-max-search-results:4000
> ldap-follow-referrals:true
> ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
>
> With this config and change, I get a clean list of (person) users in
> the user tab and a clean list of groups in the group tab.
>
> When I assign a connection profile to a group, the connection is
> visible to the users, but they cannot connect, due to missing
> permissions:
>
> 'You do not have permissions to access this connection'
>
> INFO: Server startup in 3508 ms
> 13:38:18.787 [http-bio-8080-exec-7] INFO  o.a.g.r.auth.AuthenticationService - User "philip" successfully authenticated from [192.168.121.212, 127.0.0.1].
> 13:38:20.167 [http-bio-8080-exec-9] INFO  o.a.g.r.auth.AuthenticationService - User "philip" successfully authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
> 13:38:52.504 [http-bio-8080-exec-8] INFO  o.a.g.r.auth.AuthenticationService - User "testdv" successfully authenticated from [192.168.121.212, 127.0.0.1].
> 13:38:55.784 [http-bio-8080-exec-2] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Permission denied.
> 13:38:55.846 [http-bio-8080-exec-7] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: Permission denied.
> 13:39:12.699 [http-bio-8080-exec-5] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Permission denied.
> 13:39:12.754 [http-bio-8080-exec-3] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: Permission denied.
>
> Connections assigned to the user (not the group) are still working
> fine, as they did in previous versions.
>
> Thanks, Philip
>
>
> From: Mike Jumper <mjum...@apache.org>
> Sent: Sunday, 6 January 2019 08:47
> To: user@guacamole.apache.org
> Subject: Re: ldap groups in 1.0.0 RC1
>
> On Sat, Jan 5, 2019, 16:49 Philip Herbert <m...@pherbert.de> wrote:
>
> > ...
> >
> > Because of the global catalogue port (3269), all users in the entire
> > directory are returned and shown in Users, independent from the OU.
>
> Are you saying your LDAP server ignores the base DN for queries?
>
> > ...
> >
> > dap-username-attribute:sAMAccountName
>
> Is this a correct copy of your guacamole.properties? The "ldap" in
> this property name is missing the "l".
>
> > ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
>
> Is "user" a valid objectClass?
>
> > simply adding:
> >
> > ldap-user-base-dn:dc=mydomain,dc=de
> >
> > causes a failure:
> >
> > 01:32:21.232 [http-bio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.121.212, 127.0.0.1] for user "service" failed.
> > 01:32:25.523 [http-bio-8080-exec-1] INFO  o.a.g.r.auth.AuthenticationService - User "philip" successfully authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
> > 01:32:26.498 [http-bio-8080-exec-1] WARN  o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
>
> There should be an earlier, more specific error. Anything else in your
> logs?
>
> > When I set:
> >
> > ldap-user-base-dn:cn=Users,dc=mydomain,dc=de
> >
> > I can log in, but in the Administration Groups tab I see all users
> > and groups in the Users container of the directory and not only
> > groups.
>
> You will also need to set the "ldap-group-base-dn" property.
>
> As long as your users and groups are beneath separate, distinct base
> DNs (there are no users beneath the group DN and no groups beneath the
> user DN), they will be properly distinguished from each other. If you
> keep your groups in the same part of your LDAP directory as your
> users, Guacamole will not be able to differentiate an LDAP group from
> an LDAP user when attempting to list either within the admin
> interface.
>
> - Mike
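A toy model of the user/group classification Mike describes, added here as an illustration and not code from Guacamole or from either poster: it assumes a constructed directory snapshot and replaces real LDAP queries with Python predicates for the three filters that appear in the thread, then shows which entries would land in the Users and Groups tabs for the base DN combinations discussed (shared root with `(objectClass=*)`, shared root with Philip's `(objectClass=group)` change, and disjoint base DNs).

```python
"""Constructed model (not Guacamole code) of how entries get classified as users or
groups depending on base DNs and search filters. objectCategory is simplified to the
short display name that AD accepts in filters such as (!(objectCategory=computer))."""

# Constructed AD-style snapshot: (dn, objectClass values, objectCategory)
USER_CLASSES = {"top", "person", "organizationalPerson", "user"}
DIRECTORY = [
    ("CN=philip,CN=Users,DC=domain,DC=de", USER_CLASSES, "person"),
    ("CN=testdv,CN=Users,DC=domain,DC=de", USER_CLASSES, "person"),
    ("CN=GuacamoleLDAP,CN=Users,DC=domain,DC=de", USER_CLASSES, "person"),
    ("CN=WS01,CN=Computers,DC=domain,DC=de", USER_CLASSES | {"computer"}, "computer"),
    ("CN=RDP-Admins,OU=Groups,DC=domain,DC=de", {"top", "group"}, "group"),
    ("CN=Domain Users,CN=Users,DC=domain,DC=de", {"top", "group"}, "group"),
]

def dn_components(dn):
    """Split a DN into normalised RDNs; DN comparison in LDAP is case-insensitive."""
    return [c.strip().lower() for c in dn.split(",")]

def under_base(dn, base_dn):
    """True if dn equals the base DN or lies beneath it (subtree scope)."""
    parts, base = dn_components(dn), dn_components(base_dn)
    return len(parts) >= len(base) and parts[-len(base):] == base

# Predicates standing in for the filters quoted in the thread (no general filter parser).
def user_filter(classes, category):   # (objectClass=user)(!(objectCategory=computer))
    return "user" in classes and category != "computer"

def any_entry(classes, category):     # (objectClass=*), the original getGroupSearchFilter
    return True

def group_only(classes, category):    # (objectClass=group), the modified group filter
    return "group" in classes

def list_entries(base_dn, matches):
    """Entries a subtree search beneath base_dn would return for the given predicate."""
    return sorted(dn for dn, classes, category in DIRECTORY
                  if under_base(dn, base_dn) and matches(classes, category))

def classify(user_base_dn, group_base_dn, group_filter=any_entry):
    """What the Users and Groups tabs would show, plus entries that appear in both."""
    users = list_entries(user_base_dn, user_filter)
    groups = list_entries(group_base_dn, group_filter)
    return {"users": users, "groups": groups, "overlap": sorted(set(users) & set(groups))}

if __name__ == "__main__":
    root = "dc=domain,dc=de"
    for label, result in [("shared root, objectClass=*", classify(root, root)),
                          ("shared root, objectClass=group", classify(root, root, group_only)),
                          ("split base DNs", classify("cn=Users," + root, "ou=Groups," + root))]:
        print(label, "-> groups:", len(result["groups"]), "overlap:", result["overlap"])
```

With split base DNs the overlap disappears, but a group that lives among the users (Domain Users in CN=Users here) is no longer listed at all, which is the trade-off Mike's last paragraph points at.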