On Sun, Jan 13, 2019 at 7:43 AM Philip Herbert <[email protected]> wrote:
> as it seems impossible to change the structure of an ldap, because a
> single application expects users and groups
> in different parts of the ldap directory, I would like to try to find out
> why this config is failing

We certainly do not try to design the LDAP authentication extension with the notion of having you reorganize your entire tree to suit the needs of Guacamole. The Guacamole extension does not expect users and groups to be in different parts of the tree - it simply gives you different options for searching for users, groups, and connections, and leaving them out allows you to disable items that you don't use. For example, I use Guacamole with Active Directory, but don't care about having either LDAP groups or connections pulled in from AD - I'm only interested in authentication and users. Hopefully this helps explain why it is structured the way it is.

> If I set ldap-user-base-dn and ldap-group-base-dn to the same value
> (pointing to the root of the directory like:
>
> DC=DOMAIN,DC=DE
>
> then any attempt to login causes an error:
>
> 13:12:15.772 [http-bio-8080-exec-4] INFO
> o.a.g.r.auth.AuthenticationService - User "philip" successfully
> authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
> 13:12:16.745 [http-bio-8080-exec-4] WARN
> o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider
> has encountered an internal error which will halt the authentication
> process. If this is unexpected or you are the developer of this
> authentication provider, you may wish to enable debug-level logging. If
> this is expected and you wish to ignore such failures in the future, please
> set "skip-if-unavailable: ldap" within your guacamole.properties.
>
> There is no additional output in catalina.out

Might be worth putting logging into DEBUG mode and see if anything else is captured.
Instructions for that are here: http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

This looks like it could be a bug, but hard to know for sure without some more detailed logging.

> In my last post:
>
> dap-username-attribute:sAMAccountName
>
> was a copy/paste error. The 'l' before ldap is not missing ...
>
> I have managed to get clean user / group lists by modifying
> the function getGroupSearchFilter in UserGroupService.jar to return only
> objectClass=group
>
> //return "(objectClass=*)";
> return "(objectClass=group)";
>
> with the following properties:
>
> ldap-hostname: dc.domain.de
> ldap-port:3269
> ldap-encryption-method:ssl
> ldap-search-bind-dn:cn=GuacamoleLDAP,cn=Users,dc=domain,dc=de
> ldap-search-bind-password:<something>
> ldap-user-base-dn:dc=domain,dc=de
> ldap-group-base-dn:dc=domain,dc=de
> ldap-username-attribute:sAMAccountName
> ldap-max-search-results:4000
> ldap-follow-referrals:true
> ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
>
> With this config and change, I get a clean list of (person) users in the
> user tab and a clean list of groups in the group tab.
> When I assign a connection profile to a group, the connection is visible
> to the users, but he cannot connect, due to missing permissions.
>
> 'You do not have permissions to access this connection'

Hmmm. I wonder if this is related to this issue: https://issues.apache.org/jira/browse/GUACAMOLE-696 ??

-Nick
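A check worth running before the DEBUG-log round trip is to reproduce the two searches the extension must be doing (one user by login name under ldap-user-base-dn, all groups under ldap-group-base-dn) with plain ldapsearch, using the same bind DN, base DNs and filters from the guacamole.properties quoted above. The script below is an added example written for this thread; it is not Guacamole's own code and does not claim to mirror how the extension composes its queries. It assumes a "key: value" properties file in the format shown above (a constructed copy with a placeholder password is embedded), OpenLDAP's ldapsearch on PATH if the queries are actually executed, and wraps the user filter in an outer (&...) because the two side-by-side sub-filters in the thread are not a single RFC 4515 filter on their own:

```shell
#!/bin/sh
# Added example (not from the thread, Guacamole or Apache): rebuild the user
# and group searches implied by a guacamole.properties file as ldapsearch
# commands, so bind DN, base DNs and filters can be verified outside Guacamole.
set -e

# Constructed copy of the properties quoted in the thread; password is a placeholder.
PROPS=$(mktemp)
trap 'rm -f "$PROPS"' EXIT
cat > "$PROPS" <<'EOF'
ldap-hostname: dc.domain.de
ldap-port:3269
ldap-encryption-method:ssl
ldap-search-bind-dn:cn=GuacamoleLDAP,cn=Users,dc=domain,dc=de
ldap-search-bind-password:<something>
ldap-user-base-dn:dc=domain,dc=de
ldap-group-base-dn:dc=domain,dc=de
ldap-username-attribute:sAMAccountName
ldap-max-search-results:4000
ldap-follow-referrals:true
ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
EOF

# prop KEY FILE: value of KEY with the key, colon and surrounding whitespace removed.
prop() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" "$2" | head -n 1
}

# ldap_url FILE: ldaps:// for ldap-encryption-method ssl, ldap:// otherwise
# (starttls stays ldap:// and gets -ZZ in search_cmd).
ldap_url() {
    case "$(prop ldap-encryption-method "$1")" in
        ssl) scheme=ldaps ;;
        *)   scheme=ldap ;;
    esac
    printf '%s://%s:%s\n' "$scheme" "$(prop ldap-hostname "$1")" "$(prop ldap-port "$1")"
}

# user_filter FILE USERNAME: configured user filter ANDed with the username
# attribute; the outer (&...) turns the two juxtaposed sub-filters into one filter.
user_filter() {
    printf '(&%s(%s=%s))\n' "$(prop ldap-user-search-filter "$1")" \
        "$(prop ldap-username-attribute "$1")" "$2"
}

# group_filter: the filter the patched getGroupSearchFilter in the thread returns.
group_filter() {
    printf '(objectClass=group)\n'
}

# search_cmd FILE BASE FILTER ATTRS...: one ldapsearch command line. -W prompts
# for the bind password so it never lands in the command line or history;
# -C chases referrals when ldap-follow-referrals is true.
search_cmd() {
    file=$1; base=$2; filter=$3; shift 3
    opts="-LLL -H '$(ldap_url "$file")' -D '$(prop ldap-search-bind-dn "$file")' -W"
    if [ "$(prop ldap-encryption-method "$file")" = starttls ]; then opts="$opts -ZZ"; fi
    if [ "$(prop ldap-follow-referrals "$file")" = true ]; then opts="$opts -C"; fi
    printf "ldapsearch %s -b '%s' '%s' %s\n" "$opts" "$base" "$filter" "$*"
}

# user_check FILE USERNAME: the user lookup, returning memberOf to see group links.
user_check() {
    search_cmd "$1" "$(prop ldap-user-base-dn "$1")" "$(user_filter "$1" "$2")" dn memberOf
}

# group_check FILE: the group listing with its member attribute.
group_check() {
    search_cmd "$1" "$(prop ldap-group-base-dn "$1")" "$(group_filter)" dn member
}

# Print both commands; execute them only on request and if ldapsearch is installed.
user_check "$PROPS" "${1:-philip}"
group_check "$PROPS"
if [ "${GUAC_LDAP_CHECK_RUN:-0}" = 1 ] && command -v ldapsearch >/dev/null 2>&1; then
    eval "$(user_check "$PROPS" "${1:-philip}")"
    eval "$(group_check "$PROPS")"
fi
```

Run it with `GUAC_LDAP_CHECK_RUN=1 sh check.sh philip` (replacing the embedded properties with your real file) and compare: if the user search returns the entry with its memberOf values and the group search returns the groups with a member attribute containing that user's DN, the directory side of the configuration is sound and the "missing permissions" result points back at the extension, which is the GUACAMOLE-696 question Nick raises.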
