On Wed, May 1, 2019 at 11:38 AM nicoschottelius <[email protected]> wrote:
> Hello,
>
> I've tried several combinations of ldap-search-bind-dn,
> ldap-user-search-filter, ldap-max-search-results - all with one result:
>
> - User successfully authenticated in the logs
> - Unable to query list of objects from LDAP directory message on the login
> screen
>
> What I would expect guacamole to do:
>
> - bind as the user to find out whether it can login
> - use the search-bind-dn to look for other objects

No. And there's a good reason for this - see below.

> What I *assume* guacamole is actually doing:
>
> - search the DN of the user using the search-bind-dn
> - searching other objects using the USER dn

It depends a little bit on how you have things configured. If you do not enter an ldap-search-bind-dn and password, the extension attempts to generate the bind DN using the ldap-username-attribute (uid by default), the username entered, and the ldap-user-base-dn. So, if you leave the attribute as uid, set ldap-user-base-dn to "dc=example,dc=com", and log in with "testuser", the bind DN that the extension will use would be: uid=testuser,dc=example,dc=com.

If you enter the ldap-search-bind-dn and password values, the extension will bind with those credentials, search the LDAP tree for the user that is logging in, using the username attribute (uid by default), and then will attempt to re-bind with the DN that was located and the password provided by the user at login time.

All of the other searches within the LDAP tree - for connections (assuming ldap-config-base-dn is set) and user groups (assuming ldap-group-base-dn is set) - are done using the bind DN and password of *the user that logged in* (NOT the ldap-search-bind-dn). The *only* thing the ldap-search-bind-dn value and password are used for is to locate the user logging in.
The reason it behaves this way, and not the way you expect, is that the LDAP extension relies explicitly on LDAP access control for the user who is logging in to govern what other users, groups, and connections (configurations) the user can see within Guacamole. This is by design. This behavior is described in the LDAP section of the manual: http://guacamole.apache.org/doc/gug/ldap-auth.html

-Nick
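As an added illustration of the flow Nick describes (example code, not part of the original thread and not the guacamole-auth-ldap extension's own code), the following in-memory model walks through both ways the user's bind DN is derived and then performs the connection lookup as the authenticated user rather than as the search DN. The directory entries, the `readable_by` attribute standing in for the LDAP server's access control, and all function names are constructed for this example.

```python
# Constructed sample directory (DN -> attributes). "readable_by" stands in for
# the LDAP server's access control: which bound DNs may read the entry.
PEOPLE = "ou=people,dc=example,dc=com"
CONFIGS = "ou=guacConfigs,dc=example,dc=com"
SEARCH_DN = "cn=searchsvc,dc=example,dc=com"
USER_DN = "uid=testuser," + PEOPLE
DIRECTORY = {
    USER_DN: {"uid": "testuser", "userPassword": "s3cret", "readable_by": {"*"}},
    SEARCH_DN: {"cn": "searchsvc", "userPassword": "svcpw", "readable_by": {"*"}},
    "cn=rdp-host1," + CONFIGS: {"cn": "rdp-host1", "readable_by": {SEARCH_DN}},
    "cn=ssh-host2," + CONFIGS: {"cn": "ssh-host2", "readable_by": {USER_DN}},
}

def bind(dn, password):
    """Simple bind: the entry must exist and its userPassword must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password

def search(bound_as, base_dn, attr, value=None):
    """Subtree search performed as `bound_as`, honouring each entry's read ACL."""
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.endswith("," + base_dn) or attr not in entry:
            continue
        if value is not None and entry[attr] != value:
            continue
        if "*" in entry["readable_by"] or bound_as in entry["readable_by"]:
            hits.append(dn)
    return hits

def resolve_user_dn(username, user_base_dn, username_attr="uid",
                    search_bind_dn=None, search_bind_pw=None):
    """The two ways the extension derives the DN it will bind the user with."""
    if search_bind_dn is None:
        # No search DN configured: attribute + username + user base DN.
        return f"{username_attr}={username},{user_base_dn}"
    # Search DN configured: bind with it ONLY to locate the user's entry.
    if not bind(search_bind_dn, search_bind_pw):
        raise PermissionError("ldap-search-bind-dn bind failed")
    hits = search(search_bind_dn, user_base_dn, username_attr, username)
    return hits[0] if len(hits) == 1 else None

def login(username, password, config_base_dn, **resolve_kwargs):
    """Authenticate, then list connections *as the user* (not as the search DN)."""
    user_dn = resolve_user_dn(username, **resolve_kwargs)
    if user_dn is None or not bind(user_dn, password):
        return None  # authentication failed
    # Every later search runs with the user's own bind; LDAP ACLs decide what is seen.
    return search(user_dn, config_base_dn, "cn")
```

With either configuration, testuser sees only `ssh-host2`: `rdp-host1` is readable by the search DN alone, so granting the search account read access to the configuration base does nothing for the logged-in user, which is the symptom in the original question.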
