Hi, ldap-config-base-dn is set; properties below. I'm using AD, hence the bind details.
Thanks,
Antony

--
guacd-hostname: localhost
guacd-port: 4822
#auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# LDAP properties
ldap-hostname: 10.x.x.x
ldap-port: 389
ldap-user-base-dn: OU=Accounts,DC=xx,DC=xxx,DC=com
ldap-username-attribute: sAMAccountName
ldap-config-base-dn: OU=guac,OU=Groups,DC=xx,DC=xxx,DC=com
ldap-group-base-dn: OU=Groups,DC=xx,DC=xxx,DC=com
ldap-search-bind-dn: CN=sssd,OU=Service,OU=Accounts,dc=xx,dc=xxx,dc=com
ldap-search-bind-password: xxx

From: Nick Couchman [mailto:[email protected]]
Sent: Tuesday, 2 July 2019 11:31 AM
To: [email protected]
Subject: Re: Issue with LDAP stored sessions

On Mon, Jul 1, 2019 at 9:20 PM Wuth, Antony <[email protected]> wrote:

Hi all,

I've got a (mostly) working install running, and I'm trying to move the connection details into LDAP. It looks like authentication is working OK:

INFO o.a.g.r.auth.AuthenticationService - User "xxx" successfully authenticated from 10.x.x.x.

However, it appears the query for connections isn't; as far as I can tell it's searching for the connections with the following query:

00:24:09.854 [http-nio-8080-exec-1] DEBUG o.a.g.auth.ldap.ObjectQueryService - Searching "OU=Groups,DC=xx,DC=xxx,DC=com" for objects matching "(&(!(objectClass=guacConfigGroup))(member=CN=XXX,OU=XX,OU=Accounts,DC=xx,DC=xxx,DC=com))".

Which, if I'm reading it correctly, will search for all objects where the user is listed as a member and the objectClass isn't guacConfigGroup. Running this query manually with ldapsearch (predictably) produces a list of groups the user is a member of, and not the guac config groups. Running the query without the !( modifier does produce a list of connections.

My guess is that this is the query searching, not for configurations, but for user groups.
What does your guacamole.properties file contain (minus sensitive information)? Do you have ldap-config-base-dn set?

-Nick
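The two searches discussed in this thread, replayed offline as an added example that is not part of the thread or of Guacamole's own code: a minimal evaluator for LDAP search filters run over constructed directory entries. The logged filter and the two base DNs are taken from the thread; the user, group and connection entries, and the filter used for the connection lookup, are assumptions made for illustration. It shows why the logged query returns only ordinary AD groups even though OU=guac sits under OU=Groups (the !(objectClass=guacConfigGroup) clause is doing the excluding), and what a query that targets guacConfigGroup objects under ldap-config-base-dn returns for the same user.

```python
"""Minimal LDAP search-filter evaluator over in-memory entries.

Added example, not code from this thread or from Apache Guacamole: it replays the
thread's logged user-group query, and an assumed guacConfigGroup lookup, against
constructed entries. Only the logged filter and the two base DNs come from the
thread; everything else here is made up for illustration.
Supported syntax: &, |, ! and exact attribute=value (no substrings or escapes).
"""

def parse_filter(text):
    """Parse an RFC 4515-style filter into nested tuples, e.g.
    ("&", [("!", ("=", "objectClass", "x")), ("=", "member", "dn")])."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data in filter: %r" % text[end:])
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = s[i + 1]
    if op in "&|":
        i, kids = i + 2, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect(s, i, ")")
    if op == "!":
        kid, i = _parse(s, i + 2)
        return ("!", kid), _expect(s, i, ")")
    eq = s.index("=", i + 1)
    close = s.index(")", eq)  # values are assumed not to contain ')'
    return ("=", s[i + 1:eq], s[eq + 1:close]), close + 1

def _expect(s, i, ch):
    if s[i] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1

def _norm(value):
    """Case-fold and drop spaces after commas: a rough LDAP caseIgnore match."""
    return value.lower().replace(", ", ",")

def entry(dn, **attrs):
    """Build an entry as {"dn": ..., "<attr lowercased>": [values]}."""
    e = {"dn": dn}
    for name, values in attrs.items():
        e[name.lower()] = [values] if isinstance(values, str) else list(values)
    return e

def _matches(node, e):
    op = node[0]
    if op == "&":
        return all(_matches(k, e) for k in node[1])
    if op == "|":
        return any(_matches(k, e) for k in node[1])
    if op == "!":
        return not _matches(node[1], e)
    have, want = e.get(node[1].lower(), []), node[2]
    return bool(have) if want == "*" else any(_norm(v) == _norm(want) for v in have)

def search(directory, base_dn, filter_text):
    """Subtree search: DNs of entries at or below base_dn matching the filter."""
    node, base = parse_filter(filter_text), _norm(base_dn)
    return [e["dn"] for e in directory if _matches(node, e)
            and (_norm(e["dn"]) == base or _norm(e["dn"]).endswith("," + base))]

# Base DNs as in the thread's guacamole.properties; the entries are constructed.
GROUP_BASE = "OU=Groups,DC=xx,DC=xxx,DC=com"
CONFIG_BASE = "OU=guac,OU=Groups,DC=xx,DC=xxx,DC=com"
USER_DN = "CN=jsmith,OU=Staff,OU=Accounts,DC=xx,DC=xxx,DC=com"
OTHER_DN = "CN=bjones,OU=Staff,OU=Accounts,DC=xx,DC=xxx,DC=com"
DIRECTORY = [
    entry(USER_DN, objectClass=["top", "person", "user"], sAMAccountName="jsmith"),
    entry("CN=VPN Users,OU=Groups,DC=xx,DC=xxx,DC=com",
          objectClass=["top", "group"], member=[USER_DN, OTHER_DN]),
    entry("CN=Backup Operators,OU=Groups,DC=xx,DC=xxx,DC=com",
          objectClass=["top", "group"], member=[OTHER_DN]),
    # Shaped like Guacamole's guacConfigGroup schema (a groupOfNames carrying
    # guacConfigProtocol and guacConfigParameter); the values are made up.
    entry("CN=web01-rdp,OU=guac,OU=Groups,DC=xx,DC=xxx,DC=com",
          objectClass=["top", "groupOfNames", "guacConfigGroup"], member=[USER_DN],
          guacConfigProtocol="rdp", guacConfigParameter=["hostname=web01", "port=3389"]),
]

def user_groups(user_dn=USER_DN):
    """The query logged in the thread. OU=guac sits under OU=Groups, so the
    !(objectClass=guacConfigGroup) clause is what keeps connections out of it."""
    return search(DIRECTORY, GROUP_BASE,
                  "(&(!(objectClass=guacConfigGroup))(member=%s))" % user_dn)

def connections_in_group_base(user_dn=USER_DN):
    """The same base with the negation dropped, as run by hand in the thread."""
    return search(DIRECTORY, GROUP_BASE,
                  "(&(objectClass=guacConfigGroup)(member=%s))" % user_dn)

def user_connections(user_dn=USER_DN):
    """Assumed connection lookup: guacConfigGroups under ldap-config-base-dn."""
    return search(DIRECTORY, CONFIG_BASE,
                  "(&(objectClass=guacConfigGroup)(member=%s))" % user_dn)
```

To check the same thing against the real directory, hand each filter to ldapsearch with -b set to the base DN in question and -D/-W for the sssd bind account. One caveat for that check and for the properties above: they point at port 389 with no ldap-encryption-method set, so a simple bind sends the search bind password over the network in the clear. Using ldapsearch -ZZ (require StartTLS) for the manual query, and ldap-encryption-method: starttls in guacamole.properties, avoids that.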
