On Mon, Jul 1, 2019 at 9:36 PM Wuth, Antony <antony.w...@verint.com> wrote:

> Hi,
>
> Ldap-base-config-dn is set, properties below. I’m using AD hence the bind
> details.
>
> Thanks
>
> Antony
>
> --
>
> guacd-hostname: localhost
> guacd-port:    4822
>
> #auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
>
> # Auth provider class
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> # LDAP properties
> ldap-hostname: 10.x.x.x
> ldap-port: 389
> ldap-user-base-dn:  OU=Accounts,DC=xx,DC=xxx,DC=com
> ldap-username-attribute: sAMAccountName
> ldap-config-base-dn: OU=guac,OU=Groups,DC=xx,DC=xxx,DC=com
> ldap-group-base-dn: OU=Groups,DC=xx,DC=xxx,DC=com

Based on these two lines, I would say the query you posted previously from
the debug logs is not for configurations, but for user groups.


> ldap-search-bind-dn: CN=sssd,OU=Service,OU=Accounts,dc=xx,dc=xxx,dc=com
> ldap-search-bind-password: xxx

Does the user who is *logging in* have access to the
"OU=guac,OU=Groups,DC=xx,DC=xxx,DC=com" OU?  The LDAP module relies upon
LDAP security, so even though you have the ldap-search-bind-dn and
-password parameters specified, this will *only* ever be used to locate the
DN of the user who is attempting to log in.  As soon as that user is
located, the module re-binds with the user DN and the password they
specified, and all subsequent queries (including user groups and
configurations) take place with that bind DN.  Thus, the user who is
logging in must have access to the location where the configurations are
stored (ou=guac,ou=Groups).

-Nick

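To make the two-bind sequence in Nick's reply concrete, here is a constructed model of it. This is an added example for this page, not code from Guacamole or from either poster: a small in-memory directory with a simplified allow/deny subtree ACL stands in for Active Directory, the DNs live under an assumed DC=example,DC=com, and the stored connections are assumed to use the guacConfigGroup objectClass with guacConfigProtocol and member attributes. The property names are the ones from Antony's guacamole.properties.

```python
"""Model of the two binds the Guacamole LDAP extension performs.

Constructed example, not Guacamole code: the search account is bound only
to turn a username into a DN; the directory is then re-bound as the user,
and the group and configuration searches run with the user's own rights.
"""
from dataclasses import dataclass

# Constructed DNs (the real domain components are anonymised in the thread).
BASE = "DC=example,DC=com"
SVC_DN = f"CN=sssd,OU=Service,OU=Accounts,{BASE}"
ALICE_DN = f"CN=Alice,OU=Accounts,{BASE}"
GROUP_DN = f"CN=guac-users,OU=Groups,{BASE}"
CONFIG_DN = f"CN=jumphost,OU=guac,OU=Groups,{BASE}"

# Same property names as in the quoted guacamole.properties.
PROPS = {
    "ldap-user-base-dn": f"OU=Accounts,{BASE}",
    "ldap-username-attribute": "sAMAccountName",
    "ldap-config-base-dn": f"OU=guac,OU=Groups,{BASE}",
    "ldap-group-base-dn": f"OU=Groups,{BASE}",
    "ldap-search-bind-dn": SVC_DN,
    "ldap-search-bind-password": "svc-secret",
}


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies below it (DNs compare case-insensitively)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


@dataclass
class Directory:
    entries: dict    # dn -> attributes; multi-valued attributes are lists
    passwords: dict  # dn -> password for principals that may bind
    acl: dict        # dn -> {"allow": [subtree DNs], "deny": [subtree DNs]}

    def bind(self, dn: str, password: str) -> str:
        if self.passwords.get(dn) != password:
            raise PermissionError(f"bind as {dn} failed")
        return dn

    def search(self, bound_dn: str, base: str, match) -> list:
        """Entries under base that bound_dn may read and that satisfy match(attrs)."""
        rules = self.acl.get(bound_dn, {"allow": [], "deny": []})
        result = []
        for dn, attrs in self.entries.items():
            if not in_subtree(dn, base):
                continue
            allowed = any(in_subtree(dn, a) for a in rules["allow"])
            denied = any(in_subtree(dn, d) for d in rules["deny"])
            if allowed and not denied and match(attrs):
                result.append((dn, attrs))
        return result


def guacamole_login(d: Directory, props: dict, username: str, password: str):
    """Return (group DNs, {connection name: protocol}) as the extension resolves them."""
    # Stage 1: the search account only translates the username into a DN.
    svc = d.bind(props["ldap-search-bind-dn"], props["ldap-search-bind-password"])
    attr = props["ldap-username-attribute"]
    hits = d.search(svc, props["ldap-user-base-dn"], lambda e: e.get(attr) == username)
    if len(hits) != 1:
        raise PermissionError("username not found, or not unique, under ldap-user-base-dn")
    user_dn = hits[0][0]

    # Stage 2: rebind as the user; every query from here on runs with *their* rights.
    d.bind(user_dn, password)
    groups = [dn for dn, e in d.search(
        user_dn, props["ldap-group-base-dn"],
        lambda e: "group" in e["objectClass"] and user_dn in e.get("member", []))]
    principals = {user_dn, *groups}
    configs = {e["cn"]: e["guacConfigProtocol"] for _, e in d.search(
        user_dn, props["ldap-config-base-dn"],
        lambda e: "guacConfigGroup" in e["objectClass"]
        and principals & set(e.get("member", [])))}
    return groups, configs


def build_directory(user_may_read_guac: bool) -> Directory:
    """Constructed directory; the service account can read OU=Accounts only."""
    entries = {
        SVC_DN: {"objectClass": ["user"], "sAMAccountName": "sssd", "cn": "sssd"},
        ALICE_DN: {"objectClass": ["user"], "sAMAccountName": "alice", "cn": "Alice"},
        GROUP_DN: {"objectClass": ["group"], "cn": "guac-users", "member": [ALICE_DN]},
        CONFIG_DN: {"objectClass": ["guacConfigGroup"], "cn": "jumphost",
                    "guacConfigProtocol": "ssh", "member": [GROUP_DN]},
    }
    passwords = {SVC_DN: "svc-secret", ALICE_DN: "alice-pw"}
    acl = {
        SVC_DN: {"allow": [PROPS["ldap-user-base-dn"]], "deny": []},
        ALICE_DN: {"allow": [BASE],
                   "deny": [] if user_may_read_guac else [PROPS["ldap-config-base-dn"]]},
    }
    return Directory(entries, passwords, acl)


def connections_for(username: str, password: str, user_may_read_guac: bool) -> dict:
    """Connections the user ends up with; empty when they cannot read OU=guac."""
    _, configs = guacamole_login(build_directory(user_may_read_guac), PROPS, username, password)
    return configs
```

Note that the service account in this model cannot read OU=guac at all, yet the user still sees the connection once their own permissions allow it, and sees nothing when they do not, while the login itself succeeds either way; that is the symptom in the thread. The membership matching here is simplified to a `member` attribute naming the user or one of their groups. Against a real AD the equivalent check is an ldapsearch bound as the user's own DN and password, with `ldap-config-base-dn` as the search base.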