Hi, I ran the (manual) ldap searches as the user who is logging in – and can see the guacConfigGroup returned.
The search being a group search would make sense given it does not include the OU=guac.

Thanks
Antony

From: Nick Couchman [mailto:[email protected]]
Sent: Tuesday, 2 July 2019 11:48 AM
To: [email protected]
Subject: Re: Issue with LDAP stored sessions

On Mon, Jul 1, 2019 at 9:36 PM Wuth, Antony <[email protected]> wrote:
> Hi,
> Ldap-base-config-dn is set, properties below. I'm using AD hence the bind details.
>
> Thanks
> Antony
> --
> guacd-hostname: localhost
> guacd-port: 4822
>
> #auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
> # Auth provider class
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> # LDAP properties
> ldap-hostname: 10.x.x.x
> ldap-port: 389
> ldap-user-base-dn: OU=Accounts,DC=xx,DC=xxx,DC=com
> ldap-username-attribute: sAMAccountName
> ldap-config-base-dn: OU=guac,OU=Groups,DC=xx,DC=xxx,DC=com
> ldap-group-base-dn: OU=Groups,DC=xx,DC=xxx,DC=com

Based on these two lines, I would say the query you posted previously from the debug logs is not for configurations, but for user groups.

> ldap-search-bind-dn: CN=sssd,OU=Service,OU=Accounts,dc=xx,dc=xxx,dc=com
> ldap-search-bind-password: xxx

Does the user who is *logging in* have access to the "OU=guac,OU=Groups,DC=xx,DC=xxx,DC=com" OU? The LDAP module relies upon LDAP security, so even though you have the ldap-search-bind-dn and -password parameters specified, this will *only* ever be used to locate the DN of the user who is attempting to log in. As soon as that user is located, the module re-binds with the user DN and the password they specified, and all subsequent queries (including user groups and configurations) take place with that bind DN. Thus, the user who is logging in must have access to the location where the configurations are stored (ou=guac,ou=Groups).

-Nick
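The two-bind sequence Nick describes, reproduced by hand with the OpenLDAP ldapsearch client so the result can be compared with what the module sees. This is an added example, not code from the thread or from Guacamole. The environment variable names, the password-file path and the default values (which mirror the redacted properties quoted above) are this script's own assumptions; the attribute names guacConfigProtocol and guacConfigParameter come from Guacamole's published LDAP schema rather than from this thread.

```sh
#!/bin/sh
# Reproduce the two binds the Guacamole LDAP module performs:
#   1. bind as ldap-search-bind-dn ONLY to locate the user's DN;
#   2. re-bind AS THAT USER and read the connection configurations.
# Added example, not Guacamole code. Requires the OpenLDAP ldapsearch client.
# Variable names and defaults are assumptions mirroring the thread's properties.
set -u

LDAP_URI="${LDAP_URI:-ldap://10.x.x.x:389}"
USER_BASE_DN="${USER_BASE_DN:-OU=Accounts,DC=xx,DC=xxx,DC=com}"
USERNAME_ATTR="${USERNAME_ATTR:-sAMAccountName}"
CONFIG_BASE_DN="${CONFIG_BASE_DN:-OU=guac,OU=Groups,DC=xx,DC=xxx,DC=com}"
SEARCH_BIND_DN="${SEARCH_BIND_DN:-CN=sssd,OU=Service,OU=Accounts,DC=xx,DC=xxx,DC=com}"
# The search account's password is read from a file (ldapsearch -y) so it does
# not show up in process listings. Path is an assumption.
SEARCH_PASSFILE="${SEARCH_PASSFILE:-/etc/guac/search.pw}"

# Escape a value before embedding it in an LDAP filter (RFC 4515), so a login
# name such as "*" or "x)(objectClass=*" cannot widen the search.
escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Step 1: what ldap-search-bind-dn is used for: resolving the login name to a DN.
# Note: a DN containing non-ASCII is returned base64-encoded as "dn::" and would
# need decoding; this helper handles the plain "dn:" case.
find_user_dn() {
    filter="(${USERNAME_ATTR}=$(escape_filter "$1"))"
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" \
        -D "$SEARCH_BIND_DN" -y "$SEARCH_PASSFILE" \
        -b "$USER_BASE_DN" -s sub "$filter" dn | sed -n 's/^dn: //p'
}

# Step 2: what the module does next: bind as the resolved user (password is
# prompted for with -W) and search the config base DN. Zero results here, while
# the same search bound as SEARCH_BIND_DN does return guacConfigGroup entries,
# means the user lacks read access to CONFIG_BASE_DN.
list_configs_as_user() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" \
        -D "$1" -W \
        -b "$CONFIG_BASE_DN" -s sub '(objectClass=guacConfigGroup)' \
        cn guacConfigProtocol guacConfigParameter
}

main() {
    user_dn="$(find_user_dn "$1")"
    if [ -z "$user_dn" ]; then
        echo "no entry for '$1' under $USER_BASE_DN (check search bind DN/password and user base DN)" >&2
        return 1
    fi
    echo "resolved '$1' -> $user_dn" >&2
    list_configs_as_user "$user_dn"
}

# Usage: ./guac_ldap_check.sh <login name>
if [ "$#" -eq 1 ]; then
    main "$1"
fi
```

Reading the outcome: if step 1 returns no DN, the problem is the search bind or ldap-user-base-dn, which the debug log would already show. If step 1 resolves the user but step 2 returns nothing (or "Insufficient access"), run the step 2 search once more with `-D "$SEARCH_BIND_DN" -y "$SEARCH_PASSFILE"` instead of the user's credentials; a difference between the two result sets is an ACL on the config OU, not a Guacamole setting, since the module performs that query as the user and never as the search account.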
