I fear the ldap module may be incompatible with our AD structure. I reference the following:
https://www.reddit.com/r/sysadmin/comments/61tct8/apache_guacamole_and_active_directory/dldkibg/
https://issues.apache.org/jira/browse/GUACAMOLE-243

When the ldap-user-base-dn is the root of the domain, or the bind user is in a different OU than the ldap-user-base-dn, the ldap plugin seems to have issues. Our domain is structured like this:

    DC=AD,DC=DOMAIN,DC=org
    |--OU=Office1
    |   |--OU=Users
    |--OU=Office2
    |   |--OU=Users
    |       |--CN=username
    |--OU=Office3
    |   |--OU=Users
    |--OU=ServiceAccounts
        |--CN=svcLDAPLookup

This cannot be changed, but means the bind dn must be the root of our domain. I have the native install working, and the guacamole.properties file is the following:

    #LDAP/AD Properties
    ldap-hostname: 10.1.10.3
    ldap-port: 389
    ldap-user-base-dn: DC=AD,DC=DOMAIN,DC=org
    ldap-search-bind-dn: CN=svcLDAPLookup,OU=ServiceAccounts,DC=AD,DC=DOMAIN,DC=org
    ldap-search-bind-password: ********
    ldap-username-attribute: cn
    ldap-follow-referrals: true

This results in the following errors, which are DIFFERENT than the "referrals disabled" error from above:

    ERROR o.a.g.auth.ldap.ObjectQueryService - Could not follow referral: null
    ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Unable to query list of objects from LDAP directory.
    WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.1.18.39 for user "username" failed.

Somehow a null referral is being sent, and thus the plugin cannot follow it. The only reference to this I can find is this ticket seeking to DISABLE referral following:

https://mail-archives.apache.org/mod_mbox/guacamole-issues/201904.mbox/%3cjira.13210013.1547674443000.160567.1556478180...@atlassian.jira%3E

I am starting to believe our configuration is incompatible with the ldap plugin, unless I'm missing something.
