On Fri, Aug 9, 2019 at 6:56 PM surfrock66 <[email protected]> wrote:
> Sorry for constant messages, but we have a working test case...when we
> target an OU outside the root. Referencing the above OU layout:

No worries at all - that's part of the process :-).

> #LDAP/AD Properties
> ldap-hostname: 10.1.10.3
> ldap-port: 389
> ldap-user-base-dn: OU=Office2,DC=AD,DC=DOMAIN,DC=org
> ldap-search-bind-dn: CN=svcLDAPLookup,OU=Service Accounts,DC=AD,DC=DOMAIN,DC=org
> ldap-search-bind-password: ********
> ldap-follow-referrals: true
> ldap-username-attribute: SAMAccountName

What happens when you put the user base DN to the root, but set "ldap-follow-referrals" to "false"?

> The user being tested is in an OU below the referenced base DN, so
> traversing works, since anonymous binding is disabled the search user is
> working, but if we change the base DN to hit the root of the domain and not
> an OU, we get a null referral error.
>
> I see nothing in my research about what in my AD might be causing a null
> referral and instead see it as an issue in general with targeting root
> domains, but this seems pretty DOA for our org.

This is a peculiarity of Active Directory - the "Global Catalog" work-around (port 3268) is a well-known work-around for accessing AD information via LDAP, and not just with Guacamole. But disabling referral following should take care of the issue.

-Nick
