On Mon, Feb 24, 2020, 19:52 Fabio Corsi <[email protected]> wrote:
> Hi,
>
> I’ve a fresh install of Guacamole 1.1.0 on Ubuntu 18.0.4 Server.
>
> I have the LDAP extension installed (along with the MySQL one) and I’ve
> defined connections directly into LDAP.
> Everything works just fine, users are authenticated and are allowed the
> proper connections, however I would like to allow only users MemberOf
> one LDAP group (e.g. guacusers) to log in to my Guacamole site.
> I’m using ldap-user-search-filter, but it does not seem to work. As of
> now any active user in my LDAP directory can log in to the Guacamole
> site.
> No connections are displayed for the users that I would like to disallow,
> but nevertheless they can still log in...
>
> This is the LDAP configuration in my guacamole.properties
>
> # LDAP properties
> ldap-hostname: configserver.my.domain
> ldap-port: 389
> ldap-user-base-dn: ou=users,dc=my,dc=domain
> ldap-username-attribute: uid
> ldap-user-search-filter: (memberof=cn=guacusers,ou=users,dc=my,dc=domain)
> ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
> ldap-group-base-dn: ou=groups,dc=my,dc=domain
>
>
> And I have previously used this same configuration some time back when I
> was testing version 0.9.14 and it seemed to be working...
>
>
> Note that if I run the same filter on my LDAP server, e.g.:
>
> ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub
> "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
>
> I get the expected result….
>
> I’ve also tried adding other specifiers to the filter, like
>
> &(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
>
>
> they all work when I query the LDAP server with ldapsearch, but don’t
> seem to have any effect when I use them in Guacamole.
>

What LDAP server is being used?

- Mike
