We're using OpenLDAP (libldap-2.4-2:amd64) on a separate Ubuntu 18.04 installation.

Many thanks,
Fabio

> On Feb 24, 2020, at 22:57, Mike Jumper <[email protected]> wrote:
>
> On Mon, Feb 24, 2020, 19:52 Fabio Corsi <[email protected]> wrote:
> Hi,
>
> I’ve a fresh install of Guacamole 1.1.0 on Ubuntu 18.0.4 Server.
>
> I have the LDAP extension installed (along with the MySQL one) and I’ve defined connections directly into LDAP.
> Everything works just fine, users are authenticated and are allowed the proper connections, however I would like to allow only users MemberOf one LDAP group (e.g. guacusers) to log in to my Guacamole site.
> I’m using ldap-user-search-filter, but it does not seem to work. As of now any active users in my LDAP directory can log in to the Guacamole site.
> No connections are displayed for the users that I would like to disallow, but nevertheless they can still log in...
>
> This is the LDAP configuration in my guacamole.properties
>
> # LDAP properties
> ldap-hostname: configserver.my.domain
> ldap-port: 389
> ldap-user-base-dn: ou=users,dc=my,dc=domain
> ldap-username-attribute: uid
> ldap-user-search-filter: (memberof=cn=guacusers,ou=users,dc=my,dc=domain)
> ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
> ldap-group-base-dn: ou=groups,dc=my,dc=domain
>
> And I have previously used this same configuration some time back when I was testing version 0.9.14 and it seemed to be working...
>
> Note that if I run the same filter on my LDAP server, e.g.:
> ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
> I get the expected result….
>
> I’ve also tried adding other specifiers to the filter, like
> (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
>
> they all work when I query the LDAP server with ldapsearch, but don’t seem to have any effect when I use them in Guacamole.
>
> What LDAP server is being used?
>
> - Mike
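
A consistency check over the values posted in this message, as an added example that is not part of the thread or of Guacamole: it extracts the group DN from each memberOf assertion and reports any that do not sit under ldap-group-base-dn, and any that differ between the guacamole.properties filter and the filter tested with ldapsearch. The function names are hypothetical, the "group DN should live under the group base" rule is an assumption of this lint, and DN parsing assumes no escaped commas.

```python
import re

# Properties as posted in the message above.
POSTED_PROPERTIES = """\
# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid
ldap-user-search-filter: (memberof=cn=guacusers,ou=users,dc=my,dc=domain)
ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain
"""
# Filter passed to ldapsearch in the same message.
LDAPSEARCH_FILTER = "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"

def parse_properties(text):
    """Parse 'key: value' lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            props[key.strip()] = value.strip()
    return props

def rdns(dn):
    """Split a DN into normalized RDNs (assumption: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def member_of_dns(ldap_filter):
    """Return every group DN referenced by a memberOf assertion."""
    return re.findall(r"\(memberof=([^()]+)\)", ldap_filter, flags=re.I)

def groups_outside_base(ldap_filter, group_base_dn):
    """Group DNs in the filter that are not located under group_base_dn."""
    base = rdns(group_base_dn)
    return [dn for dn in member_of_dns(ldap_filter)
            if len(rdns(dn)) <= len(base) or rdns(dn)[-len(base):] != base]

def compare_filters(a, b):
    """memberOf DNs present in one filter but not in the other."""
    return sorted({",".join(rdns(d)) for d in member_of_dns(a)}
                  ^ {",".join(rdns(d)) for d in member_of_dns(b)})

if __name__ == "__main__":
    props = parse_properties(POSTED_PROPERTIES)
    flt = props["ldap-user-search-filter"]
    print("outside group base:", groups_outside_base(flt, props["ldap-group-base-dn"]))
    print("differs from ldapsearch test:", compare_filters(flt, LDAPSEARCH_FILTER))
```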
