Hi all,
Does anyone know how many users can log in through Guacamole simultaneously?
What are the bottlenecks?
Thank you,
Stewart Alexander
------ Original Message ------
From: "Fabio Corsi" <[email protected]>
To: [email protected]
Sent: 3/2/2020 5:01:07 PM
Subject: Re: ldap-user-search-filter problem
Hi,
I was wondering if anyone could provide some insight on this issue.
To recap my previous message: I have an ldap-user-search-filter set to
(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))
however any valid LDAP user is allowed to log in on the Guacamole web page.
My configuration: Guacamole 1.1.0, Ubuntu 18.04, openLDAP
(libldap-2.4-2:amd64) on a separate Ubuntu 18.04 VM.
Since my first message I've done some additional investigation into the problem.
By looking at the logs on my LDAP server I can see that the filters are
passed on to the LDAP server and they do return the correct number of
entries.
There are a couple of things that seem strange to me:
- Not sure why the (|(uid=*)) clause is added to the main group filter defined in my configuration.
- For the user in the guacusers group, the seeAlso seems to expand to all the objects of class groupOfNames in my directory.
Here are the log entries for the user that is in the guacusers group:
slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422 (IP=0.0.0.0:389)
slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9470 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
slapd[904]: conn=9470 fd=48 closed (connection lost)
slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 (IP=0.0.0.0:389)
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
slapd[904]: conn=9471 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 text=
slapd[904]: conn=9471 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0 filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)(seeAlso=cn=group1,ou=groups,dc=my,dc=domain)(seeAlso=cn=group2,ou=groups,dc=my,dc=domain)(seeAlso=cn=group3,ou=groups,dc=my,dc=domain)(seeAlso=cn=group4,ou=groups,dc=my,dc=domain)(seeAlso=cn=guacusers,ou=groups,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
And for the user that is not in the guacusers group:
slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 (IP=0.0.0.0:389)
slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9478 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9478 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9478 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[904]: conn=9478 fd=88 closed (connection lost)
slapd[904]: conn=9479 fd=88 ACCEPT from IP=10.16.33.12:52432 (IP=0.0.0.0:389)
slapd[904]: conn=9479 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9479 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9479 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9479 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9479 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
slapd[904]: conn=9479 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9479 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
slapd[904]: conn=9479 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[904]: conn=9479 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0 filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
And this is my full configuration file:
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
#skip-if-unavailable: mysql, ldap
api-session-timeout: 15
# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid
ldap-user-search-filter: (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: MySecret
Thanks,
Fabio
On Feb 25, 2020, at 10:46, Fabio Corsi
<[email protected]> wrote:
We're using openLDAP (libldap-2.4-2:amd64) on a separate Ubuntu 18.04
installation.
Many thanks,
Fabio
On Feb 24, 2020, at 22:57, Mike Jumper <[email protected]> wrote:
On Mon, Feb 24, 2020, 19:52 Fabio Corsi
<[email protected]> wrote:
Hi,
I’ve a fresh install of Guacamole 1.1.0 on Ubuntu 18.0.4 Server.
I have the LDAP extension installed (along with the MySQL one) and
I’ve defined connections directly into LDAP.
Everything works just fine, users are authenticated and are allowed
the proper connections, however I would like to allow only users that
are memberOf one LDAP group (e.g. guacusers) to log in to my Guacamole
site.
I'm using ldap-user-search-filter, but it does not seem to work. As
of now any active user in my LDAP directory can log in to the
Guacamole site.
No connections are displayed for the users that I would like to
disallow, but nevertheless they can still log in...
This is the LDAP configuration in my guacamole.properties:
# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid
ldap-user-search-filter: (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))
ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain
And I have previously used this same configuration some time back
when I was testing version 0.9.14 and it seemed to be working...
Note that if I run the same filter on my LDAP server, e.g.:
ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
I get the expected result...
I’ve also tried adding other specifiers to the filter, like
(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)
they all work when I query the LDAP server with ldapsearch, but
don’t seem to have any effect when I use them in Guacamole.
What LDAP server is being used?
- Mike
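A defender-side check for the pattern visible in the slapd logs quoted earlier in this thread (added here as an example; it is not code from the thread or from the Guacamole project): the user's own BIND succeeds (RESULT tag=97 err=0) while the later group search for member=<that DN> returns nentries=0, which is exactly what conn=9479 shows for user_not_in_guacusers. The sample log lines are constructed in the same format as the quoted ones, and the function and regex names are my own.

```python
import re

# Constructed sample lines modelled on the slapd entries quoted above:
# a successful member, an authenticated non-member and a failed bind.
SAMPLE_LOG = """\
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 text=
slapd[904]: conn=9479 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9479 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9479 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[904]: conn=9480 op=0 BIND dn="uid=badpass,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9480 op=0 RESULT tag=97 err=49 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="([^"]*)"')
SRCH_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')


def find_authenticated_nonmembers(log_text):
    """Return bound DNs whose BIND succeeded (err=0) but whose group search
    (a filter containing member=<their own DN>) returned zero entries:
    users who authenticated although they match no group at all."""
    bound = {}                   # conn -> DN given in the BIND request
    bind_ok = set()              # conns whose BIND RESULT was err=0
    member_search = set()        # (conn, op) of searches testing member=<bound DN>
    empty_member_search = set()  # conns where such a search returned nentries=0
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bound[m[1]] = m[3]
        elif m := RESULT_RE.search(line):
            if m[3] == "0":
                bind_ok.add(m[1])
        elif m := SRCH_RE.search(line):
            dn = bound.get(m[1], "")
            if dn and f"member={dn}".lower() in m[3].lower():
                member_search.add((m[1], m[2]))
        elif m := SRCH_RESULT_RE.search(line):
            if (m[1], m[2]) in member_search and m[3] == "0":
                empty_member_search.add(m[1])
    return sorted(bound[c] for c in bind_ok & empty_member_search)


if __name__ == "__main__":
    for dn in find_authenticated_nonmembers(SAMPLE_LOG):
        print("authenticated but in no group:", dn)
```

Run against a real slapd log (loglevel stats), any DN it reports is a user who got past the bind even though the configured group filter should have excluded them, so it is a quick way to confirm whether a search filter is actually gating authentication.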