Hi Marcus,

Please note this is AADDS, not Azure AD. It’s a different service where you can 
actually use Azure AD as an LDAP(S) source: 
https://azure.microsoft.com/en-us/services/active-directory-ds/
What this gets you is essentially a restricted “traditional” AD with two DC’s 
that are managed by Azure (you can connect with RSAT to it, but fairly limited 
capabilities).

Also note this will only work with tenant users, not guests (e.g. external 
users invited in your tenant).

The setup I had to do to get this going was this:
- new VNET for Guacamole and Windows VMs
- VNET peering between the VNET AADDS creates and the VNET used for Guacamole 
and the Windows VMs
- overwrite DNS settings in your Guacamole/Windows VMs to use your two DCs' 
IPs as resolvers (so you can do AD join on the VMs and have proper name 
resolution)
- disable strict secure LDAP (probably not that wise, I was a bit lazy here).

All my Guacamole connections have the domain pre-filled to use the AADDS domain 
configured on the tenant.

Hope this helps.

Bogdan
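The quoted thread below runs the LDAP bind over plaintext port 389 (`ldap-encryption-method: none`), and the setup notes above mention disabling strict secure LDAP. As an added illustration (not configuration from this thread or from the Guacamole project), here is that weak `guacamole.properties` fragment beside a hardened equivalent that uses AADDS secure LDAP; `ldaps.example.invalid` is a placeholder for whatever name is on the secure LDAP certificate you uploaded to AADDS, and the DN values are the same placeholders used in the thread.

```properties
# Constructed example: the settings as posted, then a hardened equivalent.

# --- As posted: plaintext LDAP on 389 ---
# ldap-hostname: 10.0.1.4
# ldap-port: 389
# ldap-encryption-method: none
# With this, the search-bind password and every user's password cross the
# VNET in cleartext between the Guacamole host and the managed DC.

# --- Hardened: AADDS secure LDAP (LDAPS) on 636 ---
# The hostname must match the subject of the certificate configured for
# secure LDAP in AADDS, and must resolve through the DC resolvers set on the
# Guacamole VM; an IP address here will fail certificate validation.
ldap-hostname: ldaps.example.invalid
ldap-port: 636
ldap-encryption-method: ssl
ldap-user-base-dn: <full DN for users OU>
ldap-group-base-dn: <full DN for groups OU>
ldap-search-bind-dn: <full DN for bind user>
ldap-search-bind-password: <bind user password>
ldap-username-attribute: sAMAccountName
```

The issuer of the secure LDAP certificate has to be trusted by the Java runtime that Tomcat uses; if it is a private CA, import it into that JVM's truststore before switching the encryption method, otherwise every bind fails with a certificate error rather than the generic "Authentication attempt ... failed" line.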

> On 10 Mar 2020, at 23:20, Marcus Adams <[email protected]> wrote:
> 
> Hi Stefan
> Whilst I can't help with your issue do you mind sharing your setup steps to 
> get AzureAd working as your LDAP source - as that's my next big challenge
> 
> Regards
> Marcus
> 
> 
> 
> On Tue, 10 Mar 2020 at 21:16, Stefan Bogdan Cimpeanu <[email protected]> wrote:
> Hello all,
> 
> I’m using Azure Active Directory Domain Services as my ldap source for 
> Guacamole. The main use is for RDP with domain joined machines.
> I sometimes experience two (I think related) issues:
> - some of the user accounts are not able to login to guacamole even though 
> supplied user/password are correct (the user can RDP to the VM directly, but 
> not login to guacamole). Errors in the logs don’t say much except "Authentication 
> attempt from [ IP ] for user xxxx failed"
> - sometimes it takes a few hours or even a server restart to see newly created 
> AADDS users in guacamole
> 
> Is there a way I can “force” an ldap sync so that users are added to 
> guacamole?
> 
> I’m using a hybrid setup with ldap and mysql for authentication. I did not 
> modify the LDAP schema in any way.
> My ldap settings:
> 
> ldap-hostname: 10.0.1.4
> ldap-port: 389
> ldap-user-base-dn: <full DN for users OU>
> ldap-group-base-dn: <full DN for groups OU>
> ldap-search-bind-dn: < full DN for bind user>
> ldap-search-bind-password: <bind user password>
> ldap-username-attribute: sAMAccountName
> ldap-encryption-method: none
> 
> Regards,
> Bogdan 
> 
