Hello Mike,
I understand your point about no caching.
About debugging, yes I have, and it gives me something like:
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
My guess is that indeed the LDAP is not in a consistent state at that point.
Thanks!
Bogdan
> On 10 Mar 2020, at 23:30, Mike Jumper <[email protected]> wrote:
>
> On Tue, Mar 10, 2020, 14:16 Stefan Bogdan Cimpeanu <[email protected]> wrote:
> Hello all,
>
> I’m using Azure Active Directory Domain Services as my ldap source for
> Guacamole. The main use is for RDP with domain joined machines.
> I sometimes experience two (I think related) issues:
> - some of the user accounts are not able to log in to guacamole even though
> the supplied user/password are correct (the user can RDP to the VM directly, but
> not log in to guacamole). Errors in the logs don't say much except "Authentication
> attempt from [ IP ] for user xxxx failed"
> - sometimes it takes a few hours or even a server restart to see newly created
> AADDS users in guacamole
>
> Is there a way I can “force” an ldap sync so that users are added to
> guacamole?
>
> There is no sync. When using LDAP, Guacamole authenticates against LDAP
> directly. The relevant users and groups do not need to exist in the database
> except where you are granting those users/groups permissions for connections
> stored on the database, however the web interface is organized such that
> attempting to do so would result in their creation.
>
> If you are seeing inconsistencies in whether users/groups exist, I don't
> believe that inconsistency would be on the Guacamole side. There's no cache
> between sessions, nothing stored from LDAP. Data from LDAP is queried
> directly as needed. It may be that the LDAP server takes time to become
> consistent, and that the correlation with server restarts is a coincidence.
>
> Regarding the login failures, have you tried enabling debug-level logging
> for the webapp?
>
> - Mike
>
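Mike's point that Guacamole "authenticates against LDAP directly" means every login is one LDAP simple bind, and the debug output Bogdan quotes (`INVALID_CREDENTIALS`, empty matched DN) is just the decoded `BindResponse` the directory sent back. The following is an added example, not part of this thread and not Guacamole's or Azure AD DS's own code: a standard-library-only encoder and decoder for the RFC 4511 `BindRequest`/`BindResponse` pair, so the two messages can be inspected offline. The DN, password, message IDs and diagnostic text are constructed values.

```python
"""
Minimal LDAP v3 simple-bind encoder/decoder (RFC 4511 BindRequest/BindResponse),
standard library only so it runs offline. All bytes built here are constructed
for illustration; the DN, password and diagnostic text are made-up values.
"""

# BER tags used by the two LDAP operations below
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
SIMPLE_AUTH = 0x80                          # AuthenticationChoice: simple [0] OCTET STRING
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61    # [APPLICATION 0] / [APPLICATION 1]

# LDAPResult codes a failed bind commonly returns (RFC 4511 appendix A)
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def ber_len(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value wrapper."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int, tag: int = INTEGER) -> bytes:
    """Two's-complement INTEGER or ENUMERATED in the fewest bytes."""
    size = max(1, (n.bit_length() + 8) // 8)
    return tlv(tag, n.to_bytes(size, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """Client side: the simple bind one login attempt sends to the directory."""
    op = ber_int(3) + tlv(OCTET_STRING, bind_dn.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_REQUEST, op))


def bind_response(message_id: int, result_code: int, matched_dn: str = "", diagnostic: str = "") -> bytes:
    """Server side: LDAPResult { resultCode, matchedDN, diagnosticMessage }."""
    result = (ber_int(result_code, ENUMERATED)
              + tlv(OCTET_STRING, matched_dn.encode())
              + tlv(OCTET_STRING, diagnostic.encode()))
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_RESPONSE, result))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(data: bytes) -> dict:
    """Decode a BindRequest or BindResponse into a dict suitable for logging."""
    tag, msg, _ = read_tlv(data)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    out = {"message_id": int.from_bytes(mid, "big", signed=True)}
    if tag == BIND_REQUEST:
        _, ver, p = read_tlv(op)
        _, dn, p = read_tlv(op, p)
        auth_tag, cred, _ = read_tlv(op, p)
        out.update(op="bindRequest", version=ver[0], name=dn.decode(),
                   auth="simple" if auth_tag == SIMPLE_AUTH else "sasl",
                   password_len=len(cred))  # record length only, never the credential
    elif tag == BIND_RESPONSE:
        _, code, p = read_tlv(op)
        _, matched, p = read_tlv(op, p)
        _, diag, _ = read_tlv(op, p)
        rc = int.from_bytes(code, "big", signed=True)
        out.update(op="bindResponse", result_code=rc,
                   result=RESULT_CODES.get(rc, f"unknown({rc})"),
                   matched_dn=matched.decode(), diagnostic=diag.decode())
    else:
        raise ValueError(f"unsupported protocolOp tag 0x{tag:02x}")
    return out


if __name__ == "__main__":
    req = bind_request(1, "cn=bob,ou=users,dc=example,dc=com", "not-a-real-password")
    print(parse_ldap_message(req))
    # A failed bind: matchedDN is normally empty, and Active Directory adds a
    # "data NNN" sub-code to diagnosticMessage (52e bad password, 775 locked out,
    # 533 disabled, 532 password expired) that is worth keeping in the debug log.
    resp = bind_response(1, 49, "", "constructed diagnostic text ... data 52e")
    print(parse_ldap_message(resp))
```

The decoder deliberately reports only the password length from a captured request; the useful signal when triaging "INVALID_CREDENTIALS" is the server's `diagnosticMessage`, which Active Directory populates with a sub-code that separates a wrong password from a locked, disabled or expired account, and that distinction is what tells you whether the directory or the user is the problem.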