See responses inline...

On Wed, Apr 29, 2020 at 8:55 AM Fabio Corsi <
fabio1299.discussionli...@gmail.com> wrote:

> Hi Nick,
>
> Sorry for my previous emails that kept sending before I was done… didn’t
> have access to my computer yesterday.
>
> My configuration is a bit different as I’m using openLDAP 
> (libldap-2.4-2:amd64)
> on Ubuntu 18.04.
>
> My LDAP configuration in my guacamole.properties is:
>
> # LDAP properties
> ldap-hostname: configserver.my.domain
> ldap-port: 389
> ldap-user-base-dn: ou=users,dc=my,dc=domain
> ldap-username-attribute: uid
> ldap-user-search-filter:
> (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
> ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
> ldap-group-base-dn: ou=groups,dc=my,dc=domain
>
>
> Which I’m expecting to allow login only to members of the group
> “guacusers”.
> However what I'm experiencing is that every user on my LDAP server is
> allowed to login, whether they are members of the guacusers group or not.
>
> I have previously used this same configuration when I was testing version
> 0.9.14 and it seemed to be working...
>
> I can use the same filter directly querying my LDAP server, e.g.:
>
> ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub
> "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
>
> And I get the expected result….
>
> I’ve also tried adding other specifiers to the filter, like
>
> (memberof=cn=guacusers,ou=users,dc=my,dc=domain)
>
>
> they all work when I query the LDAP server with ldapsearch, but don’t
> seem to have any effect when I use them in Guacamole.
>
> Here are the log entries on my LDAP server for a Guacamole access for a
> user (“user_in_guacusers”) that is in the guacusers group:
>
> slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422 (IP=
> 0.0.0.0:389)
> slapd[904]: conn=9470 op=0 BIND
> dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
> slapd[904]: conn=9470 op=0 BIND
> dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
>
>
I think the relevant entries might actually be *above* this, because at
this point it is already accepting the bind as the user, which means it has
already bound as the search user, done the search for the user who is
logging in, and successfully located the entry.


> slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=
> slapd[904]: conn=9470 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2
> deref=0
> filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
> slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
> slapd[904]: conn=9470 fd=48 closed (connection lost)
> slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 (IP=
> 0.0.0.0:389)
> slapd[904]: conn=9471 op=0 BIND
> dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
> slapd[904]: conn=9471 op=0 BIND
> dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
> slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
> slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2
> deref=0
> filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
> slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
> slapd[904]: conn=9471 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2
> deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
> slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
> slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2
> deref=0
> filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
> slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 text=
> slapd[904]: conn=9471 op=4 SRCH base="ou=guac_config,dc=my,dc=domain"
> scope=2 deref=0
> filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)(seeAlso=cn=
> group1,ou=groups,dc=my,dc=domain)(seeAlso=cn=group2
> ,ou=groups,dc=my,dc=domain)(seeAlso=cn=group3
> ,ou=groups,dc=my,dc=domain)(seeAlso=cn=group4
> ,ou=groups,dc=my,dc=domain)(seeAlso=cn=guacusers,ou=groups,dc=my,dc=domain)))"
> slapd[904]: conn=9471 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
>
> …and for the user (“user_not_in_guacusers”) that is not in the guacusers
> group:
>
> slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 (IP=
> 0.0.0.0:389)
> slapd[904]: conn=9478 op=0 BIND
> dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
> slapd[904]: conn=9478 op=0 BIND
> dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
>
>
Again, I think you need the log entries from slapd *above* this, because
the search has already succeeded, determined the user is okay, and is now
re-binding as that user.

-Nick
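To make the point above concrete, here is a small added helper (not part of the thread, not Guacamole's own code) that groups slapd log lines by connection so you can see, per connection, which DN was bound and which searches were run with what filter and how many entries came back. The sample lines are constructed from the ones quoted in this thread (same placeholder domain and IPs); run it against a full slapd log to find the earlier connection, bound as the search user, whose search against the user base decides whether a login is accepted.

```python
import re

# Constructed sample modelled on the slapd lines quoted in the thread above.
# Only the user-side connections are included on purpose: the search-user
# connection that actually authorises the login is what is missing here.
SAMPLE_LOG = """\
slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 (IP=0.0.0.0:389)
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
slapd[904]: conn=9471 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 (IP=0.0.0.0:389)
slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9478 op=0 RESULT tag=97 err=0 text=
"""

# One pattern per slapd message type we care about; group names are shared.
_PATTERNS = {
    "accept": re.compile(r'conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):(?P<port>\d+)'),
    "bind": re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'),
    "bind_result": re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)'),
    "search": re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
                         r'scope=(?P<scope>\d+) deref=\d+ filter="(?P<filter>[^"]*)"'),
    "search_result": re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT tag=101 '
                                r'err=(?P<err>\d+) nentries=(?P<n>\d+)'),
}


def parse_slapd(text):
    """Group slapd log lines by connection number.

    Returns {conn: {"peer": "ip:port", "ops": {op: {...}}}}. slapd logs a BIND
    twice (method=, then mech=) and reports results on a separate line, so
    lines for the same (conn, op) are merged into one dict.
    """
    conns = {}
    for line in text.splitlines():
        for kind, pat in _PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            d = m.groupdict()
            conn = conns.setdefault(int(d["conn"]), {"peer": None, "ops": {}})
            if kind == "accept":
                conn["peer"] = f'{d["ip"]}:{d["port"]}'
                break
            op = conn["ops"].setdefault(int(d["op"]), {})
            if kind == "bind":
                op.update(kind="BIND", dn=d["dn"])
            elif kind == "bind_result":
                op["err"] = int(d["err"])
            elif kind == "search":
                op.update(kind="SRCH", base=d["base"], scope=int(d["scope"]), filter=d["filter"])
            elif kind == "search_result":
                op.update(err=int(d["err"]), nentries=int(d["n"]))
            break
    return conns


def successful_binds(conns):
    """(conn, dn) for every simple bind slapd accepted (err=0), in connection order."""
    out = []
    for conn in sorted(conns):
        for opnum in sorted(conns[conn]["ops"]):
            op = conns[conn]["ops"][opnum]
            if op.get("kind") == "BIND" and op.get("err") == 0:
                out.append((conn, op["dn"]))
    return out


def searches_under(conns, base):
    """(conn, filter, nentries) for every search rooted at `base` (case-insensitive DN match)."""
    out = []
    for conn in sorted(conns):
        for opnum in sorted(conns[conn]["ops"]):
            op = conns[conn]["ops"][opnum]
            if op.get("kind") == "SRCH" and op.get("base", "").lower() == base.lower():
                out.append((conn, op["filter"], op.get("nentries")))
    return out


if __name__ == "__main__":
    conns = parse_slapd(SAMPLE_LOG)
    for conn, dn in successful_binds(conns):
        print(f"conn={conn} bound as {dn}")
    for conn, flt, n in searches_under(conns, "ou=users,dc=my,dc=domain"):
        print(f"conn={conn} user-base search returned {n} entries: {flt}")
```

On the sample, both user DNs bind successfully, and the only search against the user base is the user listing (`(|(uid=*))`) done after the bind; no connection in the excerpt searches for the specific user with the configured filter. That search happens on the earlier connection bound as the search user, which is the part of the log to look at.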
