Thanks Nick. Not sure what *above* would be in my case. Can you suggest what kind of information I should be looking for in my log file?
The two groups of entries I posted are consecutive in the log file and there are no entries in between the two sets. I only split them for clarity...

Thanks,
Fabio

> On May 3, 2020, at 8:41 AM, Nick Couchman <[email protected]> wrote:
>
> See responses inline...
>
>> On Wed, Apr 29, 2020 at 8:55 AM Fabio Corsi <[email protected]> wrote:
>> Hi Nick,
>>
>> Sorry for my previous emails that kept sending before I was done… didn’t have access to my computer yesterday.
>>
>> My configuration is a bit different as I’m using openLDAP (libldap-2.4-2:amd64) on Ubuntu 18.04.
>>
>> My LDAP configuration in my guacamole.properties is:
>>
>> # LDAP properties
>> ldap-hostname: configserver.my.domain
>> ldap-port: 389
>> ldap-user-base-dn: ou=users,dc=my,dc=domain
>> ldap-username-attribute: uid
>> ldap-user-search-filter: (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
>> ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
>> ldap-group-base-dn: ou=groups,dc=my,dc=domain
>>
>> Which I’m expecting to allow login only to members of the group “guacusers”. However, what I'm experiencing is that every user on my LDAP server is allowed to login, whether they are members of the guacusers group or not.
>>
>> I have previously used this same configuration when I was testing version 0.9.14 and it seemed to be working...
>>
>> I can use the same filter directly querying my LDAP server, e.g.:
>> ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
>> And I get the expected result….
>>
>> I’ve also tried adding other specifiers to the filter, like (memberof=cn=guacusers,ou=users,dc=my,dc=domain)
>>
>> they all work when I query the LDAP server with ldapsearch, but don’t seem to have any effect when I use them in Guacamole.
>>
>> Here are the log entries on my LDAP server for a Guacamole access for a user (“user_in_guacusers”) that is in the guacusers group:
>> slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422 (IP=0.0.0.0:389)
>> slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
>> slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
>
> I think the relevant entries might actually be *above* this, because at this point it is already accepting the bind as the user, which means it has already bound as the search user, done the search for the user who is logging in, and successfully located the entry.
>
>> slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=
>> slapd[904]: conn=9470 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
>> slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
>> slapd[904]: conn=9470 fd=48 closed (connection lost)
>> slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 (IP=0.0.0.0:389)
>> slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
>> slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
>> slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
>> slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
>> slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
>> slapd[904]: conn=9471 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
>> slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
>> slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
>> slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 text=
>> slapd[904]: conn=9471 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0 filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)(seeAlso=cn=group1,ou=groups,dc=my,dc=domain)(seeAlso=cn=group2,ou=groups,dc=my,dc=domain)(seeAlso=cn=group3,ou=groups,dc=my,dc=domain)(seeAlso=cn=group4,ou=groups,dc=my,dc=domain)(seeAlso=cn=guacusers,ou=groups,dc=my,dc=domain)))"
>> slapd[904]: conn=9471 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
>>
>> …and for the user (“user_not_in_guacusers”) that is not in the guacusers group:
>> slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 (IP=0.0.0.0:389)
>> slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
>> slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
>
> Again, I think you need the log entries from slapd *above* this, because the search has already succeeded, determined the user is okay, and is now re-binding as that user.
>
> -Nick
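One way to look for what Nick describes (a search that located the logging-in user's entry before the bind as that user) in a slapd log, as an added example that is not part of the thread: group entries by connection and flag any bind under the user base DN that no earlier search on that base looked up by uid. The sample lines are the thread's own entries, re-joined one per line and reduced to one connection per user; the user base DN is the one from Fabio's guacamole.properties.

```python
import re
from collections import defaultdict

# Constructed sample (not taken from a live server): the slapd entries quoted
# in the thread, reduced to one connection per user, one line per entry.
SAMPLE_LOG = """\
slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422 (IP=0.0.0.0:389)
slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9470 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 (IP=0.0.0.0:389)
slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9478 op=0 RESULT tag=97 err=0 text=
"""

VERB_RE = re.compile(r'\b(ACCEPT|BIND|SEARCH RESULT|RESULT|SRCH|closed)\b')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted

def parse_slapd(text):
    """Group slapd log lines by connection: {conn: [(op, verb, {field: value}), ...]}."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = re.search(r'conn=(\d+)(?: op=(\d+))? (.*)$', line)
        v = VERB_RE.search(m.group(3)) if m else None
        if not v:
            continue
        fields = {k: val.strip('"') for k, val in KV_RE.findall(m.group(3))}
        conns[int(m.group(1))].append((m.group(2), v.group(1), fields))
    return dict(conns)

def binds_without_user_lookup(conns, user_base):
    """Connections that bind as an entry under user_base although no earlier
    SRCH on user_base named that uid in its filter; per the thread, a login
    resolved via ldap-user-search-filter should show that lookup first."""
    looked_up = set()       # uids that some search filter on user_base asked for
    findings = {}
    for conn in sorted(conns):
        for _op, verb, f in conns[conn]:
            if verb == 'SRCH' and f.get('base', '').lower() == user_base.lower():
                looked_up.update(re.findall(r'\(uid=([^)*]+)\)', f.get('filter', '')))
            elif verb == 'BIND' and f.get('dn', '').lower().endswith(',' + user_base.lower()):
                uid = f['dn'].split(',', 1)[0].split('=', 1)[1]   # rdn value
                if uid not in looked_up:
                    findings.setdefault(conn, f['dn'])
    return sorted(findings.items())

if __name__ == '__main__':
    for conn, dn in binds_without_user_lookup(parse_slapd(SAMPLE_LOG), 'ou=users,dc=my,dc=domain'):
        print(f'conn={conn}: bound directly as {dn}, no preceding search for that uid')
```

A `(uid=*)` enumeration filter, as in the conn=9471 op=1 search, is deliberately not counted as a lookup of a specific user.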
