Just wanted to check in one last time to see if anyone has any thoughts on what might be wrong here.
From: Kevin Leigeb <[email protected]>
Sent: Wednesday, September 15, 2021 1:25 PM
To: [email protected]
Subject: RE: Dockerized Guac LDAP Config

Yes to the first question. I've additionally created a guacadmin AD account so that I can log in as myself or that account and still see the AD account listings. When I open the user or group page, I see two tabs on the top: one for LDAP, which shows a lock and tells me it can't be edited, and one for Postgres.

For the guac client, I'm running the latest tag of the image from Docker Hub, which I pulled again yesterday morning to make sure it was up to date. Happy to pin it to a specific tag if that might help.

From: Nick Couchman <[email protected]>
Sent: Wednesday, September 15, 2021 1:11 PM
To: [email protected]
Subject: Re: Dockerized Guac LDAP Config

On Mon, Sep 13, 2021 at 4:42 PM Kevin Leigeb <[email protected]> wrote:

> Hey All –
>
> I've been having a really rough go lately getting the LDAP configuration to work with Guacamole running in Docker Compose. I'm able to get users to successfully authenticate, but the group stuff and the connection between LDAP/Postgres seems to be the biggest sticking point for me.
>
> Perhaps I'm going about this the wrong way, but I've been attempting to set up LDAP to use some RBAC groups in our AD using the LDAP_USER_SEARCH_FILTER set to the following:
>
> (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--all,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--admins,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)))
>
> The idea here is to just get this working with two groups, admins and non-admins, for the time being. The user page populates with the members of these groups as expected, but the group page is a different story.
>
> Ideally I'd like the two groups above to be the only ones pulled from AD, but without an LDAP_GROUP_SEARCH_FILTER setting I'm having a hard time accomplishing this. If I set the group base DN to the OU of the two groups shown above, I see those groups, but none of the members of the groups are the actual members pulled from AD as expected. Regardless of nested membership or direct membership in that group, the membership appears empty and the only options to add users are those manually created in the UI (so they also exist in the Postgres DB).

When you set the configuration for the group search DN, and you're looking at the groups, are you doing so as a user that is part of your AD tree, that is logged in via LDAP? Also, can you confirm what version of Guacamole Client you're running?

-Nick
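As an added example, not code from this thread or from the Guacamole project, the following Python builds the same LDAP_USER_SEARCH_FILTER value quoted in the thread from a list of group DNs (the placeholder DNs and the AD matching-rule OIDs are the ones in the message), escapes assertion values per RFC 4515 so that a group name containing parentheses or asterisks cannot change the filter's structure, and sanity-checks that the result is balanced before it is pasted into the container environment. It also handles the single-group case, which needs no OR clause.

```python
# Constructed group DNs, copied from the thread's sanitised placeholders.
GUAC_GROUP_DNS = [
    "CN=guacamole_users--all,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello",
    "CN=guacamole_users--admins,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello",
]

# Active Directory matching-rule OIDs used in the thread's filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"    # bitwise AND on an integer attribute
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive (nested) group membership
UF_ACCOUNTDISABLE = 2  # userAccountControl bit that marks a disabled account


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515: '(', ')', '*', '\\' and NUL become \\XX
    hex escapes, so a DN or name cannot inject extra filter terms."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search_filter(group_dns) -> str:
    """Return an AD user filter matching enabled user objects that are direct or
    nested members of any DN in group_dns. One group needs no surrounding (|...)."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    member_terms = "".join(
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(dn)})"
        for dn in group_dns
    )
    membership = member_terms if len(group_dns) == 1 else f"(|{member_terms})"
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE}))"
        f"{membership})"
    )


def parens_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check: an unbalanced filter is rejected by the directory and
    typically shows up as an empty user or group listing after a config edit."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```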
