Hey Nick,
your tip with the different passwords was in fact the source of my first
problem so thank you very much for that! Would be useful if this were mentioned
in the "Associating LDAP with a Database" part in the Guacamole documentation.
For the second problem I've found out that my test system had olcAccess to * by
* read and my live system had not. I managed to fix the problem by adding
search rights for every user and read and selfread rights for every group a
user is a member of, like so:
  {3} to dn.children="ou=groups,dc=example,dc=com" attrs=member by dnattr=member selfread by * none
  {4} to dn.children="ou=groups,dc=example,dc=com" attrs=entry,objectClass,guacConfigGroup by dnattr=member read by * none
  {5} to * by * search
Thank you for your help and have a good day!
- Kai
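The three rules from the fix above, written as an ldapmodify LDIF against cn=config, with the ldapsearch check that confirms a group member can actually see the connection entries. This is an added example, not text from the thread; the database DN olcDatabase={1}mdb, the pre-existing rules {0}-{2}, the ldap.example.com host and the uid=kai bind DN are assumptions, and the attribute lists are taken exactly as posted.

```ldif
# Added example (not from the thread). Assumes the data backend is
# olcDatabase={1}mdb and already holds rules {0}-{2}; suffix and group
# OU are the example values used in the reply above.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# {3}: a member may read only its own value in the member attribute
# (selfread); nobody else gets the membership list at all.
olcAccess: {3}to dn.children="ou=groups,dc=example,dc=com"
  attrs=member
  by dnattr=member selfread
  by * none
# {4}: a member may read the group entry itself and the attributes listed
# in the reply; everyone else is denied.
olcAccess: {4}to dn.children="ou=groups,dc=example,dc=com"
  attrs=entry,objectClass,guacConfigGroup
  by dnattr=member read
  by * none
# {5}: catch-all granting search only, so the Guacamole bind can locate
# entries without reading attribute values. Keep it last: slapd applies
# the first <what> clause that matches the target entry.
olcAccess: {5}to * by * search

# Apply over the local socket as the slapd admin, then verify as an
# ordinary member (bind DN and host are placeholders):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f guac-acl.ldif
#   ldapsearch -H ldap://ldap.example.com \
#     -D "uid=kai,ou=users,dc=example,dc=com" -W \
#     -b "ou=groups,dc=example,dc=com" "(objectClass=guacConfigGroup)"
# The search must return the guacConfigGroup entries that user is a
# member of; an empty result reproduces the empty connection list.
```

The continuation lines start with two spaces on purpose: LDIF strips the first one when joining a folded value, the second keeps the tokens separated.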
________________________________
From: Nick Couchman <[email protected]>
Sent: Wednesday, 10 August 2022 16:39:28
To: [email protected]
Subject: Re: Guacamole LDAP Connection Problems
On Wed, Aug 10, 2022 at 4:21 AM Horn, Kai <[email protected]> wrote:
>
> So I've set up a guacamole server to connect to lxc containers running debian
> 11 uis' via rdp. The authentication is handled by mysql and LDAP.
>
> Now I've run into two problems:
>
> (not critical)
>
> I'm unable to associate the LDAP database with the mysql database. If I've got
> a user that is present within LDAP and mysql database and is a guacamole
> admin and an LDAP admin it only logs this user in as mysql user but doesn't show
> the ldap users (if I check the user settings within the guacamole web-ui
> there isn't a LDAP tab).
>
Make sure that when you are logging in with the user that exists in
both places, you are logging in with the user's LDAP password, and
that the MySQL password for the user is *NOT* set to the same thing as
the LDAP password. If the passwords are the same, then the user will
likely be logged in by the MySQL (JDBC) authentication extension, and
the LDAP extension will never be evaluated. Unless the LDAP extension
is evaluated for the user (because it is evaluated first or the MySQL
authentication for the user does not succeed), the system will not
pull in any LDAP information for the user.
>
> (Critical)
>
> I've set up a test LDAP server via proxmox and turnkey-openLDAP image and
> everything works fine. I get logged in and instantly redirected to the rdp
> connection that I created on the LDAP-Server. Now I went testing it on the
> production openLDAP server and used the same connection parameters that I
> used within the test system (apart from the hostname of course). When I log
> in via an LDAP user it will work but the rdp redirection won't fire and the
> connection list provided in the guacamole web-ui is empty.
>
You said you're storing your connection in LDAP? Is the schema
extended correctly for the "production" OpenLDAP server? Does the
connection exist in the same OU on the production side, or have you
set the LDAP configuration for Guacamole to point to the correct OU?
What do the logs say?
-Nick