On Wed, Jun 14, 2023 at 8:26 AM Tifaine RIVOIRE OPTI Sécurité <
t.rivo...@optisecurite.fr> wrote:

> Hi,
>
> I’m testing Guacamole and I want to configure some extensions.
> I already set up guacamole with docker-compose and TOTP Extension.
>
> I have some troubles with the LDAP extension. In fact, I follow a lot of
> tutorials that show me how I can set up this one.
>
> I copy the .jar file in extension directory but after a restart I can’t
> log in with an AD user. I’ve seen that a new directory called ldap was
> created (just like totp) with .jar & .ldif file.
> I also try to create a user with same AD name and blank password in
> guacamole, I make sure to select create connection permission.
>
> When I connect, Guacamole tells me wrong password but this is the correct
> one in my AD.
> I also see some forwarded communications (through firewall) from my
> Guacamole server to my AD.
>
> Can you help me to understand why I can’t log in with an AD account?
>

You'll need to take a look at the logs for the Guacamole Client container
and see what errors might be logged to the container. You may also have to
change the log level of Guacamole Client (LOGBACK_LEVEL environment
variable) to get more useful information out of the system.

I do notice in the Docker Compose file you posted that you appear to be
using a search filter that is supposed to make LDAP search nested AD
groups. I'm not sure that this will actually work - I think there are some
things that need to be implemented within Guacamole to support this, and I
don't think those currently exist. You might, at the very least, try
changing your search filter to something else - just create a single group
with the users you want to have access and search that group, only - and
see if that helps.

-Nick
