On 6/14/23 05:45, Nick Couchman wrote:
On Wed, Jun 14, 2023 at 8:26 AM Tifaine RIVOIRE OPTI Sécurité
<[email protected]> wrote:
Hi,

I'm testing Guacamole and I want to configure some extensions.
I already set up Guacamole with docker-compose and the TOTP extension.

I have some trouble with the LDAP extension. In fact, I have followed a
lot of tutorials that show how to set it up.
I copied the .jar file into the extension directory, but after a restart I
can't log in with an AD user. I've seen that a new directory called
ldap was created (just like totp) with the .jar & .ldif files.
I also tried to create a user with the same AD name and a blank password in
Guacamole, making sure to select the create connection permission.
When I connect, Guacamole tells me wrong password, but it is the
correct one in my AD.
I also see some forwarded communications (through the firewall) from my
Guacamole server to my AD.

Can you help me understand why I can't log in with an AD account?

You'll need to take a look at the logs for the Guacamole Client
container and see what errors might be logged to the container. You may
also have to change the log level of Guacamole Client (LOGBACK_LEVEL
environment variable) to get more useful information out of the system.
I do notice in the Docker Compose file you posted that you appear to be
using a search filter that is supposed to make LDAP search nested AD
groups. I'm not sure that this will actually work - I think there are
some things that need to be implemented within Guacamole to support
this, and I don't think those currently exist. You might, at the very
least, try changing your search filter to something else - just create a
single group with the users you want to have access and search that
group, only - and see if that helps.

Using a recursive group membership query like this within the search
filter should be fine. Active Directory will service such queries a bit
slower, but it will work and will limit both the users visible in the
admin UI and the users that can log in.

Guacamole itself will not perform recursive queries to determine group
memberships from LDAP, so you will not be able to use recursive
memberships to grant permissions, but you can definitely do this within
the search filters.

- Mike
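The distinction Mike draws (nested membership resolved by the directory server inside the search filter, versus the direct membership Guacamole itself evaluates) is easier to see with a small model. The following is an added example written for this thread; it is not code from Guacamole or from anyone in the discussion. It assumes that `1.2.840.113556.1.4.1941` is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule and that `ldap-user-search-filter` is the Guacamole LDAP extension property the filter goes into; the directory entries and DNs are constructed sample data.

```python
"""Model of nested ("in chain") versus direct group membership for a
Guacamole LDAP user search filter. Added example; the directory below is
constructed sample data, not a real AD export."""
from typing import Dict, Set

# Active Directory matching rule that makes memberOf walk nested groups.
# Assumed OID for LDAP_MATCHING_RULE_IN_CHAIN.
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"

# Assumed property name of the Guacamole LDAP extension's user search filter.
SEARCH_FILTER_PROPERTY = "ldap-user-search-filter"


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value.
    Commas and equals signs in a DN need no escaping; *, (, ), \\ and NUL do."""
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def nested_group_filter(group_dn: str) -> str:
    """Filter matching users in group_dn directly or through nested groups.
    The recursion happens on the AD side, which is why it works in the
    search filter even though Guacamole does no recursive lookups."""
    return "(&(objectClass=user)(memberOf:%s:=%s))" % (
        IN_CHAIN_RULE, escape_filter_value(group_dn))


def single_group_filter(group_dn: str) -> str:
    """Direct-membership filter: the single flat group Nick suggests trying."""
    return "(&(objectClass=user)(memberOf=%s))" % escape_filter_value(group_dn)


def property_line(filter_text: str) -> str:
    """The guacamole.properties line carrying the chosen filter."""
    return "%s: %s" % (SEARCH_FILTER_PROPERTY, filter_text)


# Constructed directory: DN -> objectClass and direct memberOf values.
BASE = "DC=example,DC=test"


def dn(cn: str, ou: str) -> str:
    return "CN=%s,OU=%s,%s" % (cn, ou, BASE)


GUAC_USERS = dn("Guac-Users", "Groups")
GUAC_ADMINS = dn("Guac-Admins", "Groups")   # nested inside Guac-Users
HELPDESK = dn("Helpdesk", "Groups")          # unrelated group

SAMPLE_DIRECTORY: Dict[str, dict] = {
    dn("alice", "Users"): {"objectClass": "user", "memberOf": {GUAC_ADMINS}},
    dn("bob", "Users"): {"objectClass": "user", "memberOf": {GUAC_USERS}},
    dn("carol", "Users"): {"objectClass": "user", "memberOf": {HELPDESK}},
    GUAC_ADMINS: {"objectClass": "group", "memberOf": {GUAC_USERS}},
    GUAC_USERS: {"objectClass": "group", "memberOf": set()},
    HELPDESK: {"objectClass": "group", "memberOf": set()},
}


def direct_members(directory: Dict[str, dict], group_dn: str) -> Set[str]:
    """Users a plain (memberOf=group) filter returns; also what Guacamole's
    own group-to-permission mapping can see."""
    return {d for d, e in directory.items()
            if e["objectClass"] == "user" and group_dn in e["memberOf"]}


def in_chain(directory: Dict[str, dict], entry_dn: str, group_dn: str,
             seen: Set[str] = None) -> bool:
    """True if entry_dn reaches group_dn through any chain of nested groups.
    'seen' guards against group membership cycles."""
    if seen is None:
        seen = set()
    for parent in directory[entry_dn]["memberOf"]:
        if parent == group_dn:
            return True
        if parent in directory and parent not in seen:
            seen.add(parent)
            if in_chain(directory, parent, group_dn, seen):
                return True
    return False


def chain_members(directory: Dict[str, dict], group_dn: str) -> Set[str]:
    """Users the in-chain filter returns: the server-side recursive result."""
    return {d for d, e in directory.items()
            if e["objectClass"] == "user" and in_chain(directory, d, group_dn)}


if __name__ == "__main__":
    print(property_line(nested_group_filter(GUAC_USERS)))
    print("direct:", sorted(direct_members(SAMPLE_DIRECTORY, GUAC_USERS)))
    print("nested:", sorted(chain_members(SAMPLE_DIRECTORY, GUAC_USERS)))
```

Run stand-alone, the script shows alice (a member only via the nested Guac-Admins group) appearing in the in-chain result but not in the direct one. That gap is exactly what Mike describes: the nested filter decides who can log in and who is listed, while any permissions Guacamole grants from LDAP groups still follow direct membership only.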