I've set up Guacamole 1.5.2 using Docker with Postgres:13 and LDAP
authentication against Microsoft Server 2019 Active Directory.

LDAP authentication is working properly.  Users can log in, and if given
"Administer system" permissions in Guacamole, users can view a list of
Active Directory groups on the Groups page.

I would like to be able to assign connections to Active Directory Groups,
so that when a user logs in, they can see connections for the AD groups
they're a member of.

Currently, when I add a connection to an AD group in Guacamole, users in
that AD group don't get the connection unless I also add the user to the
group within Guacamole.  I'd like to manage group membership exclusively in
AD.

I'm not sure if this is normal behaviour, or if I've misconfigured
something, but in Guacamole I'm unable to see which LDAP users are members
of which LDAP groups:

Opening a user profile lists no groups in the PostgreSQL tab, and the LDAP
tab is locked and when opened displays a message that the user can't be
edited.

Opening an LDAP group from the Groups page lists no member users on the
PostgreSQL tab, and the LDAP tab is locked and when opened displays a
message that the group cannot be edited.

Enabling debug logging in Guacamole, there are search result entries for
groups that list the member user DNs, so it looks like Guacamole is
retrieving the info:

----------------------------------------------
Message ID : 4
    Search Result Entry
Entry
    dn: CN=FPS RDS Full Desktop Users,OU=FPS Groups,OU=FPS Organization,OU=Dev,DC=home,DC=arpa
    member: CN=FPSUser Lastname,OU=FPS Users,OU=FPS Organization,OU=Dev,DC=home,DC=arpa
    member: CN=FPSAdmin Lastname,OU=FPS Users,OU=FPS Organization,OU=Dev,DC=home,DC=arpa
    cn: FPS RDS Full Desktop Users
)
----------------------------------------------

Using ldapsearch, I'm able to confirm that my ldap_search_bind_dn account
can read all of the groups and their members (DNs are listed under member:
attributes), and for each user, can get memberOf groups.

Here are the environmental variables from my docker-compose.yml:

LDAP_HOSTNAME: dc01.home.arpa
LDAP_PORT: 389
LDAP_ENCRYPTION_METHOD: starttls
LDAP_SEARCH_BIND_DN: CN=guacamole bind,OU=Service Accounts,OU=Admin,OU=Dev,DC=home,DC=arpa
LDAP_SEARCH_BIND_PASSWORD: password
LDAP_USER_SEARCH_FILTER: (objectCategory=person)

LDAP_USER_BASE_DN: OU=Dev,DC=home,DC=arpa
LDAP_USERNAME_ATTRIBUTE: sAMAccountName

LDAP_GROUP_BASE_DN: OU=Dev,DC=home,DC=arpa
LDAP_GROUP_NAME_ATTRIBUTE: cn
LDAP_GROUP_SEARCH_FILTER: (objectCategory=group)
LDAP_MEMBER_ATTRIBUTE: member
LDAP_MEMBER_ATTRIBUTE_TYPE: dn
LDAP_FOLLOW_REFERRALS: true
LDAP_DEREFERENCE_ALIASES: always

Thanks in advance to anyone who can provide some insight into what I'm
doing wrong!

-John
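For readers trying to reason about the lookup offline, here is an added example (not from the original post, and not Guacamole's own code): a small Python simulation of how a DN-based member lookup resolves a user's groups from the settings quoted above. The directory entries are constructed to mirror the post's DNs, and the matching rules (subtree match on the base DN, case-insensitive DN comparison, single-equality filters only) are assumptions for illustration, not Guacamole's implementation.

```python
import re
# Constructed directory snapshot mirroring the DNs in the post: DN -> lower-cased attributes.
USER_DN = "CN=FPSUser Lastname,OU=FPS Users,OU=FPS Organization,OU=Dev,DC=home,DC=arpa"
ADMIN_DN = "CN=FPSAdmin Lastname,OU=FPS Users,OU=FPS Organization,OU=Dev,DC=home,DC=arpa"
GROUP_DN = "CN=FPS RDS Full Desktop Users,OU=FPS Groups,OU=FPS Organization,OU=Dev,DC=home,DC=arpa"
DIRECTORY = {
    USER_DN: {"objectcategory": ["person"], "samaccountname": ["fpsuser"]},
    ADMIN_DN: {"objectcategory": ["person"], "samaccountname": ["fpsadmin"]},
    GROUP_DN: {"objectcategory": ["group"], "cn": ["FPS RDS Full Desktop Users"],
               "member": [USER_DN, ADMIN_DN]},
}

# Settings copied from the post's docker-compose environment.
CONFIG = {
    "LDAP_USER_BASE_DN": "OU=Dev,DC=home,DC=arpa",
    "LDAP_USER_SEARCH_FILTER": "(objectCategory=person)",
    "LDAP_USERNAME_ATTRIBUTE": "sAMAccountName",
    "LDAP_GROUP_BASE_DN": "OU=Dev,DC=home,DC=arpa",
    "LDAP_GROUP_NAME_ATTRIBUTE": "cn",
    "LDAP_GROUP_SEARCH_FILTER": "(objectCategory=group)",
    "LDAP_MEMBER_ATTRIBUTE": "member",
    "LDAP_MEMBER_ATTRIBUTE_TYPE": "dn",
}

def _norm_dn(dn):
    # Case- and whitespace-insensitive key so DNs compare the way a directory compares them.
    return ",".join(part.strip().lower() for part in dn.split(","))

def _has_value(attrs, attr, value):
    return value.lower() in (v.lower() for v in attrs.get(attr.lower(), []))

def _search(base, simple_filter):
    # Handles only the single-equality filter form the post uses, e.g. (objectCategory=group).
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", simple_filter).groups()
    return {dn: a for dn, a in DIRECTORY.items()
            if _norm_dn(dn).endswith("," + _norm_dn(base)) and _has_value(a, attr, value)}

def groups_for_user(username, cfg=CONFIG):
    """Find the user under the user base, then return every group under the group base whose
    member attribute lists the user's DN (type dn) or bare username (type uid)."""
    users = [dn for dn, a in _search(cfg["LDAP_USER_BASE_DN"], cfg["LDAP_USER_SEARCH_FILTER"]).items()
             if _has_value(a, cfg["LDAP_USERNAME_ATTRIBUTE"], username)]
    if not users:
        return []
    by_dn = cfg["LDAP_MEMBER_ATTRIBUTE_TYPE"].lower() == "dn"
    wanted = _norm_dn(users[0]) if by_dn else username.lower()
    name_attr, member_attr = cfg["LDAP_GROUP_NAME_ATTRIBUTE"].lower(), cfg["LDAP_MEMBER_ATTRIBUTE"].lower()
    return sorted(a[name_attr][0]
                  for a in _search(cfg["LDAP_GROUP_BASE_DN"], cfg["LDAP_GROUP_SEARCH_FILTER"]).values()
                  if wanted in {_norm_dn(m) if by_dn else m.lower() for m in a.get(member_attr, [])})
```

Running the same entries with LDAP_MEMBER_ATTRIBUTE_TYPE set to uid yields no groups, because the member values are DNs rather than usernames; a type/attribute mismatch of that kind silently leaves users outside their groups, so it is worth checking first when membership does not come through.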
