Can you provide an exact copy of the YAML that is being used, redacted as needed?

- Mike

On 8/8/2023 9:22 AM, Luciano Oliveira wrote:
Thanks, Mike!

The original file is correct!
Just a CTRL+C, CTRL+V on this email


Luciano

------------------------------------------------------------------------
*From:* Michael Jumper <[email protected]>
*Sent:* Tuesday, August 8, 2023 12:56
*To:* [email protected] <[email protected]>
*Subject:* Re: LDAP - Multiple domains

Watch out for your indentation. As-written, the YAML below is malformed
due to misaligned indentation of properties and would fail to parse.
There may be errors to that effect in your logs.

- Mike

On 8/8/2023 8:48 AM, Luciano Oliveira wrote:
Look at this:

My ldap-servers.yml to log in as [email protected] or [email protected]

$cat /etc/guacamole/ldap-servers.yml
- hostname: dc.domain.local
    port: 636
    encryption-method: ssl
    user-base-dn: dc=domain,dc=local
    match-usernames:
      - LOCAL\\(.*)
      - (.*)@domain\.local
    username-attribute: sAMAccountName
    search-bind-dn: cn=srv_gcd,ou=ServicesAuth,dc=domain,dc=local
    search-bind-password: passwordXsds224e
    user-search-filter: (&(&(objectClass=user)(objectCategory=person))(memberof=cn=acess_guacd,ou=Groups,dc=domain,dc=local))

- hostname: dc.sub.domain.local
     port: 636
    encryption-method: ssl
     user-base-dn: dc=sub,dc=domain,dc=local
    match-usernames:
      - SUBDOM\\(.*)
      - (.*)@sub\.domain\.local
    username-attribute: sAMAccountName
    search-bind-dn: cn=srv_sub_gcd,ou=ServicesAuth,dc=sub,dc=domain,dc=local
    search-bind-password: passwordXX5485
    user-search-filter: (&(&(objectClass=user)(objectCategory=person))(memberof=cn=accesso_guaca_sub,ou=Groups,dc=sub,dc=domain,dc=local))


Luciano

------------------------------------------------------------------------
*From:* Michael Jumper <[email protected]>
*Sent:* Tuesday, August 8, 2023 12:39
*To:* [email protected] <[email protected]>
*Subject:* Re: LDAP - Multiple domains

On 8/8/2023 12:41 AM, Molina de la Iglesia, Manuel wrote:
Hello,

Continuing with the challenge of authenticating users from two different domains, I'm applying the following settings because there could be users and/or groups with exactly the same sAMAccountName on both domains:

username-attribute: userPrincipalName (will be something like [email protected])
match-username: (.*@domain\.local)

This regex makes sense to me because I want to capture user@domain to match against userPrincipalName, but the authentication fails with the following errors:

Note that "ldap-user-base-dn" is properly defined, because before using this regex it worked properly.

This suggests that something else has changed to cause
"ldap-user-base-dn" to no longer be defined, but there really is no
other possible cause of that error.

...
Aug  8 07:34:58 guacamole tomcat9[8489]: 07:34:58.924 [https-openssl-nio-443-exec-3] ERROR o.a.g.rest.RESTExceptionMapper - Request could not be processed: Property ldap-user-base-dn is required.


This error really does indicate exactly what it says: you have (somehow)
not specified the "ldap-user-base-dn" property that is required for LDAP
to be used. You must either specify this property or include the
"user-base-dn" property for each of the servers defined in your
"ldap-servers.yml".

If you have specified "ldap-user-base-dn" in your guacamole.properties
but are still seeing this error, that suggests that the
guacamole.properties file in question is either not the file that
Guacamole is reading (this will be logged at startup) or possibly cannot
be read due to permissions (this should also be logged). It may also be
the case that there is a typo in your property name, or that it was
inadvertently commented out.

- Mike

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
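
A pre-flight check for the two failure modes raised in this thread (keys misaligned within a server entry, and an entry with no "user-base-dn" when "ldap-user-base-dn" is not set globally), as an added example that is not part of the original messages or of Guacamole. It is a line-based check rather than a YAML parser and assumes the flat list-of-servers layout shown above; the function name, messages and sample hostnames are constructed.

```python
import re

# A "key:" line, optionally opening a list entry with "- ".
KEY = re.compile(r"^( *)(- )?([A-Za-z][A-Za-z0-9-]*):(\s|$)")

# Constructed sample: entry 1 lacks user-base-dn, entry 2 has a misaligned key.
SAMPLE = """\
- hostname: dc1.example.test
  port: 636
  encryption-method: ssl
  match-usernames:
    - (.*)@example\\.test
- hostname: dc2.example.test
   port: 636
  user-base-dn: dc=sub,dc=example,dc=test
"""

def lint_ldap_servers(text, global_base_dn=False):
    """Return sorted (line_number, message) problems found in the YAML text."""
    problems, entries = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip(" ").startswith("\t"):
            problems.append((n, "tab used for indentation"))
            continue
        m = KEY.match(line)
        if not m:
            continue  # blank lines, comments, and "- value" list items
        indent, dash, key = len(m.group(1)), m.group(2), m.group(3)
        if dash:
            # New server entry: its first key sets the column for the rest.
            entries.append({"line": n, "col": indent + 2, "keys": {key}})
            continue
        if not entries:
            problems.append((n, f"'{key}' appears before any '- ' server entry"))
            continue
        entry = entries[-1]
        entry["keys"].add(key)
        if indent != entry["col"]:
            problems.append((n, f"'{key}' at column {indent}, expected {entry['col']}"))
    if not global_base_dn:  # no ldap-user-base-dn in guacamole.properties
        for e in entries:
            if "user-base-dn" not in e["keys"]:
                problems.append((e["line"], "entry has no user-base-dn"))
    return sorted(problems)

if __name__ == "__main__":
    for n, msg in lint_ldap_servers(SAMPLE):
        print(f"line {n}: {msg}")
```

Running it against the file as the server actually reads it, rather than against a copy pasted into an e-mail, avoids reporting indentation that the mail client introduced.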

