Hey Benjamin,
sorry for the late response, but I had to recreate my patch by decompiling my
compiled extension because I lost the patch file. : /
I used this patch for the LDAP 1.4.0 extension.
It is closing the user LDAP connection after the login and using the bind
connection for everything else afterward.
I had to modify it because I'm just one admin in our university with access to
use the LDAP for using the user credentials for authentication in my services.
So I myself (a non-bind user) couldn't even see the available LDAP groups and
assign them in Guacamole. With this patch it is possible.
Because I don't know much about Java, its GC and the security implications of
these changes, maybe double-check whether there is a risk.
You may ask why LDAP version 1.4.0.
It was the released version at this time, and I was glad that I understood
enough to make that change.
We also have only one LDAP, so using 1.5.x, which in my understanding was
updated to support multiple LDAPs, wasn't necessary at all, and I guess it would
make the patch more difficult.
By the way, the logger.info stuff can be removed or commented out to stop the
spam in your catalina.out once you have successfully tested it.
Perhaps the patch helps and fixes your problem.
Greetings
Matthias
---
Matthias Druve
System Administrator
Technische Universität Berlin
________________________________________
From: Benjamin Long <[email protected]>
Sent: Tuesday, 5 November 2024 19:44
To: [email protected]
Subject: Permissions Required to Read LDAP Configuration
Hello folks,
Here is my situation. We're setting up a new authentication system using
FreeIPA. So far, so good.
I've been able to configure Guacamole (using the official docker container) to
use LDAP as its user and configuration store. The configuration is in the
cn=guacconfig subtree.
Here's where I'm a little confused.
When I use ldap-search-bind-dn to configure a bind user, I thought this was the
login used to pull the configuration from cn=guacconfig. So I have a bind user
set up that has access to this subtree.
However, my users do not have access to this subtree, and I would rather they
not. I don't want them to be able to run ldapsearch with their credentials and
get the login credentials for the remote systems.
When I log into Guacamole as my user, I don't see any connections unless I give
my user search and read access to cn=guacconfig.
Am I missing something, or is this expected behavior?
--
Benjamin Long
Chief Information Officer
Security Service Company
1-484-575-8116
diff '--color=auto' -Naur a/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java c/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java
--- a/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java 2024-11-11 22:03:46.892161895 +0100
+++ c/org/apache/guacamole/auth/ldap/AuthenticationProviderService.java 2024-11-14 17:33:32.711784738 +0100
@@ -327,18 +327,30 @@
CredentialsInfo.USERNAME_PASSWORD);
}
+ String searchDN = this.confService.getSearchBindDN();
+ String searchPassword = this.confService.getSearchBindPassword();
+ ldapConnection.close();
+
+ LdapNetworkConnection ldapConnection2 = this.ldapService.bindAs(searchDN, searchPassword);
+ if (ldapConnection2 == null) {
+ logger.info("Unable to bind as user \"{}\" against LDAP server \"{}\".", searchDN, this.confService.getServerHostname());
+ throw new GuacamoleInvalidCredentialsException("Invalid login.", CredentialsInfo.USERNAME_PASSWORD);
+ }
+
+ logger.info("BINDUSER \"{}\" was successfully authenticated by LDAP server \"{}\".", searchDN, this.confService.getServerHostname());
+
try {
// Build user context by querying LDAP
LDAPUserContext userContext = userContextProvider.get();
- userContext.init(authenticatedUser, ldapConnection);
+ userContext.init(authenticatedUser, ldapConnection2);
return userContext;
}
// Always disconnect
finally {
- ldapConnection.close();
+ ldapConnection2.close();
}
}
return null;
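Review bot: the `if (ldapConnection2 == null)` branch reports a server-side misconfiguration as a user error. At this point the user's own bind has already succeeded; what failed is the bind with the configured `searchDN`/`searchPassword`, yet the code throws `GuacamoleInvalidCredentialsException("Invalid login.", ...)`, so the user is told their password is wrong and the admin gets only an info-level line. Throw a server-side exception here and log the failed search bind at warn or error so the real cause is visible. Two further points in the same hunk deserve a code comment: first, after `userContext.init(authenticatedUser, ldapConnection2)` the user context is built over the privileged search-bind connection, so the directory's own ACLs no longer limit what a logged-in user is shown and only Guacamole's group/membership filtering restricts which connections and groups a user sees, which is exactly the property the original `userContext.init(authenticatedUser, ldapConnection)` relied on; second, the two `logger.info` calls run on every login and print the search bind DN and server hostname, which is noise at info level (the cover mail already says they can be removed) and belongs at debug if kept.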