My experience with LDAP and AD is that you need to use [email protected] or 
DOMAIN\user, not the DN/CN.



-----Original message-----
From: Robin Cook <[email protected]>
Sent: Tuesday 22 November 2016 10:39
To: [email protected]; Amin Joodaki <[email protected]>
Subject: RE: Multiple Guacamole Properties

Hello,

A couple of things to try: point Guacamole at a global catalogue and use port 
3268. Try pointing the LDAP bind DN to your root domain like this:


LDAP_PORT=3268
LDAP_USER_BASE_DN=dc=test,dc=com
LDAP_SEARCH_BIND_DN='CN=guac service,OU=Service_Accounts,DC=test,DC=com'
LDAP_SEARCH_BIND_PASSWORD=yourpassword


Then any account should be able to log in.

Kind regards,

Robin

 
From: Amin Joodaki [mailto:[email protected]]
Sent: 22 November 2016 07:43
To: [email protected]
Subject: Re: Multiple Guacamole Properties

 
Hi Mike,

 
First of all, special thanks to the Guac. team. 

After that:

Our exact Active Directory 2012 layout is as below:

dc=test,dc=com

ou=dep1,OU=Accounts,dc=test,dc=com

ou=dep2,OU=Accounts,dc=test,dc=com

ou=serviceAccounts,OU=Accounts,dc=test,dc=com

 
And the settings in the file Guac.properties are as below:

ldap-hostname: 172.24.3.24

ldap-port: 389

ldap-user-base-dn: OU=Accounts,dc=test,dc=com

ldap-search-bind-dn: CN=ldapUser,ou=serviceAccounts,OU=Accounts,dc=test,dc=com

ldap-search-bind-password: P@ssw0rd

ldap-username-attribute: sAMAccountName

 
Also the IP address of the Guac. is 172.24.3.23 (which is directly connected to 
AD, without any firewall in between).

 
The problem!!! is that, with the above configuration, no user can log in.

 
But when I change the ldap-user-base-dn to 
ou=dep1,OU=Accounts,dc=test,dc=com, users under OU dep1 can successfully log in 
while the users under ou=dep2,OU=Accounts,dc=test,dc=com cannot log in.

 
Looking forward to your kind reply.

Best Hopes

 
 
 
 
 
On Sunday, November 20, 2016 3:51 AM, Mike Jumper <[email protected]> wrote:

 
Hi Amin,

 
Guacamole doesn't support multiple instances under the same servlet container. 
That said, even if it did, I don't think that is a good solution to your 
problem.

 
If the current LDAP support does not properly map users within your Active 
Directory, then the best way forward would be to identify what needs to change 
in the LDAP auth to support the way your users are organized.

 
If you can guarantee that the usernames are unique, even if they are within 
different OUs, you can probably get things working as-is by simply choosing an 
"ldap-user-base-dn" which is common to the DNs of all users (even if they are 
otherwise technically within different OUs) and using "ldap-search-bind-dn", 
"ldap-search-bind-password", and (if necessary) "ldap-username-attribute" to 
define how AD should be queried to translate usernames to fully-qualified DNs.

 
If the above doesn't work, can you provide a more concrete example of how your 
AD users are organized?

 
Thanks,

 
- Mike
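Added example, not code from Guacamole or from anyone in this thread: it models the search-bind lookup that Mike describes (a service account searches under a common ldap-user-base-dn for the entry whose ldap-username-attribute matches the typed name, then binds as that DN) over a constructed in-memory copy of the OU layout Amin posted. The one-level vs subtree scope switch and the duplicate-name handling are assumptions added to illustrate why a narrow base DN finds only one OU and why an ambiguous match should be refused.

```python
# Added example, not Guacamole's code: models the search-bind lookup that
# ldap-user-base-dn, ldap-search-bind-dn and ldap-username-attribute configure.

def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot change the filter's shape."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def build_user_filter(attribute, username):
    """The filter a search bind issues under the base DN, e.g. (sAMAccountName=bob)."""
    return '(%s=%s)' % (attribute, escape_filter_value(username))

def _rdns(dn):
    # Naive split on ',' is enough for the DNs in this thread (no escaped commas).
    return [part.strip().lower() for part in dn.split(',')]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies under base_dn: 'one' = direct children, 'sub' = whole subtree."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    return len(entry) == len(base) + 1 if scope == 'one' else scope == 'sub'

def find_user_dns(directory, base_dn, attribute, username, scope='sub'):
    """DNs under base_dn whose attribute equals username (case-insensitive, as in AD)."""
    attr, wanted = attribute.lower(), username.lower()
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope) and attrs.get(attr, '').lower() == wanted]

def resolve_login_dn(directory, base_dn, attribute, username):
    """Single DN to bind as, or None: an unknown or ambiguous name must not log in."""
    matches = find_user_dns(directory, base_dn, attribute, username)
    return matches[0] if len(matches) == 1 else None

# Constructed directory mirroring the OU layout from the thread (attribute keys lowercased).
DIRECTORY = {
    'CN=alice,ou=dep1,OU=Accounts,dc=test,dc=com': {'samaccountname': 'alice'},
    'CN=bob,ou=dep2,OU=Accounts,dc=test,dc=com': {'samaccountname': 'bob'},
    'CN=ldapUser,ou=serviceAccounts,OU=Accounts,dc=test,dc=com': {'samaccountname': 'ldapUser'},
    # A second 'bob' cannot exist in one AD domain, but can appear in a forest-wide
    # global catalogue search; it models the uniqueness caveat raised in the thread.
    'CN=bob,ou=dep1,OU=Accounts,dc=other,dc=com': {'samaccountname': 'bob'},
}

if __name__ == '__main__':
    base = 'OU=Accounts,dc=test,dc=com'
    for user in ('alice', 'bob', 'a)(objectClass=*'):
        print(build_user_filter('sAMAccountName', user), '->',
              resolve_login_dn(DIRECTORY, base, 'sAMAccountName', user))
```

Running the same lookups with base 'ou=dep1,OU=Accounts,dc=test,dc=com' reproduces the symptom in the thread: dep1 users resolve, dep2 users do not.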

 
 
On Wed, Nov 16, 2016 at 1:01 AM, Amin Joodaki <[email protected]> wrote:

Dear All,

I connected Guacamole to a database and Active Directory, but Guacamole is unable 
to detect all OUs in Active Directory; it understands just the OU that is defined 
in the path in the properties file. So I want to set up several guacamole.war 
(client) files in Tomcat to separate my departments on the login page, for example:


http://192.168.1.1:8080/department1

http://192.168.1.1:8080/department2

...

and assign specific guacamole.properties for each department.

How can I set different properties files and assign them to my guacamole.war 
files?

Best

Amin
