What happens if you query the LDAP directory as each of the users in question, listing all guacConfigGroup objects?

When a user authenticates with Guacamole via LDAP, Guacamole will attempt to bind to the LDAP directory using that user's credentials, and the query retrieving available connections will be executed as that LDAP user. If something is causing the results of those queries to be different depending on the user, perhaps running similar queries as those users manually using a standard LDAP utility will be revealing.

- Mike

On Wed, Jul 5, 2017 at 12:54 PM, evan.hisey <[email protected]> wrote:
> I am using the Docker guacamole containers for 0.9.12 and have them correctly
> authenticating to LDAP, however only one user in a guacamole host group is
> recognized as having access to a host rdp. To wit
>
> LDAP HOST GROUP:
> dn: cn=cee-rdp,cn=groups,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=gov
> objectClass: guacConfigGroup
> objectClass: nestedGroup
> objectClass: groupOfNames
> objectClass: posixGroup
> objectClass: ipaUserGroup
> objectClass: top
> objectClass: ipaObject
> cn: cee-rdp
> gidNumber: 1370800062
> guacConfigProtocol: rdp
> ipaUniqueID: 4bd337f4-5ac6-11e7-a3b2-0050568843ac
> guacConfigParameter: hostname=nwcal-cee-ti1.nwc.nws.noaa.gov
> member: uid=evan.hisey,cn=users,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=
> gov
> member: uid=alt-evan.hisey,cn=users,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa
> ,dc=gov
>
> Console output of container when users login:
> 20:11:09.908 [http-nio-8080-exec-3] INFO o.a.g.r.auth.AuthenticationService
> - User "alt-evan.hisey" successfully authenticated from 10.3.0.30.
> 20:11:10.150 [http-nio-8080-exec-3] WARN o.a.g.a.l.c.ConnectionService -
> guacConfigGroup "cee-rdp" is missing the required "guacConfigProtocol"
> attribute.
> 20:11:10.150 [http-nio-8080-exec-3] WARN o.a.g.a.l.c.ConnectionService -
> guacConfigGroup "common-dev1-rdp" is missing the required
> "guacConfigProtocol" attribute.
> 20:11:19.820 [http-nio-8080-exec-10] INFO
> o.a.g.r.auth.AuthenticationService - User "evan.hisey" successfully
> authenticated from 10.3.0.30.
> 20:11:20.556 [http-nio-8080-exec-2] INFO o.a.g.tunnel.TunnelRequestService
> - User "evan.hisey" connected to connection "cee-rdp".
>
> Both users are in the correct host group, but only the second user actually
> gets the guacConfigProtocol. I am at a bit of a loss as to what could be
> causing this.
>
>
>
> --
> View this message in context:
> http://apache-guacamole-incubating-users.2363388.n4.nabble.com/0-9-12-issue-with-LDAP-host-groups-tp1261.html
> Sent from the Apache Guacamole (incubating) - Users mailing list archive at
> Nabble.com.
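
The per-user comparison suggested in the reply, as an added example that is not part of the original thread or of Guacamole: it parses the LDIF returned by the same guacConfigGroup search run under each bind identity and reports which attributes each user's view lacks. The DNs, user names and LDIF text are constructed placeholders, and `parse_ldif` and `compare_views` are hypothetical helper names.

```python
# Constructed sample data. Real input would be the saved output of one search per
# bind user: ldapsearch -x -LLL -D "<user DN>" -W -b "<base DN>" "(objectClass=guacConfigGroup)"
VIEW_A = """\
dn: cn=host1-rdp,cn=groups,dc=example,dc=com
objectClass: guacConfigGroup
cn: host1-rdp
guacConfigProtocol: rdp
guacConfigParameter: hostname=host1.example.com
member: uid=user-a,cn=users,dc=example,
 dc=com
"""
VIEW_B = """\
dn: cn=host1-rdp,cn=groups,dc=example,dc=com
objectClass: guacConfigGroup
cn: host1-rdp
member: uid=user-a,cn=users,dc=example,
 dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}}; base64 values are left undecoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]            # RFC 2849 folded continuation line
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        name, _, value = line.partition(":")
        if not line.strip():
            current = None                      # blank line ends the entry
        elif name.lower() == "dn":
            current = entries.setdefault(value.lstrip(":").strip(), {})
        elif current is not None and not line.startswith("#"):
            current.setdefault(name.lower(), []).append(value.lstrip(":").strip())
    return entries

def compare_views(views):
    """views: {bind_user: ldif_text}. Return {dn: {user: attrs that user cannot see}}."""
    parsed = {user: parse_ldif(text) for user, text in views.items()}
    report = {}
    for dn in sorted(set().union(*parsed.values())):
        seen = set().union(*(p.get(dn, {}) for p in parsed.values()))
        gaps = {u: sorted(seen - set(p[dn])) if dn in p else ["<entry not returned>"]
                for u, p in parsed.items()}
        gaps = {u: missing for u, missing in gaps.items() if missing}
        if gaps:
            report[dn] = gaps
    return report
```

A user listed with `guacconfigprotocol` in the report is one for whom the directory returned the group without that attribute, which matches the condition the `ConnectionService` warning describes.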
