Not sure if this is a paste error or how you actually have it, but you have an 
extra quotation mark:

ldap-user-search-filter; 
"(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou="Superior
 Paving Employees,dc=superiorpaving,dc=net))"

There should not be a quote in front of "Superior" in the memberOf= part of the 
filter - LDAP filters can deal fine with spaces in the components of the 
filter, so your filter should look like this:
ldap-user-search-filter: 
"(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou=Superior
 Paving Employees,dc=superiorpaving,dc=net))"

Also, in the line you pasted into the e-mail, you had a semicolon, instead of 
a colon, at the end of ldap-user-search-filter.
If it still doesn't work, try using that filter in an "ldapsearch" command and 
make sure you get results back:
ldapsearch -x -H ldap://ad.superiorpaving.net -D "<YOUR BIND DN HERE>" -W \
  -b "<YOUR BASE DN HERE>" \
  '(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou=Superior Paving Employees,dc=superiorpaving,dc=net))'
Should do the trick.  If you get no results back or you get an error, fix it 
and try again.
-Nick

On Wednesday, August 9, 2017, 12:46:13 PM EDT, Erik Berndt 
<erikber...@superiorpaving.net> wrote:


I'm attempting to filter AD groups permitted to log in through Guacamole, which 
is making use of the auth-mysql and auth-ldap extensions. Login works fine for 
the users defined in the ldap-user-base-dn.

When I define the ldap-user-search-filter and reset the servlet container, all 
users are prevented from logging in.

This is my first time writing ldap filters, so it's very possible this is a 
syntax issue. My search filter in guacamole.properties is as follows:

ldap-user-search-filter; 
"(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou="Superior
 Paving Employees,dc=superiorpaving,dc=net))"

Can anyone assist me with this filter? 

I also have tried to restrict the ldap-user-base-dn to the specific group I 
want to give access to, but am running into the same issue.

Erik Berndt / Systems Administrator
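
Added example, not part of the original messages and not Guacamole code: a small Python lint that catches the two mistakes discussed in this thread (the semicolon after the property name and the stray quote inside the filter) plus unbalanced parentheses. The helper name lint_filter_line and the sample lines, rebuilt from the filters quoted above with the e-mail line wrap removed, are assumptions.

```python
import re

def lint_filter_line(line):
    """Return a list of problems found in one 'key: "filter"' property line."""
    m = re.match(r'\s*([\w-]+)\s*([^\s"(]?)\s*(.*)$', line, re.S)
    if not m:
        return ["cannot split line into key, separator and value"]
    key, sep, value = m.groups()
    problems = []
    # Java-style properties accept ':', '=' or plain whitespace after the key.
    if sep not in (":", "=", ""):
        problems.append("separator after %s is %r, expected ':'" % (key, sep))
    value = value.strip()
    # The thread writes the value inside one pair of double quotes; peel it off.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    # Any double quote left inside the filter is a stray one.
    for pos, ch in enumerate(value):
        if ch == '"':
            context = value[max(0, pos - 12):pos + 12]
            problems.append("stray quote at offset %d near %r" % (pos, context))
    if not value.startswith("("):
        problems.append("filter does not start with '('")
    # Literal parentheses in values are hex-escaped in LDAP filters (RFC 4515),
    # so plain counting is enough to check nesting.
    depth = 0
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems

# Constructed sample lines: the filters from this thread, each on a single line.
FILTER_TAIL = 'Superior Paving Employees,dc=superiorpaving,dc=net))"'
FILTER_HEAD = ('"(&(objectCategory=Group)(sAMAccountName=*)'
               '(memberOf=cn=Accounting,ou=groups,ou=')
BAD = 'ldap-user-search-filter; ' + FILTER_HEAD + '"' + FILTER_TAIL
GOOD = 'ldap-user-search-filter: ' + FILTER_HEAD + FILTER_TAIL

if __name__ == "__main__":
    for name, line in (("as posted", BAD), ("corrected", GOOD)):
        print(name, "->", lint_filter_line(line) or "no problems found")
```

A clean lint result only says the line is well formed; the ldapsearch check above is still what shows whether the filter returns any entries.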
