I tried port 3268 on the AD server, but the following errors return in the Tomcat error logs.

14:39:28.097 [http-nio-8080-exec-4] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.

Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or fi...@superiorpaving.net

On Wed, Aug 9, 2017 at 2:31 PM, Nick Couchman <nick.couch...@yahoo.com> wrote:
> Are you getting any errors in your Tomcat log files?
>
> Can you try pointing at port 3268 on your AD server, instead of the default 389? There's an issue with querying the global catalog that is in the process of being fixed (PR is open for it), and I think querying the non-GC port sometimes works.
>
> -Nick
>
> On Wednesday, August 9, 2017, 2:26:42 PM EDT, Erik Berndt <erikber...@superiorpaving.net> wrote:
> > Thanks Nick. I tweaked the search filter a little bit and am able to return the group membership with ldapsearch, but when applying that same filter to guacamole.properties, no users are able to authenticate.
> >
> > Is it possible there is an additional parameter that needs to be used in conjunction with ldap-user-search-filter?
> >
> > On Wed, Aug 9, 2017 at 12:51 PM, Nick Couchman <nick.couch...@yahoo.com> wrote:
> > > Not sure if this is a paste error or how you actually have it, but you have an extra quotation mark:
> > >
> > > ldap-user-search-filter; "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving Employees,dc=superiorpaving, dc=net))"
> > >
> > > There should not be a quote in front of "Superior" in the memberOf= part of the filter - LDAP filters can deal fine with spaces in the components of the filter, so your filter should look like this:
> > >
> > > ldap-user-search-filter: "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou= Superior Paving Employees,dc=superiorpaving, dc=net))"
> > >
> > > Also, in the line you pasted into the e-mail, you had a semicolon, instead of a colon, at the end of ldap-user-search-filter.
> > >
> > > If it still doesn't work, try using that filter in an "ldapsearch" command and make sure you get results back:
> > >
> > > ldapsearch -H ldap://ad.superiorpaving.net -D <YOUR BIND DN HERE> -W '(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou= Superior Paving Employees,dc=superiorpaving, dc=net))'
> > >
> > > Should do the trick. If you get no results back or you get an error, fix it and try again.
> > >
> > > -Nick
> > >
> > > On Wednesday, August 9, 2017, 12:46:13 PM EDT, Erik Berndt <erikber...@superiorpaving.net> wrote:
> > > > I'm attempting to filter AD groups permitted to login through Guacamole, which is making use of the auth-mysql and auth-ldap extensions. Login works fine for the users defined in the ldap-user-base-dn.
> > > >
> > > > When I define the ldap-user-search-filter and reset the servlet container, all users are prevented from logging in.
> > > >
> > > > This is my first time writing ldap filters, so it's very possible this is a syntax issue. My search filter in guacamole.properties is as follows:
> > > >
> > > > ldap-user-search-filter; "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving Employees,dc=superiorpaving, dc=net))"
> > > >
> > > > Can anyone assist me with this filter?
> > > >
> > > > I also have tried to restrict the ldap-user-base-dn to the specific group I want to give access to, but am running into the same issue.
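A small checker for the two defects Nick points out in the filter line (the `;` after the property key, which Java properties files treat as part of the key, and the unescaped `"` inside the memberOf DN, which RFC 4514 requires to be backslash-escaped). This is an added example, not code from the thread or from Guacamole; the sample lines are the ones quoted above, and stripping the surrounding quotes before checking is an assumption made to match how the filter is written in the thread.

```python
import re

# Constructed sample input: the guacamole.properties line as pasted in the thread
# (stray quote in the ou= value, ';' after the key) and Nick's corrected version.
PASTED_LINE = ('ldap-user-search-filter; "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= '
               'Accounting,ou=groups,ou=" Superior Paving Employees,dc=superiorpaving, dc=net))"')
FIXED_LINE = PASTED_LINE.replace('filter;', 'filter:').replace('ou=" Superior', 'ou= Superior')

# RFC 4514 section 2.4: these must be backslash-escaped inside a DN attribute value
# (',' is handled by the RDN split). Leading/trailing spaces are not flagged: AD
# tolerates them and the corrected filter in the thread keeps them.
DN_MUST_ESCAPE = set('"+<>;')

def split_rdns(dn):
    # Split a DN on unescaped commas, keeping backslash escapes intact.
    rdns, buf, i = [], '', 0
    while i < len(dn):
        if dn[i] == '\\':                     # escaped pair: copy both characters
            buf, i = buf + dn[i:i + 2], i + 2
            continue
        if dn[i] == ',':
            rdns, buf = rdns + [buf], ''
        else:
            buf += dn[i]
        i += 1
    return rdns + [buf]

def check_dn(dn):
    """Return the RFC 4514 problems found in a DN such as a memberOf value."""
    problems = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition('=')
        if not sep:
            problems.append(f'RDN without "=": {rdn.strip()!r}')
            continue
        for ch in re.sub(r'\\.', '', value):  # ignore escaped pairs, inspect the rest
            if ch in DN_MUST_ESCAPE:
                problems.append(f'unescaped {ch!r} in value of {attr.strip()}')
    return problems

def check_filter_line(line):
    """Check one ldap-user-search-filter line from guacamole.properties."""
    problems = []
    key, _, value = re.match(r'^\s*([^\s:=]*)\s*([:=]?)\s*(.*)$', line).groups()
    if key != 'ldap-user-search-filter':       # Java properties end a key only at ':' or '='
        problems.append(f'unexpected key {key!r} (use ":" or "=" after the key)')
    value = value.strip().strip('"')           # assumption: tolerate the quotes used in the thread
    if not value.startswith('(') or value.count('(') != value.count(')'):
        problems.append('unbalanced or missing parentheses in filter')
    for dn in re.findall(r'\(memberOf=([^()]*)\)', value, re.IGNORECASE):
        problems.extend(check_dn(dn))
    return problems
```

Running `check_filter_line` over the pasted line reports both defects, while Nick's corrected line comes back clean.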