I tried port 3268 on the AD server, but the following errors return in the
Tomcat error logs.

14:39:28.097 [http-nio-8080-exec-4] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.

Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or fi...@superiorpaving.net

On Wed, Aug 9, 2017 at 2:31 PM, Nick Couchman <nick.couch...@yahoo.com>
wrote:

> Are you getting any errors in your Tomcat log files?
>
> Can you try pointing at port 3268 on your AD server, instead of the
> default 389?  There's an issue with querying the global catalog that is in
> the process of being fixed (PR is open for it), and I think querying the
> non-GC-port sometimes works.
>
> -Nick
>
>
>
> On Wednesday, August 9, 2017, 2:26:42 PM EDT, Erik Berndt <
> erikber...@superiorpaving.net> wrote:
>
>
> Thanks Nick. I tweaked the search filter a little bit and am able to
> return the group membership with ldapsearch, but when applying that same
> filter to guacamole.properties, no users are able to authenticate.
>
> Is it possible there is an additional parameter that needs to be used in
> conjunction with ldap-user-search-filter?
>
>
> On Wed, Aug 9, 2017 at 12:51 PM, Nick Couchman <nick.couch...@yahoo.com>
> wrote:
>
> Not sure if this is a paste error or how you actually have it, but you
> have an extra quotation mark:
>
> ldap-user-search-filter; "(&(objectCategory=Group)(
> sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving
> Employees,dc=superiorpaving, dc=net))"
>
> There should not be a quote in front of "Superior" in the memberOf= part
> of the filter - LDAP filters can deal fine with spaces in the components of
> the filter, so your filter should look like this:
>
> ldap-user-search-filter: "(&(objectCategory=Group)(
> sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou= Superior Paving
> Employees,dc=superiorpaving, dc=net))"
>
> Also, in the line you pasted in to the e-mail, you had a semicolon,
> instead of a colon, at the end of ldap-user-search-filter.
>
> If it still doesn't work, try using that filter in an "ldapsearch" command
> and make sure you get results back:
>
> ldapsearch -H ldap://ad.superiorpaving.net -D <YOUR BIND DN HERE> -W
> '(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn=
> Accounting,ou=groups,ou= Superior Paving Employees,dc=superiorpaving,
> dc=net))'
>
> Should do the trick.  If you get no results back or you get an error, fix
> it and try again.
>
> -Nick
>
>
> On Wednesday, August 9, 2017, 12:46:13 PM EDT, Erik Berndt <
> erikber...@superiorpaving.net > wrote:
>
>
> I'm attempting to filter AD groups permitted to login through Guacamole,
> which is making use of the auth-mysql and auth-ldap extensions. Login works
> fine for the users defined in the ldap-user-base-dn.
>
> When I define the ldap-user-search-filter and reset the servlet container,
> all users are prevented from logging in.
>
> This is my first time writing ldap filters, so it's very possible this is
> a syntax issue. My search filter in guacamole.properties is as follows:
>
> ldap-user-search-filter; "(&(objectCategory=Group)(
> sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving
> Employees,dc=superiorpaving, dc=net))"
>
> Can anyone assist me with this filter?
>
> I also have tried to restrict the ldap-user-base-dn to the specific group
> I want to give access to, but am running into the same issue.
>
> Erik Berndt / Systems Administrator
>
>
>
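
Added example (not part of the original thread, and not Guacamole's own code): a small Python linter for the two mistakes discussed above, the semicolon after the property name and the stray quotation mark inside the filter, plus a parenthesis check on the filter itself. The function names are hypothetical, and the sample lines are the thread's filter with the e-mail line-wrap spaces removed, which is an assumption about what was in the file.

```python
import re

def parse_filter(s, i=0):
    """Parse one RFC 4515 style filter starting at s[i]; return (tree, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"'{op}' has wrong number of sub-filters")
        node = (op, kids)
    else:
        end = s.find(")", i)
        end = len(s) if end == -1 else end
        m = re.fullmatch(r"([A-Za-z][\w.;-]*)(=|~=|>=|<=)([^()]*)", s[i:end])
        if not m:
            raise ValueError(f"bad comparison at offset {i}")
        node, i = (m.group(1), m.group(3)), end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def lint_property(line):
    """Return a list of problems found in one guacamole.properties line."""
    # Java .properties: the name ends at the first '=', ':' or whitespace.
    m = re.match(r"\s*([^\s:=]+)\s*[:=]?\s*(.*)", line)
    if not m:
        return ["no property name found"]
    key, value, problems = m.group(1), m.group(2).strip(), []
    if not re.fullmatch(r"[a-z0-9-]+", key):
        problems.append(f"property name parsed as {key!r}: separator must be ':' or '='")
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # outer quotes as written in the thread
    pos = value.find('"')
    if pos != -1:
        problems.append(f"stray quotation mark in filter at offset {pos}")
    try:
        _, end = parse_filter(value)
        if end != len(value):
            problems.append(f"trailing text after filter at offset {end}")
    except ValueError as e:
        problems.append(str(e))
    return problems

# Constructed samples: the thread's filter, wrap spaces removed (assumption).
BAD = 'ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou="Superior Paving Employees,dc=superiorpaving,dc=net))"'
GOOD = 'ldap-user-search-filter: "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou=Superior Paving Employees,dc=superiorpaving,dc=net))"'
```

The linter only checks syntax; whether the filter matches the intended users still has to be confirmed with ldapsearch as described in the thread.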
