Thanks Paul, I entered something similar but had a small syntax error. It's working for me now!
Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net
Need to open an IT support ticket? http://FixIT.superiorpaving.net/portal or [email protected]

On Wed, Aug 9, 2017 at 3:08 PM, Paul Cantle <[email protected]> wrote:
> Hi,
>
> On the original note, I understand you just want to restrict guacamole to members of a certain group and while Nick's filter should work fine, I'm not sure there's a need to overcomplicate it so much.
>
> I use a filter in a similar fashion and only specify the group. Like so:
>
> ldap-user-search-filter: (memberOf=CN= Accounting,ou=groups,OU=Superior Paving Employees,DC=superiorpaving,DC=net)
>
> Also, I think there may be some confusion re the ports below. The GC port is 3268, not 389 (non-GC port), not the other way round as mentioned below.
>
> I'm also querying the global catalogue port of 3268. This is only required usually if your ldap-user-base-dn: is set at the root of the AD, if you're using an Org or container under the root then querying 389 should work fine.
>
> If you change the filter to the one above, does it give you the desired results?
>
> Rgds
>
> Paul
>
> From: Erik Berndt <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Wednesday, 9 August 2017 at 19:42
> To: "[email protected]" <[email protected]>
> Subject: Re: ldap-user-search-filter
>
> I tried port 3268 on the AD server, but the following errors return in the Tomcat error logs.
>
> 14:39:28.097 [http-nio-8080-exec-4] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.
>
> On Wed, Aug 9, 2017 at 2:31 PM, Nick Couchman <[email protected]> wrote:
> > Are you getting any errors in your Tomcat log files?
> >
> > Can you try pointing at port 3268 on your AD server, instead of the default 389? There's an issue with querying the global catalog that is in the process of being fixed (PR is open for it), and I think querying the non-GC-port sometimes works.
> >
> > -Nick
> >
> > On Wednesday, August 9, 2017, 2:26:42 PM EDT, Erik Berndt <[email protected]> wrote:
> > > Thanks Nick. I tweaked the search filter a little bit and am able to return the group membership with ldapsearch, but when applying that same filter to guacamole.properties, no users are able to authenticate.
> > >
> > > Is it possible there is an additional parameter that needs to be used in conjunction with ldap-user-search-filter?
> > >
> > > On Wed, Aug 9, 2017 at 12:51 PM, Nick Couchman <[email protected]> wrote:
> > > > Not sure if this is a paste error or how you actually have it, but you have an extra quotation mark:
> > > >
> > > > ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving Employees,dc=superiorpaving, dc=net))"
> > > >
> > > > There should not be a quote in front of "Superior" in the memberOf= part of the filter - LDAP filters can deal fine with spaces in the components of the filter, so your filter should look like this:
> > > >
> > > > ldap-user-search-filter: "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou= Superior Paving Employees,dc=superiorpaving, dc=net))"
> > > >
> > > > Also, in the line you pasted in to the e-mail, you had a semicolon, instead of a colon, at the end of ldap-user-search-filter.
> > > >
> > > > If it still doesn't work, try using that filter in an "ldapsearch" command and make sure you get results back:
> > > >
> > > > ldapsearch -H ldap://ad.superiorpaving.net -D <YOUR BIND DN HERE> -W '(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou= Superior Paving Employees,dc=superiorpaving, dc=net))'
> > > >
> > > > Should do the trick. If you get no results back or you get an error, fix it and try, again.
> > > >
> > > > -Nick
> > > >
> > > > On Wednesday, August 9, 2017, 12:46:13 PM EDT, Erik Berndt <[email protected]> wrote:
> > > > > I'm attempting to filter AD groups permitted to login through Guacamole, which is making use of the auth-mysql and auth-ldap extensions. Login works fine for the users defined in the ldap-user-base-dn.
> > > > >
> > > > > When I define the ldap-user-search-filter and reset the servlet container, all users are prevented from logging in.
> > > > >
> > > > > This is my first time writing ldap filters, so it's very possible this is a syntax issue. My search filter in guacamole.properties is as follows:
> > > > >
> > > > > ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving Employees,dc=superiorpaving, dc=net))"
> > > > >
> > > > > Can anyone assist me with this filter?
> > > > >
> > > > > I also have tried to restrict the ldap-user-base-dn to the specific group I want to give access to, but am running into the same issue.
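As an added sanity check (not code from this thread or from Guacamole), here is a small Python checker for a guacamole.properties ldap-user-search-filter line: it catches the two slips discussed above, a ';' instead of ':' after the key and a stray double quote inside the memberOf DN, plus unbalanced parentheses and a memberOf value that is not a DN. The two sample lines are constructed from the thread's filters; the regexes are a loose approximation of RFC 4515 filter and RFC 4514 DN syntax, not a replacement for testing with ldapsearch.

```python
import re

# Constructed from the thread: the broken properties line (';' after the key
# and a stray '"' inside the memberOf DN) and the simpler filter Paul suggested.
BROKEN = ('ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)'
          '(memberOf=cn=Accounting,ou=groups,ou=" Superior Paving Employees,'
          'dc=superiorpaving,dc=net))"')
FIXED = ('ldap-user-search-filter: (memberOf=CN=Accounting,ou=groups,'
         'OU=Superior Paving Employees,DC=superiorpaving,DC=net)')
FILTER_KEY = "ldap-user-search-filter"
# Loose RFC 4515 simple item "attr[:dn][:rule] op value" and RFC 4514 RDN "attr=value".
ITEM_RE = re.compile(r"^[A-Za-z][\w.;-]*(?::dn)?(?::[\w.-]+)?(=|~=|>=|<=)(.*)$")
RDN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=\s*\S")

def is_dn(s):
    """Every comma-separated RDN must look like attr=value with a non-empty value."""
    return all(RDN_RE.match(rdn) for rdn in s.split(","))

def check_filter(f):
    """Return a list of syntax problems found in an LDAP search filter string."""
    problems, depth = [], 0
    for ch in f:                      # parentheses must balance and never go negative
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            problems.append("unbalanced ')' in filter")
            break
    if depth > 0:
        problems.append("unbalanced '(' in filter")
    if '"' in f:                      # filter values are not quoted; a '"' is always a slip
        problems.append("stray '\"' inside filter")
    for item in re.findall(r"\(([^()]*)\)", f):   # every innermost (attr op value)
        m = ITEM_RE.match(item)
        if not m:
            problems.append(f"malformed item ({item})")
        elif item.lower().startswith("memberof=") and not is_dn(m.group(2)):
            problems.append(f"memberOf value is not a DN: {m.group(2)}")
    return problems

def check_properties_line(line):
    """Check one guacamole.properties line that sets ldap-user-search-filter."""
    m = re.match(r"^\s*([^:=;\s]+)\s*([:=;]?)\s*(.*?)\s*$", line)
    if not m or m.group(1) != FILTER_KEY:
        return [f"expected key {FILTER_KEY!r}"]
    sep, value = m.group(2), m.group(3)
    problems = [] if sep in ("", ":", "=") else [f"separator after key must be ':' or '=', not {sep!r}"]
    if len(value) > 1 and value[0] == value[-1] == '"':
        value = value[1:-1]           # tolerate an outer pair of quotes, check what is inside
    return problems + check_filter(value)
```

Calling check_properties_line(BROKEN) reports the separator and the stray quote, while check_properties_line(FIXED) returns an empty list.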
