Thanks Paul, I entered something similar but had a small syntax error. It's
working for me now!


Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or fi...@superiorpaving.net

On Wed, Aug 9, 2017 at 3:08 PM, Paul Cantle <p...@cantle.me> wrote:

> Hi,
>
> On the original note, I understand you just want to restrict guacamole to
> members of a certain group and while Nick’s filter should work fine, I’m
> not sure there’s a need to overcomplicate it so much.
>
>
>
> I use a filter in a similar fashion and only specify the group. Like so:
>
>
>
> ldap-user-search-filter: (memberOf=CN= Accounting,ou=groups,OU=Superior Paving Employees,DC=superiorpaving,DC=net)
>
> Also, I think there may be some confusion re the ports below. The GC port
> is 3268, not 389 (non-GC port), not the other way round as mentioned below.
>
>
>
> I’m also querying the global catalogue port of 3268. This is only required
> usually if your ldap-user-base-dn: is set at the root of the AD, if you’re
> using an Org or container under the root then querying 389 should work fine.
>
>
>
> If you change the filter to the one above, does it give you the desired
> results?
>
>
> Rgds
>
>
> Paul
>
>
>
> From: Erik Berndt <erikber...@superiorpaving.net>
> Reply-To: "user@guacamole.incubator.apache.org" <user@guacamole.incubator.apache.org>
> Date: Wednesday, 9 August 2017 at 19:42
> To: "user@guacamole.incubator.apache.org" <user@guacamole.incubator.apache.org>
> Subject: Re: ldap-user-search-filter
>
> I tried port 3268 on the AD server, but the following errors return in the
> Tomcat error logs.
>
>
>
> 14:39:28.097 [http-nio-8080-exec-4] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.
>
> On Wed, Aug 9, 2017 at 2:31 PM, Nick Couchman <nick.couch...@yahoo.com>
> wrote:
>
> Are you getting any errors in your Tomcat log files?
>
>
>
> Can you try pointing at port 3268 on your AD server, instead of the
> default 389?  There's an issue with querying the global catalog that is in
> the process of being fixed (PR is open for it), and I think querying the
> non-GC-port sometimes works.
>
>
>
> -Nick
>
> On Wednesday, August 9, 2017, 2:26:42 PM EDT, Erik Berndt <
> erikber...@superiorpaving.net> wrote:
>
> Thanks Nick. I tweaked the search filter a little bit and am able to
> return the group membership with ldapsearch, but when applying that same
> filter to guacamole.properties, no users are able to authenticate.
>
>
>
> Is it possible there is an additional parameter that needs to be used in
> conjunction with ldap-user-search-filter?
>
> On Wed, Aug 9, 2017 at 12:51 PM, Nick Couchman <nick.couch...@yahoo.com>
> wrote:
>
> Not sure if this is a paste error or how you actually have it, but you
> have an extra quotation mark:
>
> ldap-user-search-filter; "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving Employees,dc=superiorpaving, dc=net))"
>
> There should not be a quote in front of "Superior" in the memberOf= part
> of the filter - LDAP filters can deal fine with spaces in the components of
> the filter, so your filter should look like this:
>
>
>
> ldap-user-search-filter: "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou= Superior Paving Employees,dc=superiorpaving, dc=net))"
>
>
>
> Also, in the line you pasted in to the e-mail, you had a semicolon,
> instead of a colon, at the end of ldap-user-search-filter.
>
>
>
> If it still doesn't work, try using that filter in an "ldapsearch" command
> and make sure you get results back:
>
>
>
> ldapsearch -H ldap://ad.superiorpaving.net -D <YOUR BIND DN HERE> -W '(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou= Superior Paving Employees,dc=superiorpaving, dc=net))'
>
>
>
> Should do the trick.  If you get no results back or you get an error, fix
> it and try, again.
>
>
>
> -Nick
>
>
>
> On Wednesday, August 9, 2017, 12:46:13 PM EDT, Erik Berndt <
> erikber...@superiorpaving.net > wrote:
>
>
> I'm attempting to filter AD groups permitted to login through Guacamole,
> which is making use of the auth-mysql and auth-ldap extensions. Login works
> fine for the users defined in the ldap-user-base-dn.
>
> When I define the ldap-user-search-filter and reset the servlet container,
> all users are prevented from logging in.
>
> This is my first time writing ldap filters, so it's very possible this is
> a syntax issue. My search filter in guacamole.properties is as follows:
>
> ldap-user-search-filter; "(&(objectCategory=Group)( sAMAccountName=*)(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving Employees,dc=superiorpaving, dc=net))"
>
> Can anyone assist me with this filter?
>
> I also have tried to restrict the ldap-user-base-dn to the specific group
> I want to give access to, but am running into the same issue.
>

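Added example, not code from the thread or from the Guacamole project: a small linter for the ldap-user-search-filter line that catches the three mistakes the thread walks through (a ';' instead of ':' after the key, the stray double quote, unbalanced parentheses) and normalises the memberOf DN so the filter in guacamole.properties can be compared with the DN ldapsearch returns for the group. The quote check assumes guacamole.properties is read as a standard Java properties file, which keeps surrounding quotes as part of the value.

```python
import re
from typing import List, Optional

KEY = "ldap-user-search-filter"

# The three filter lines from the thread, re-joined from the wrapped e-mail text.
ERIK_ORIGINAL = ('ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)'
                 '(memberOf=cn= Accounting,ou=groups,ou=" Superior Paving Employees,'
                 'dc=superiorpaving, dc=net))"')
NICK_FIX = ('ldap-user-search-filter: "(&(objectCategory=Group)(sAMAccountName=*)'
            '(memberOf=cn= Accounting,ou=groups,ou= Superior Paving Employees,'
            'dc=superiorpaving, dc=net))"')
PAUL_FILTER = ("ldap-user-search-filter: (memberOf=CN= Accounting,ou=groups,"
               "OU=Superior Paving Employees,DC=superiorpaving,DC=net)")


def lint_filter_line(line: str) -> List[str]:
    """Return the problems found in one properties line; an empty list means clean."""
    m = re.match(r"\s*" + re.escape(KEY) + r"\s*([:;=])\s*(.*)$", line)
    if not m:
        return ["line does not set " + KEY]
    sep, value = m.group(1), m.group(2).strip()
    problems = []
    if sep == ";":
        problems.append("';' used instead of ':' after the key")
    if len(value) > 1 and value.startswith('"') and value.endswith('"'):
        # Assumption: java.util.Properties keeps the quotes, so the filter would begin with '"'
        problems.append("value wrapped in quotes, which become part of the filter")
        value = value[1:-1]
    if '"' in value:
        problems.append("stray double quote inside the filter")
    depth = 0
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            problems.append("')' before its matching '('")
            break
    if depth > 0:
        problems.append("unclosed '('")
    return problems


def member_of_dn(line: str) -> Optional[str]:
    """DN asserted by the first memberOf= clause, spaces around '=' and ',' removed."""
    m = re.search(r"memberOf=([^()]+)", line, flags=re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\s*([=,])\s*", r"\1", m.group(1)).strip()
```

Run `lint_filter_line` on each line before restarting Tomcat; the normalised DN from `member_of_dn` is what to paste into the ldapsearch check Nick describes.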