LDAP_USER_BASE_DN pointing to an AD Security Group

LDAP_USER_BASE_DN pointing to an AD Security Group

Andy Pattrick

Hi,

I have LDAP authentication working using a BASE_DN pointing to an OU in my Active Directory. However, I would like to point the BASE_DN at a security group so that I can simply add users to the group if I want to allow them to access Guacamole without moving them to a different OU.

When I try this I find it doesn't work. I suspect this is because CNs are not supported in LDAP_USER_BASE_DN. Can anyone confirm if they have managed to do this?

In summary:

This works:

LDAP_USER_BASE_DN="OU=MyUsers,OU=Users,OU=MyBusiness,DC=mycompany,DC=com"

This does not work:

LDAP_USER_BASE_DN="CN=GUACAMOLE Group,OU=Security Groups,OU=MyBusiness,DC=mycompany,DC=com"

Many thanks, Andy.

Re: LDAP_USER_BASE_DN pointing to an AD Security Group

Der PCFreak

Hi Andy,

Maybe you just have to escape the spaces, like shown here: http://www.linuxquestions.org/questions/linux-general-1/how-to-specify-space-in-ou-name-in-ldap-search-835175/

e.g.

LDAP_USER_BASE_DN="CN=GUACAMOLE\ Group,OU=Security\ Groups,OU=MyBusiness,DC=mycompany,DC=com"

Cheers

Peter


On 06.06.2017 15:58, Andy Pattrick wrote:

> [...]

RE: LDAP_USER_BASE_DN pointing to an AD Security Group

Andy Pattrick

Hi,

Good idea, but unfortunately that's not it. I discovered that if I'm specifying an OU with spaces, escaping is not necessary, i.e.

this works...

LDAP_USER_BASE_DN="OU=External Demo Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=com"

...but if a CN (security group) is specified it doesn't work, with or without escaped spaces.

Cheers, Andy.


From: Der PCFreak
Sent: 07 June 2017 06:23
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

> [...]


Re: LDAP_USER_BASE_DN pointing to an AD Security Group

Marco Casavecchia Morganti
Hello,
I developed a small patch for the guacamole-auth-ldap extension that allows you to specify in guacamole.properties a new property: ldap-users-filter.

Basically, if you apply the patch, you can add an LDAP condition that must be satisfied by the users to become guacamole users. So if you set it to something like this:
ldap-users-filter: memberOf=CN=Guacamole,OU=Service Gropus,OU=Domain,DC=my,DC=lan
only the users that belong to the specified group will be listed in the guacamole interface and will be allowed to access Guacamole.

At that time I tried to submit the patch to the developers but I wasn't able to set up the whole environment needed to do that, so I gave up, hoping that my patch would be added by someone else sooner or later.

The patch is very simple and you can find it attached to this mail.
I applied it successfully to the latest incubating releases (0.9.11 and 0.9.12); I hope it will be helpful.

Best Regards

MCM

Attachments: ldap-users-filter.patch (6K), ATT00001.htm (9K)
RE: LDAP_USER_BASE_DN pointing to an AD Security Group

Andy Pattrick

Hi Marco,

Thanks for your reply. That's exactly what I would like to do, but unfortunately I am running Guacamole in Docker so I'm not sure I can use this patch very easily. Hopefully this will find its way into the official Docker image.

Cheers, Andy


From: Marco Casavecchia Morganti
Sent: 07 June 2017 10:37
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

> [...]

Re: LDAP_USER_BASE_DN pointing to an AD Security Group

Marco Casavecchia Morganti
Hi Andy,

I see, I installed it from sources instead.
Maybe I could send you the compiled jar, that should be easier for you.

MCM

On 7 Jun 2017, at 12:54, Andy Pattrick wrote:

> [...]


Re: LDAP_USER_BASE_DN pointing to an AD Security Group

tecnodata
Hi Marco,
I installed your patch on guacamole 0.9.12 and now only members of the group I specified in ldap-user-filter can access guacamole, but this is true only if the users are in the OU configured in ldap-user-base-dn.
What can I do to enable users in different OUs?

This is my configuration in guacamole.properties:

ldap-hostname: dc.test.local
ldap-port: 389
ldap-users-filter: memberOf=CN=guacgroup,DC=test,DC=local
ldap-user-base-dn: OU=guacamoleou,DC=test,DC=local
ldap-search-bind-dn: CN=guacamole,OU=guacamoleou,DC=test,DC=local
ldap-search-bind-password: mypass
ldap-username-attribute: sAMAccountName


Thanks



Di Girolamo Mariano
cell. +39 329 0552286
tel. +39 0735 7626263
Tecnodata s.r.l. - Via Val Tiberina, 23A - 63074 San Benedetto del Tronto (AP) Italy
tel. +39 0735 7626261 - www.tecnodata-srl.it
The content of this e-mail and of any attachments is strictly confidential, not admissible in court and intended for the person(s) to whom it is addressed. If you have received this e-mail in error, please notify us immediately and delete it from your computer. Copying and disclosing the content of this e-mail is forbidden. Any improper use of the information contained herein by third parties or by persons not indicated in this e-mail may be prosecuted according to law.
Re: LDAP_USER_BASE_DN pointing to an AD Security Group

Nick Couchman-2
In order to accomplish what you're trying to do, you need to change your base DN to a higher level. So, the following line:

ldap-user-base-dn: OU=guacamoleou,DC=test,DC=local

would need to be changed to:

ldap-user-base-dn: DC=test,DC=local

Another option is to leave the base DN as you have it, enable Alias Dereferencing (see the manual) and then link any additional users into the guacamoleou OU object.

Finally, there is a JIRA issue out there for changing LDAP behavior such that you can put multiple OUs in, but I don't think it has been implemented yet.

-Nick


On Friday, July 28, 2017, 4:15:10 AM EDT, Mariano Di Girolamo <[hidden email]> wrote:


Hi Marco,
I installed your patch on guacamole 0.9.12 and now only members to the group I specified on ldap-user-filter can access to guacamole, but this is true
only if users are in the OU configured on ldap-user-base-dn.
What can I do to enable users in different OU?

This is my configuration on guacamole.properties:

ldap-hostname: dc.test.local
ldap-port: 389
ldap-users-filter: memberOf=CN=guacgroup,DC=test,DC=local
ldap-user-base-dn: OU=guacamoleou,DC=test,DC=local
ldap-search-bind-dn: CN=guacamole,OU=guacamoleou,DC=test,DC=local
ldap-search-bind-password: mypass
ldap-username-attribute: sAMAccountName


Thanks



Di Girolamo Mariano
cell. <a href="callto:+39 360 959573" style="color:#336699;text-decoration:none;cursor:pointer;" rel="nofollow" target="_blank">+39 329 0552286
tel. <a href="callto:+39 0735 7626267" style="color:#336699;text-decoration:none;cursor:pointer;" rel="nofollow" target="_blank">+39 0735 7626263
Tecnodata s.r.l. - Via Val Tiberina, 23A - 63074 San Benedetto del Tronto (AP) Italy
tel. <a href="callto:+39 0735 7626261" style="color:#336699;text-decoration:none;cursor:pointer;" rel="nofollow" target="_blank">+39 0735 7626261 - www.tecnodata-srl.it
Il contenuto di questa e-mail e degli eventuali allegati, è strettamente confidenziale, non producibile in giudizio e destinato alla/e persona/e a cui è indirizzato. Se avete ricevuto per errore questa e-mail, Vi preghiamo di segnalarcelo immediatamente e di cancellarla dal vostro computer. E' fatto divieto di copiare e divulgare il contenuto di questa e-mail. Ogni utilizzo abusivo delle informazioni qui contenute da parte di persone terze o comunque non indicate nella presente e-mail, potrà essere perseguito ai sensi di legge.
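The two mechanisms that Marco's ldap-users-filter patch and Nick's base-DN advice rely on, as an added example that is neither Guacamole's nor the patch's own code: a base DN scopes a subtree search, so a group DN as base finds no users (members are attribute values of the group entry, not children of it), while a memberOf filter only narrows the users the base already reaches. The directory, the users alice/bob/carol, OU=Sales and the in-memory search emulation are constructed for the example; the filter escaping follows RFC 4515.

```python
"""Constructed model of the two knobs this thread turns on: the search
base (ldap-user-base-dn, which scopes a subtree search) and a memberOf
restriction (the ldap-users-filter property from Marco's patch).
No LDAP server is contacted; a tiny in-memory directory stands in for
the AD / Samba tree, and find_user_dns() emulates the subtree search."""


def escape_filter_value(value):
    """RFC 4515 escaping for an attribute value placed inside a search
    filter.  Applied to the login name, which is user-controlled, so a
    name such as 'x)(objectClass=*' cannot change the filter's meaning."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c
                   for c in value)


def build_filter(username, username_attr='sAMAccountName', group_dn=None):
    """The filter a user lookup would send: the username match, AND-ed
    with the memberOf condition when a group filter is configured.
    The group DN comes from the admin-written config and is not escaped."""
    user_clause = '(%s=%s)' % (username_attr, escape_filter_value(username))
    if not group_dn:
        return user_clause
    return '(&%s(memberOf=%s))' % (user_clause, group_dn)


def parse_dn(dn):
    """Split a DN into (type, value) RDNs, leaf first.  '\\,' and '\\ '
    are unescaped and type/value are case- and whitespace-normalised,
    which is how AD compares DNs.  Single-valued RDNs only."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):   # escaped char: keep literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if dn[i] == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append(''.join(cur))
    parsed = []
    for rdn in rdns:
        attr, _, val = rdn.partition('=')
        parsed.append((attr.strip().lower(), ' '.join(val.split()).lower()))
    return parsed


def is_under(entry_dn, base_dn):
    """Subtree-scope containment: entry_dn is base_dn or lies below it."""
    e, b = parse_dn(entry_dn), parse_dn(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


# Constructed directory: two group members in different OUs, one
# non-member, and the group object itself (members are attribute values).
GROUP = 'CN=guacgroup,DC=test,DC=local'
DIRECTORY = {
    'CN=alice,OU=guacamoleou,DC=test,DC=local':
        {'sAMAccountName': 'alice', 'memberOf': [GROUP]},
    'CN=bob,OU=Sales,DC=test,DC=local':
        {'sAMAccountName': 'bob', 'memberOf': [GROUP]},
    'CN=carol,OU=guacamoleou,DC=test,DC=local':
        {'sAMAccountName': 'carol', 'memberOf': []},
    GROUP:
        {'objectClass': 'group',
         'member': ['CN=alice,OU=guacamoleou,DC=test,DC=local',
                    'CN=bob,OU=Sales,DC=test,DC=local']},
}


def find_user_dns(username, base_dn, group_dn=None,
                  username_attr='sAMAccountName'):
    """Emulate the subtree search: entries under base_dn whose username
    attribute matches and, if group_dn is given, that list it in memberOf."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not is_under(dn, base_dn):
            continue
        if attrs.get(username_attr, '').lower() != username.lower():
            continue
        if group_dn and not any(parse_dn(g) == parse_dn(group_dn)
                                for g in attrs.get('memberOf', [])):
            continue
        hits.append(dn)
    return hits


if __name__ == '__main__':
    # Andy's attempt: the group as base.  Nothing lives under a group entry.
    print(find_user_dns('alice', GROUP))
    # tecnodata's config: OU base plus memberOf filter finds alice, not bob.
    print(find_user_dns('alice', 'OU=guacamoleou,DC=test,DC=local', GROUP))
    print(find_user_dns('bob', 'OU=guacamoleou,DC=test,DC=local', GROUP))
    # Nick's suggestion: raise the base to the domain root.
    print(find_user_dns('bob', 'DC=test,DC=local', GROUP))
    print(build_filter('x)(objectClass=*', group_dn=GROUP))
```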
Re: LDAP_USER_BASE_DN pointing to an AD Security Group

tecnodata
Hi Nick,
thanks for your reply.
I changed the ldap-user-base-dn as you suggested (DC=test,DC=local), but now nobody can access guacamole.
I don't use LDAP but a samba4 domain controller.


From: Nick Couchman
Sent: Friday, 28 July 2017 23:11:39
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

> [...]

Re: LDAP_USER_BASE_DN pointing to an AD Security Group

Nick Couchman-2
Hmmm...that's not very useful. Does the user account you're using to bind for the search have access to the other OUs? Generally they do, unless you've specifically locked down that user's permissions.

Any error messages in the log file for your application server (Tomcat, JBoss, whatever you're using)?

-Nick

== He has shown you, O man, what is good; And what does the LORD require of you But to do justly, To love mercy, And to walk humbly with your God? --Micah 6:8-- ==



On Monday, July 31, 2017, 3:29:36 AM EDT, Mariano Di Girolamo wrote:

> [...]

Re: LDAP_USER_BASE_DN pointing to an AD Security Group

tecnodata
The user used in the bind is a member of administrators.
I installed the new version of guacamole (0.9.13) but I have the same problem.
If I configure the base-dn like "DC=test,DC=local" I get this error in catalina.out:

ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.


From: Nick Couchman
Sent: Monday, 31 July 2017 15:24:06
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

> [...]

RE: LDAP_USER_BASE_DN pointing to an AD Security Group

James Fraser

Hi All

I am currently experiencing the same issue here: if targeting a specific OU in Active Directory it works as required. However, I am now implementing Guac for another client and require targeting multiple OUs; using the BASE OU and a few groups was the idea, but if I don't specify the OU that the users live in then I cannot seem to get it to work, and get the same

ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.

James Fraser • Microsoft Systems Engineer

From: Mariano Di Girolamo [mailto:[hidden email]]
Sent: Thursday, 3 August 2017 12:46 AM
To: user <[hidden email]>
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

 

The user used for the bind is a member of administrators.

I installed the new version of guacamole (0.9.13) but I have the same problem.

If I configure the base-dn as "DC=test,DC=local" I get this error in catalina.out:

 

ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.

 

 

 

 

Di Girolamo Mariano
cell. +39 329 0552286
tel. +39 0735 7626263

Tecnodata s.r.l. - Via Val Tiberina, 23A - 63074 San Benedetto del Tronto (AP) Italy

tel. +39 0735 7626261 - www.tecnodata-srl.it


 


From: "Nick Couchman" <[hidden email]>
To: "user" <[hidden email]>
Sent: Monday, 31 July 2017 15:24:06
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

 

Hmmm...that's not very useful.  Does the user account you're using to bind for the search have access to the other OUs?  Generally they do, unless you've specifically locked down that user's permissions.

 

Any error messages in the log file for your application server (Tomcat, JBoss - whatever you're using)?

 

-Nick

 

== He has shown you, O man, what is good; And what does the LORD require of you But to do justly, To love mercy, And to walk humbly with your God? --Micah 6:8-- ==

 

 

On Monday, July 31, 2017, 3:29:36 AM EDT, Mariano Di Girolamo <[hidden email]> wrote:

 

Hi Nick,

thanks for your reply.

I changed the ldap-user-base-dn as you suggested (DC=test,DC=local), but now nobody can access guacamole.

I don't use LDAP but a samba4 domain controller.

 

 

 

Di Girolamo Mariano
cell. +39 329 0552286
tel. +39 0735 7626263

Tecnodata s.r.l. - Via Val Tiberina, 23A - 63074 San Benedetto del Tronto (AP) Italy

tel. +39 0735 7626261 - www.tecnodata-srl.it


 


From: "Nick Couchman" <[hidden email]>
To: "user" <[hidden email]>
Sent: Friday, 28 July 2017 23:11:39
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

 

In order to accomplish what you're trying to do, you need to change your base DN to a higher level.  So, the following line:

 

ldap-user-base-dn: OU=guacamoleou,DC=test,DC=local



would need to be changed to:



ldap-user-base-dn: DC=test,DC=local



Another option is to leave the base DN as you have it, enable Alias Dereferencing (see the manual) and then link any additional users into the guacamoleou OU object.



Finally, there is a JIRA issue out there for changing LDAP behavior such that you can put multiple OUs in, but I don't think it has been implemented, yet.



-Nick

 

On Friday, July 28, 2017, 4:15:10 AM EDT, Mariano Di Girolamo <[hidden email]> wrote:

 

Hi Marco,
I installed your patch on guacamole 0.9.12 and now only members of the group I specified in ldap-user-filter can access guacamole, but this is true
only if the users are in the OU configured in ldap-user-base-dn.
What can I do to enable users in a different OU?

This is my configuration on guacamole.properties:

ldap-hostname: dc.test.local
ldap-port: 389
ldap-users-filter: memberOf=CN=guacgroup,DC=test,DC=local
ldap-user-base-dn: OU=guacamoleou,DC=test,DC=local
ldap-search-bind-dn: CN=guacamole,OU=guacamoleou,DC=test,DC=local
ldap-search-bind-password: mypass
ldap-username-attribute: sAMAccountName


Thanks



Di Girolamo Mariano
cell. +39 329 0552286
tel. +39 0735 7626263

Tecnodata s.r.l. - Via Val Tiberina, 23A - 63074 San Benedetto del Tronto (AP) Italy

tel. +39 0735 7626261 - www.tecnodata-srl.it



 

RE: LDAP_USER_BASE_DN pointing to an AD Security Group

James Fraser

Hi

 

I resolved this issue thanks to a comment from Nick on another ticket:

 

On Wed, Aug 9, 2017 at 2:31 PM, Nick Couchman <[hidden email]> wrote:

Are you getting any errors in your Tomcat log files?

 

Can you try pointing at port 3268 on your AD server, instead of the default 389?  There's an issue with querying the global catalog that is in the process of being fixed (PR is open for it), and I think querying the non-GC-port sometimes works.

 

-Nick

 

 

Changing to 3268 seems to have resolved my issue.

Cheers

 

James Fraser • Microsoft Systems Engineer

 

From: James Fraser [mailto:[hidden email]]
Sent: Monday, 14 August 2017 11:31 AM
To: [hidden email]
Subject: RE: LDAP_USER_BASE_DN pointing to an AD Security Group


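Two points in this thread are easy to misread from the log line alone: Nick's explanation that a user whose DN is not beneath ldap-user-base-dn is simply outside the search scope (so widening the base DN, not the filter, is what finds members in other OUs), and the fix James landed on of querying the global catalog port 3268 instead of 389. The following is an added example, not code from the thread or from Guacamole itself; it assumes the guacamole.properties lines Mariano posted (copied as a constructed sample, bind password omitted), two made-up group-member DNs, and a DN parser that handles escaped commas but not multi-valued RDNs. The filter composition (username attribute ANDed with the configured filter, username escaped per RFC 4515) is how a search of this kind is normally built and is not a claim about Guacamole's internal code.

```python
import re

# Constructed sample: the properties from the thread (bind password left out)
# and two invented group members, one inside and one outside the base DN.
SAMPLE_PROPERTIES = """\
ldap-hostname: dc.test.local
ldap-port: 389
ldap-users-filter: memberOf=CN=guacgroup,DC=test,DC=local
ldap-user-base-dn: OU=guacamoleou,DC=test,DC=local
ldap-search-bind-dn: CN=guacamole,OU=guacamoleou,DC=test,DC=local
ldap-username-attribute: sAMAccountName
"""

SAMPLE_GROUP_MEMBERS = [
    "CN=alice,OU=guacamoleou,DC=test,DC=local",  # inside the configured base DN
    "CN=bob,OU=sales,DC=test,DC=local",          # group member living in another OU
]

# Split on commas that are not escaped with a backslash.
_DN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Return [(attr, value), ...] with the most specific RDN first.
    Attribute types and values are lower-cased because AD compares DNs
    case-insensitively. Multi-valued RDNs (a=1+b=2) are not handled here
    (assumption for this example)."""
    rdns = []
    for part in _DN_SPLIT.split(dn):
        attr, _, value = part.strip().partition('=')
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_within_base(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it (subtree scope).
    A subtree search rooted at base_dn can only ever return such entries."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base):
        return False
    return entry[len(entry) - len(base):] == base


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    login name like "*)(objectClass=*" cannot rewrite the filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch
                   for ch in value)


def build_user_filter(username_attr, username, extra_filter=None):
    """Compose (&(attr=user)(extra)). The thread's ldap-users-filter value is
    written without surrounding parentheses, so they are added when missing."""
    user_clause = "(%s=%s)" % (username_attr, escape_filter_value(username))
    if not extra_filter:
        return user_clause
    extra = extra_filter.strip()
    if not extra.startswith('('):
        extra = "(%s)" % extra
    return "(&%s%s)" % (user_clause, extra)


def parse_properties(text):
    """Minimal 'key: value' parser for guacamole.properties-style text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition(':')
        props[key.strip()] = value.strip()
    return props


def check_config(props_text, group_member_dns):
    """Report which group members the configured base DN can never reach and
    whether the port is an AD global catalog port (3268 plain, 3269 TLS)."""
    props = parse_properties(props_text)
    base = props['ldap-user-base-dn']
    port = int(props.get('ldap-port', '389'))
    return {
        'base_dn': base,
        'unreachable_members': [dn for dn in group_member_dns
                                if not dn_within_base(dn, base)],
        'uses_global_catalog': port in (3268, 3269),
        'sample_filter': build_user_filter(props['ldap-username-attribute'],
                                           'alice',
                                           props.get('ldap-users-filter')),
    }


if __name__ == '__main__':
    report = check_config(SAMPLE_PROPERTIES, SAMPLE_GROUP_MEMBERS)
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```

With the thread's original settings the report lists bob as unreachable and flags that port 389 is not the global catalog; rewriting the base DN to DC=test,DC=local (as Nick suggested) empties the unreachable list, and the memberOf clause then does the real access gating, which is why the filter should always be combined with an escaped username clause rather than built by string concatenation from the login form.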