ldap-user-search-filter


ldap-user-search-filter

Erik Berndt
I'm attempting to filter AD groups permitted to log in through Guacamole, which is making use of the auth-mysql and auth-ldap extensions. Login works fine for the users defined in the ldap-user-base-dn.

When I define the ldap-user-search-filter and reset the servlet container, all users are prevented from logging in.

This is my first time writing ldap filters, so it's very possible this is a syntax issue. My search filter in guacamole.properties is as follows:

ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou="Superior Paving Employees,dc=superiorpaving,dc=net))"

Can anyone assist me with this filter? 

I also have tried to restrict the ldap-user-base-dn to the specific group I want to give access to, but am running into the same issue.

Erik Berndt / Systems Administrator

Re: ldap-user-search-filter

Nick Couchman-2
Not sure if this is a paste error or how you actually have it, but you have an extra quotation mark:

ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou="Superior Paving Employees,dc=superiorpaving,dc=net))"

There should not be a quote in front of "Superior" in the memberOf= part of the filter - LDAP filters can deal fine with spaces in the components of the filter, so your filter should look like this:

ldap-user-search-filter: "(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou=Superior Paving Employees,dc=superiorpaving,dc=net))"

Also, in the line you pasted into the e-mail, you had a semicolon, instead of a colon, at the end of ldap-user-search-filter.

If it still doesn't work, try using that filter in an "ldapsearch" command and make sure you get results back:

ldapsearch -x -H ldap://ad.superiorpaving.net -D <YOUR BIND DN HERE> -W -b <YOUR BASE DN HERE> '(&(objectCategory=Group)(sAMAccountName=*)(memberOf=cn=Accounting,ou=groups,ou=Superior Paving Employees,dc=superiorpaving,dc=net))'

Should do the trick.  If you get no results back or you get an error, fix it and try again.

-Nick


On Wednesday, August 9, 2017, 12:46:13 PM EDT, Erik Berndt <[hidden email]> wrote:

Re: ldap-user-search-filter

Erik Berndt
Thanks Nick. I tweaked the search filter a little bit and am able to return the group membership with ldapsearch, but when applying that same filter to guacamole.properties, no users are able to authenticate. 

Is it possible there is an additional parameter that needs to be used in conjunction with ldap-user-search-filter?

Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?  
http://FixIT.superiorpaving.net/portal or [hidden email]

On Wed, Aug 9, 2017 at 12:51 PM, Nick Couchman <[hidden email]> wrote:


Re: ldap-user-search-filter

Nick Couchman-2
Are you getting any errors in your Tomcat log files?

Can you try pointing at port 3268 on your AD server, instead of the default 389?  There's an issue with querying the global catalog that is in the process of being fixed (PR is open for it), and I think querying the non-GC-port sometimes works.

-Nick



On Wednesday, August 9, 2017, 2:26:42 PM EDT, Erik Berndt <[hidden email]> wrote:


Re: ldap-user-search-filter

Erik Berndt
I tried port 3268 on the AD server, but the following errors return in the Tomcat error logs.

14:39:28.097 [http-nio-8080-exec-4] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.

Erik Berndt / Systems Administrator

On Wed, Aug 9, 2017 at 2:31 PM, Nick Couchman <[hidden email]> wrote:



Re: ldap-user-search-filter

Paul Cantle

Hi,

On the original note, I understand you just want to restrict guacamole to members of a certain group and while Nick’s filter should work fine, I’m not sure there’s a need to overcomplicate it so much.

I use a filter in a similar fashion and only specify the group. Like so:

ldap-user-search-filter: (memberOf=CN=Accounting,ou=groups,OU=Superior Paving Employees,DC=superiorpaving,DC=net)

Also, I think there may be some confusion re the ports below. The GC port is 3268, not 389 (non-GC port), not the other way round as mentioned below.

I’m also querying the global catalogue port of 3268. This is only required usually if your ldap-user-base-dn: is set at the root of the AD; if you’re using an Org or container under the root then querying 389 should work fine.

If you change the filter to the one above, does it give you the desired results?

Rgds

Paul

From: Erik Berndt <[hidden email]>
Reply-To: "[hidden email]" <[hidden email]>
Date: Wednesday, 9 August 2017 at 19:42
To: "[hidden email]" <[hidden email]>
Subject: Re: ldap-user-search-filter

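As an added example (not code from this thread, from Guacamole or from any poster), a small Python checker that models the two syntax points Nick raised, the ';' that java.util.Properties keeps as part of the key and the stray double quote in the DN, and then evaluates Paul's group-only filter against constructed directory entries. The property lines, the base DN and the two user entries are constructed from this thread; the filter parser covers only the RFC 4515 subset the thread uses.

```python
import re

# Constructed guacamole.properties lines modelled on the thread, not the real file:
# the broken line from the first post and the group-only form Paul suggested.
BROKEN_LINE = ('ldap-user-search-filter; "(&(objectCategory=Group)(sAMAccountName=*)'
               '(memberOf=cn=Accounting,ou=groups,ou="Superior Paving Employees,'
               'dc=superiorpaving,dc=net))"')
GROUP_LINE = ('ldap-user-search-filter: (memberOf=CN=Accounting,ou=groups,'
              'OU=Superior Paving Employees,DC=superiorpaving,DC=net)')
BASE = 'OU=groups,OU=Superior Paving Employees,DC=superiorpaving,DC=net'
# Constructed stand-ins for AD user entries: attribute -> list of values.
USERS = {
    'eberndt': {'sAMAccountName': ['eberndt'], 'memberOf': ['CN=Accounting,' + BASE]},
    'visitor': {'sAMAccountName': ['visitor'], 'memberOf': ['CN=Guests,' + BASE]},
}

def parse_property(line):
    """Mimic java.util.Properties: the key ends at the first '=', ':' or whitespace and
    an optional single separator follows, so a ';' after the name stays in the key."""
    m = re.match(r'\s*([^=:\s]*)[ \t]*[=:]?\s*(.*?)\s*$', line)
    return m.group(1), m.group(2)

def lint_filter(value):
    """Cheap syntax checks worth running before restarting the servlet container."""
    problems = []
    if value.count('"') % 2:
        problems.append('unbalanced double quote inside the filter')
    if not (value.startswith('(') and value.endswith(')')):
        problems.append('an LDAP filter starts with "(" and ends with ")"')
    if value.count('(') != value.count(')'):
        problems.append('unbalanced parentheses')
    return problems

def parse_filter(s):
    """Parse the RFC 4515 subset the thread uses (&, |, attr=value, attr=*) into a tree."""
    def node(i):
        if s[i] != '(':
            raise ValueError('expected "(" at offset %d' % i)
        if s[i + 1] in '&|':
            op, kids, i = s[i + 1], [], i + 2
            while s[i] != ')':
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        end = s.index(')', i)
        attr, _, value = s[i + 1:end].partition('=')
        return ('=', attr, value), end + 1
    return node(0)[0]

def norm(v):
    """AD compares DNs case-insensitively; also drop spaces a mail client inserts after commas."""
    return ','.join(p.strip().lower() for p in v.split(','))

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    if tree[0] in ('&', '|'):
        return (all if tree[0] == '&' else any)(matches(k, entry) for k in tree[1])
    _, attr, value = tree
    vals = [v for a, vs in entry.items() if a.lower() == attr.lower() for v in vs]
    return bool(vals) if value == '*' else any(norm(v) == norm(value) for v in vals)

def permitted_users(prop_line, users=USERS):
    """Names of the entries the configured ldap-user-search-filter would match."""
    key, value = parse_property(prop_line)
    if key != 'ldap-user-search-filter':
        raise ValueError('key %r not recognised: use ":" or "=" after the name' % key)
    if lint_filter(value):
        raise ValueError('; '.join(lint_filter(value)))
    return sorted(n for n, e in users.items() if matches(parse_filter(value), e))
```

Running permitted_users(BROKEN_LINE) raises on the ';' key before the filter is even looked at, while permitted_users(GROUP_LINE) returns only the constructed Accounting member.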

Re: ldap-user-search-filter

Erik Berndt
Thanks Paul, I entered something similar but had a small syntax error. It's working for me now!


Erik Berndt / Systems Administrator

On Wed, Aug 9, 2017 at 3:08 PM, Paul Cantle <[hidden email]> wrote: