Posted to user@guacamole.apache.org by "Fertig, Brian" <br...@philips.com> on 2019/03/19 15:42:02 UTC

LDAP Questions

Greetings!

I just set up LDAP integration with Guac.  I try to log in and it keeps telling me it can't bind.  The configuration I am using is below.  This is against Active Directory.

ldap-user-base-dn:       OU=Users,OU=code2,DC=code2,DC=philips,DC=com
ldap-username-attribute: sAMAccountName

I notice it's trying to bind with the DN of sAMAccountName=XX,OU=Users,OU=code2,DC=code2,DC=philips,DC=com.  From what I can tell from reading up on how binding to LDAP works, you need to use the DN of a user, which this isn't.  What am I doing wrong?

Brian Fertig
MATC Tools Solutions Design Architect
Tools Program and Innovations
Monitoring Analytics & Therapeutic Care
Customer Service Operations


________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

Re: LDAP Questions

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Mar 19, 2019 at 8:45 PM Fertig, Brian <br...@philips.com>
wrote:

> Thanks Nick.  I ended up creating a service account and letting it roll.
> I vaguely remember this config a year ago when I set it up before.  I've
> got TOTP, MySQL, and LDAP set up.  It's humming.  Thanks!
>
>
>
Yeah, service account is what I do, as well.  In the future it'd be nice to
be able to do the <username>@<domain> authentication model, but service
account does the job, for now.

-Nick

RE: LDAP Questions

Posted by "Fertig, Brian" <br...@philips.com>.
Thanks Nick.  I ended up creating a service account and letting it roll.  I vaguely remember this config a year ago when I set it up before.  I've got TOTP, MySQL, and LDAP set up.  It's humming.  Thanks!


Brian


From: Nick Couchman <vn...@apache.org>
Sent: Tuesday, March 19, 2019 6:22 PM
To: user@guacamole.apache.org
Subject: Re: LDAP Questions

On Tue, Mar 19, 2019 at 12:01 PM Fertig, Brian <br...@philips.com> wrote:
Nico,

I am trying the latter.  When a user is trying to log into Guac I want that user's credentials presented to AD to see if they can.  If they can, then allow them to log in.  At least based on the documentation I assume this is how I have it set up.

Part of the issue you're running into is that the LDAP authentication module is a bit limited.  There's actually a JIRA issue already out there that seeks to loosen up the restrictions a bit, but it hasn't been worked, yet:

https://issues.apache.org/jira/browse/GUACAMOLE-536

Basically, right now there are two modes of authentication:
- Search & Bind: You specify a bind DN for an account to search the directory, Guacamole searches LDAP for the user that tries to bind as the user that has been located within the tree.  So, if you specify, in your guacamole.properties file, ldap-search-bind-dn of "cn=search,ou=accounts,dc=example,dc=com", and you try to log in as "testuser", Guacamole will first bind as the cn=search user, search for "testuser", assuming testuser is found (say, cn=testuser,ou=users,dc=example,dc=com), Guacamole will re-bind as the cn=testuser account using the password specified.
- Derive DN: You don't specify the ldap-search-bind-dn, but you do specify ldap-user-base-dn as "ou=users,dc=example,dc=com", then Guacamole derives the DN as cn=<username>,ou=users,dc=example,dc=com and attempts to bind with that password.  Using the "testuser" account from before, Guacamole would derive the DN to cn=testuser,ou=users,dc=example,dc=com, and then use the provided password to bind.  This mode is really only useful in the situation where you have a flat directory tree where all users (or at least all users that are going to be logging in to Guacamole) are found in the same OU.  You can simulate this within your LDAP tree by creating account aliases within a particular OU (ou=Guacamole_Users,dc=example,dc=com) and allowing the Guacamole module to dereference aliases.

The JIRA issue above deals specifically with Active Directory-style authentication, where the directory allows you to bind with <username>@<domain> (e.g. testuser@example.com).  Hopefully that'll get added at some point, when we have time to work on it.

Hopefully this helps.

-Nick


Re: LDAP Questions

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Mar 19, 2019 at 12:01 PM Fertig, Brian <br...@philips.com>
wrote:

> Nico,
>
> I am trying the latter.  When a user is trying to log into Guac I want that
> user's credentials presented to AD to see if they can.  If they can, then
> allow them to log in.  At least based on the documentation I assume this is
> how I have it set up.
>
>
Part of the issue you're running into is that the LDAP authentication
module is a bit limited.  There's actually a JIRA issue already out there
that seeks to loosen up the restrictions a bit, but it hasn't been worked,
yet:

https://issues.apache.org/jira/browse/GUACAMOLE-536

Basically, right now there are two modes of authentication:
- Search & Bind: You specify a bind DN for an account to search the
directory, Guacamole searches LDAP for the user that tries to bind as the
user that has been located within the tree.  So, if you specify, in your
guacamole.properties file, ldap-search-bind-dn of
"cn=search,ou=accounts,dc=example,dc=com", and you try to log in as
"testuser", Guacamole will first bind as the cn=search user, search for
"testuser", assuming testuser is found (say,
cn=testuser,ou=users,dc=example,dc=com), Guacamole will re-bind as the
cn=testuser account using the password specified.
- Derive DN: You don't specify the ldap-search-bind-dn, but you do specify
ldap-user-base-dn as "ou=users,dc=example,dc=com", then Guacamole derives
the DN as cn=<username>,ou=users,dc=example,dc=com and attempts to bind
with that password.  Using the "testuser" account from before, Guacamole
would derive the DN to cn=testuser,ou=users,dc=example,dc=com, and then use
the provided password to bind.  This mode is really only useful in the
situation where you have a flat directory tree where all users (or at least
all users that are going to be logging in to Guacamole) are found in the
same OU.  You can simulate this within your LDAP tree by creating account
aliases within a particular OU (ou=Guacamole_Users,dc=example,dc=com) and
allowing the Guacamole module to dereference aliases.

The JIRA issue above deals specifically with Active Directory-style
authentication, where the directory allows you to bind with
<username>@<domain> (e.g. testuser@example.com).  Hopefully that'll get
added at some point, when we have time to work on it.

Hopefully this helps.

-Nick
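The two modes Nick describes, modelled as an added example (not Guacamole's own code) against a constructed in-memory, AD-style directory whose entries are named by CN; the service-account DN and both passwords are assumed values. It shows why the original poster's derive-DN configuration builds a DN that does not exist, while search & bind with a service account locates the real entry by sAMAccountName.

```python
# Added example (not Guacamole's code): simulates Guacamole's two LDAP bind modes.

# Constructed directory: DN -> (attributes, password). AD entries are named by CN,
# so no entry has a DN of the form sAMAccountName=<user>,<base DN>.
DIRECTORY = {
    "CN=Test User,OU=Users,OU=code2,DC=code2,DC=philips,DC=com": (
        {"sAMAccountName": "testuser", "cn": "Test User"}, "user-pw"),
    "CN=guacsvc,OU=Service,DC=code2,DC=philips,DC=com": (  # hypothetical service account
        {"sAMAccountName": "guacsvc", "cn": "guacsvc"}, "svc-pw"),
}

def simple_bind(dn, password):
    """Simulated LDAP simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def search(base_dn, attribute, value):
    """Simulated subtree search: DNs under base_dn whose attribute equals value."""
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if dn.endswith(base_dn) and attrs.get(attribute) == value]

def guacamole_login(config, username, password):
    """Return (success, dn_attempted) following the two modes in the thread."""
    base = config["ldap-user-base-dn"]
    attr = config.get("ldap-username-attribute", "uid")  # Guacamole's default is uid
    search_dn = config.get("ldap-search-bind-dn")
    if search_dn is None:
        # Derive DN mode: <attribute>=<username>,<base DN>, whether or not such a DN exists.
        dn = f"{attr}={username},{base}"
        return simple_bind(dn, password), dn
    # Search & Bind mode: bind as the service account, find the user, re-bind as the user.
    if not simple_bind(search_dn, config["ldap-search-bind-password"]):
        return False, search_dn
    matches = search(base, attr, username)
    if len(matches) != 1:  # no hit or an ambiguous hit: refuse rather than guess
        return False, None
    return simple_bind(matches[0], password), matches[0]

BRIAN_CONFIG = {  # the original poster's settings: no search bind DN
    "ldap-user-base-dn": "OU=Users,OU=code2,DC=code2,DC=philips,DC=com",
    "ldap-username-attribute": "sAMAccountName",
}
SERVICE_CONFIG = dict(BRIAN_CONFIG,  # same, plus the assumed service account
    **{"ldap-search-bind-dn": "CN=guacsvc,OU=Service,DC=code2,DC=philips,DC=com",
       "ldap-search-bind-password": "svc-pw"})

if __name__ == "__main__":
    print(guacamole_login(BRIAN_CONFIG, "testuser", "user-pw"))
    print(guacamole_login(SERVICE_CONFIG, "testuser", "user-pw"))
```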

RE: LDAP Questions

Posted by "Fertig, Brian" <br...@philips.com>.
Nico, 

I am trying the latter.  When a user is trying to log into Guac I want that user's credentials presented to AD to see if they can.  If they can, then allow them to log in.  At least based on the documentation I assume this is how I have it set up.


Brian


-----Original Message-----
From: Nico Schottelius <ni...@ungleich.ch> 
Sent: Tuesday, March 19, 2019 11:57 AM
To: user@guacamole.apache.org
Cc: Fertig, Brian <br...@philips.com>
Subject: Re: LDAP Questions


Hey Brian,

you usually have two different methods for LDAP authentication:

- binding with a specific system user
- binding (login) with the user that wants to login

I am not fluent on how AD works, but in case of OpenLDAP, you will need to grant the binding access to the user(s) that you want to be able to bind (just being a user that can "login" to other apps is not enough).

HTH,

Nico

Fertig, Brian <br...@philips.com> writes:

> Greetings!
>
> I just set up LDAP integration with Guac.  I try to log in and it keeps telling me it can't bind.  The configuration I am using is below.  This is against Active Directory.
>
> ldap-user-base-dn:       OU=Users,OU=code2,DC=code2,DC=philips,DC=com
> ldap-username-attribute: sAMAccountName
>
> I notice it's trying to bind with the DN of sAMAccountName=XX,OU=Users,OU=code2,DC=code2,DC=philips,DC=com.  From what I can tell from reading up on how binding to LDAP works, you need to use the DN of a user, which this isn't.  What am I doing wrong?
>
> Brian Fertig
> MATC Tools Solutions Design Architect
> Tools Program and Innovations
> Monitoring Analytics & Therapeutic Care
> Customer Service Operations
>
>


--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.

Re: LDAP Questions

Posted by Nico Schottelius <ni...@ungleich.ch>.
Hey Brian,

you usually have two different methods for LDAP authentication:

- binding with a specific system user
- binding (login) with the user that wants to login

I am not fluent on how AD works, but in case of OpenLDAP, you will need
to grant the binding access to the user(s) that you want to be able to
bind (just being a user that can "login" to other apps is not enough).

HTH,

Nico

Fertig, Brian <br...@philips.com> writes:

> Greetings!
>
> I just set up LDAP integration with Guac.  I try to log in and it keeps telling me it can't bind.  The configuration I am using is below.  This is against Active Directory.
>
> ldap-user-base-dn:       OU=Users,OU=code2,DC=code2,DC=philips,DC=com
> ldap-username-attribute: sAMAccountName
>
> I notice it's trying to bind with the DN of sAMAccountName=XX,OU=Users,OU=code2,DC=code2,DC=philips,DC=com.  From what I can tell from reading up on how binding to LDAP works, you need to use the DN of a user, which this isn't.  What am I doing wrong?
>
> Brian Fertig
> MATC Tools Solutions Design Architect
> Tools Program and Innovations
> Monitoring Analytics & Therapeutic Care
> Customer Service Operations
>
>


--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.