Posted to user@guacamole.apache.org by Fabio Corsi <fa...@gmail.com> on 2020/02/25 03:52:06 UTC

ldap-user-search-filter problem

Hi,

I’ve a fresh install of Guacamole 1.1.0 on Ubuntu 18.0.4 Server.

I have the LDAP extension installed (along with the MySQL one) and I’ve defined connections directly into LDAP.
Everything works just fine, users are authenticated and are allowed the proper connections; however, I would like to allow only users MemberOf one LDAP group (e.g. guacusers) to log in to my Guacamole site.
I’m using ldap-user-search-filter, but it does not seem to work. As of now any active user in my LDAP directory can log in to the Guacamole site.
No connections are displayed for the users that I would like to disallow, but nevertheless they can still log in...

This is the LDAP configuration in my guacamole.properties 

# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid
ldap-user-search-filter: (memberof=cn=guacusers,ou=users,dc=my,dc=domain)
ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain

And I have previously used this same configuration some time back when I was testing version 0.9.14 and it seemed to be working...


Note that if I run the same filter on my LDAP server, e.g.:
ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
I get the expected result...

I’ve also tried adding other specifiers to the filter, like 
(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))

they all work when I query the LDAP server with ldapsearch, but don’t seem to have any effect when I use them in Guacamole.

Thanks for your help,
Fabio


Re[2]: How many users can use Guacamole simultaneously?

Posted by Stewart Alexander <st...@alamancecc.edu>.
Hi Adrian et al. ...

Thank you; as sort of expected, the bottlenecks are hardware specs and 
user use type.

Does Apache Guacamole have the capability to throttle users to allow for 
more connections?

Best Regards,
Stewart

------ Original Message ------
From: "Adrian Owen" <ad...@eesm.com>
To: "user@guacamole.apache.org" <us...@guacamole.apache.org>; "Stewart 
Alexander" <st...@alamancecc.edu>
Sent: 3/3/2020 11:36:27 AM
Subject: RE: How many users can use Guacamole simultaneously?

>
>
>
>https://sourceforge.net/p/guacamole/discussion/1110834/thread/666f7a9f/
>
>
>
>From: Stewart Alexander [mailto:stewart.alexander@alamancecc.edu]
>Sent: 03 March 2020 12:47
>To:user@guacamole.apache.org
>Subject: How many users can use Guacamole simultaneously?
>
>
>
>Hi all,
>
>
>
>Does anyone know how many users can log in through Guacamole 
>simultaneously?
>
>
>
>What are the bottlenecks?
>
>
>
>Thank you,
>
>Stewart Alexander
>
>
>
>
>
>------ Original Message ------
>
>From: "Fabio Corsi" <fa...@gmail.com>
>
>To: user@guacamole.apache.org <ma...@guacamole.apache.org>
>
>Sent: 3/2/2020 5:01:07 PM
>
>Subject: Re: ldap-user-search-filter problem
>
>
>
>>
>>Hi,
>>
>>
>>
>>I was wondering if anyone could provide some insight on this issue.
>>
>>
>>
>>To recap my previous message I have a ldap-user-search-filter set to
>>
>>         
>>(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))
>>
>>however any valid LDAP user is allowed to log in on the Guacamole web 
>>page.
>>
>>My configuration: Guacamole 1.1.0, Ubuntu 18.04, openLDAP 
>>(libldap-2.4-2:amd64) on a separate Ubuntu 18.04 VM.
>>
>>
>>
>>Since my first message I’ve done some additional investigation into 
>>the problem.
>>
>>By looking at the logs on my LDAP server I can see that the filters 
>>are passed on to the LDAP server and they do return the correct number 
>>of entries.
>>
>>
>>
>>There are a couple of things that seem strange to me:
>>
>>  *   Not sure why the "(|(uid=*))" clause is added to the main group 
>>      filter defined in my configuration
>>  *   For the user in the guacusers group the SeeAlso seems to expand 
>>      to all the objects of class groupOfNames in my directory
>>
>>
>>Here are the log entries for the user that is in the guacusers group:
>>
>>>slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422 
>>>(IP=0.0.0.0:389)
>>>slapd[904]: conn=9470 op=0 BIND 
>>>dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
>>>slapd[904]: conn=9470 op=0 BIND 
>>>dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
>>>slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=
>>>slapd[904]: conn=9470 op=1 SRCH base="ou=groups,dc=my,dc=domain" 
>>>scope=2 deref=0 
>>>filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
>>>slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0 nentries=5 
>>>text=
>>>slapd[904]: conn=9470 fd=48 closed (connection lost)
>>>slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 
>>>(IP=0.0.0.0:389)
>>>slapd[904]: conn=9471 op=0 BIND 
>>>dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
>>>slapd[904]: conn=9471 op=0 BIND 
>>>dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
>>>slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
>>>slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" 
>>>scope=2 deref=0 
>>>filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
>>>slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 
>>>text=
>>>slapd[904]: conn=9471 op=2 SRCH base="ou=groups,dc=my,dc=domain" 
>>>scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
>>>slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0 nentries=46 
>>>text=
>>>slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" 
>>>scope=2 deref=0 
>>>filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
>>>slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 
>>>text=
>>>slapd[904]: conn=9471 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" 
>>>scope=2 deref=0 
>>>filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)(seeAlso=cn=group1,ou=groups,dc=my,dc=domain)(seeAlso=cn=group2,ou=groups,dc=my,dc=domain)(seeAlso=cn=group3,ou=groups,dc=my,dc=domain)(seeAlso=cn=group4,ou=groups,dc=my,dc=domain)(seeAlso=cn=guacusers,ou=groups,dc=my,dc=domain)))"
>>>slapd[904]: conn=9471 op=4 SEARCH RESULT tag=101 err=0 nentries=1 
>>>text=
>>>
>>
>>
>>And for the user that is not in the guacusers group:
>>
>>>slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 
>>>(IP=0.0.0.0:389)
>>>
>>>slapd[904]: conn=9478 op=0 BIND 
>>>dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
>>>
>>>slapd[904]: conn=9478 op=0 BIND 
>>>dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE 
>>>ssf=0
>>>
>>>slapd[904]: conn=9478 op=0 RESULT tag=97 err=0 text=
>>>
>>>slapd[904]: conn=9478 op=1 SRCH base="ou=groups,dc=my,dc=domain" 
>>>scope=2 deref=0 
>>>filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
>>>
>>>slapd[904]: conn=9478 op=1 SEARCH RESULT tag=101 err=0 nentries=0 
>>>text=
>>>
>>>slapd[904]: conn=9478 fd=88 closed (connection lost)
>>>
>>>slapd[904]: conn=9479 fd=88 ACCEPT from IP=10.16.33.12:52432 
>>>(IP=0.0.0.0:389)
>>>
>>>slapd[904]: conn=9479 op=0 BIND 
>>>dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
>>>
>>>slapd[904]: conn=9479 op=0 BIND 
>>>dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE 
>>>ssf=0
>>>
>>>slapd[904]: conn=9479 op=0 RESULT tag=97 err=0 text=
>>>
>>>slapd[904]: conn=9479 op=1 SRCH base="ou=users,dc=my,dc=domain" 
>>>scope=2 deref=0 
>>>filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
>>>
>>>slapd[904]: conn=9479 op=1 SEARCH RESULT tag=101 err=0 nentries=6 
>>>text=
>>>
>>>slapd[904]: conn=9479 op=2 SRCH base="ou=groups,dc=my,dc=domain" 
>>>scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
>>>
>>>slapd[904]: conn=9479 op=2 SEARCH RESULT tag=101 err=0 nentries=46 
>>>text=
>>>
>>>slapd[904]: conn=9479 op=3 SRCH base="ou=groups,dc=my,dc=domain" 
>>>scope=2 deref=0 
>>>filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
>>>
>>>slapd[904]: conn=9479 op=3 SEARCH RESULT tag=101 err=0 nentries=0 
>>>text=
>>>
>>>slapd[904]: conn=9479 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" 
>>>scope=2 deref=0 
>>>filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
>>>
>>>slapd[904]: conn=9479 op=4 SEARCH RESULT tag=101 err=0 nentries=0 
>>>text=
>>>
>>>
>>>
>>And this is my full configuration file:
>>
>>># Hostname and port of guacamole proxy
>>>guacd-hostname: localhost
>>>guacd-port:     4822
>>>
>>>#skip-if-unavailable: mysql, ldap
>>>api-session-timeout: 15
>>>
>>># LDAP properties
>>>ldap-hostname: configserver.my.domain
>>>ldap-port: 389
>>>ldap-user-base-dn: ou=users,dc=my,dc=domain
>>>ldap-username-attribute: uid
>>>ldap-user-search-filter: 
>>>(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
>>>ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
>>>ldap-group-base-dn: ou=groups,dc=my,dc=domain
>>>
>>># MySQL properties
>>>mysql-hostname: localhost
>>>mysql-port: 3306
>>>mysql-database: guacamole_db
>>>mysql-username: guacamole_user
>>>mysql-password: MySecret
>>>
>>
>>
>>Thanks,
>>
>>Fabio
>>
>>
>>
>>
>>>On Feb 25, 2020, at 10:46, Fabio Corsi 
>>><fa...@gmail.com> wrote:
>>>
>>>
>>>
>>>We're using openLDAP (libldap-2.4-2:amd64) on a separate Ubuntu 18.04 
>>>installation.
>>>
>>>
>>>
>>>Many thanks,
>>>
>>>Fabio
>>>
>>>
>>>
>>>
>>>>On Feb 24, 2020, at 22:57, Mike Jumper <mj...@apache.org> wrote:
>>>>
>>>>
>>>>
>>>>On Mon, Feb 24, 2020, 19:52 Fabio Corsi 
>>>><fa...@gmail.com> wrote:
>>>>
>>>>>Hi,
>>>>>
>>>>>
>>>>>
>>>>>I’ve a fresh install of Guacamole 1.1.0 on Ubuntu 18.0.4 Server.
>>>>>
>>>>>
>>>>>
>>>>>I have the LDAP extension installed (along with the MySQL one) and 
>>>>>I’ve defined connections directly into LDAP.
>>>>>
>>>>>Everything works just fine, users are authenticated and are allowed 
>>>>>the proper connections; however, I would like to allow only users 
>>>>>MemberOf one LDAP group (e.g. guacusers) to log in to my Guacamole 
>>>>>site.
>>>>>
>>>>>I’m using ldap-user-search-filter, but it does not seem to work. As 
>>>>>of now any active user in my LDAP directory can log in to the 
>>>>>Guacamole site.
>>>>>
>>>>>No connections are displayed for the users that I would like to 
>>>>>disallow, but nevertheless they can still log in...
>>>>>
>>>>>
>>>>>
>>>>>This is the LDAP configuration in my guacamole.properties 
>>>>>
>>>>>
>>>>>
>>>>>># LDAP properties
>>>>>>
>>>>>>ldap-hostname: configserver.my.domain
>>>>>>
>>>>>>ldap-port: 389
>>>>>>
>>>>>>ldap-user-base-dn: ou=users,dc=my,dc=domain
>>>>>>
>>>>>>ldap-username-attribute: uid
>>>>>>
>>>>>>ldap-user-search-filter: 
>>>>>>(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))
>>>>>>
>>>>>>ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
>>>>>>
>>>>>>ldap-group-base-dn: ou=groups,dc=my,dc=domain
>>>>>>
>>>>>
>>>>>
>>>>>And I have previously used this same configuration some time back 
>>>>>when I was testing version 0.9.14 and it seemed to be working...
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>Note that if I run the same filter on my LDAP server, e.g.:
>>>>>
>>>>>>ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s 
>>>>>>sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
>>>>>>
>>>>>I get the expected result...
>>>>>
>>>>>
>>>>>
>>>>>I’ve also tried adding other specifiers to the filter, like
>>>>>
>>>>>>(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)
>>>>>>
>>>>>
>>>>>
>>>>>they all work when I query the LDAP server with ldapsearch, but 
>>>>>don’t seem to have any effect when I use them in Guacamole.
>>>>>
>>>>
>>>>
>>>>What LDAP server is being used?
>>>>
>>>>
>>>>
>>>>- Mike
>>>>
>>>
>>>
>>
>>
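
A small audit over the slapd lines quoted in Fabio's message above, as an added example (not part of the thread and not Guacamole's own code): it groups operations per connection and flags successful simple binds whose group-membership search under ou=groups returned no entries, and notes that the search under ou=users uses the wildcard (uid=*) rather than the bound user's uid. The sample lines and base DNs reuse the thread's placeholder names (dc=my,dc=domain, user_in_guacusers, user_not_in_guacusers).

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the slapd lines quoted in the thread, using the
# thread's placeholder names (dc=my,dc=domain, user_in_guacusers, ...).
SAMPLE_LOG = """\
slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 (IP=0.0.0.0:389)
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 text=
slapd[904]: conn=9479 fd=88 ACCEPT from IP=10.16.33.12:52432 (IP=0.0.0.0:389)
slapd[904]: conn=9479 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9479 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9479 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9479 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9479 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
slapd[904]: conn=9479 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# slapd logs one operation per line: "conn=N [fd=M] op=K <verb> ...".
LINE_RE = re.compile(r'conn=(?P<conn>\d+) (?:fd=\d+ )?(?P<rest>.*)')
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" mech=SIMPLE')
BIND_RESULT_RE = re.compile(r'op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')  # tag 97 = BindResponse
SRCH_RE = re.compile(r'op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" .* filter="(?P<filter>[^"]*)"')
SRCH_RESULT_RE = re.compile(r'op=(?P<op>\d+) SEARCH RESULT tag=101 err=\d+ nentries=(?P<n>\d+)')


def parse_slapd_log(text):
    """Group operations by connection.

    Returns {conn: {"bind_dn": str | None, "bind_err": int | None,
                    "searches": {op: {"base": str, "filter": str, "nentries": int | None}}}}.
    """
    conns = defaultdict(lambda: {"bind_dn": None, "bind_err": None, "searches": {}})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, rest = conns[int(m.group("conn"))], m.group("rest")
        b = BIND_RE.match(rest)
        if b:
            conn["bind_dn"] = b.group("dn")
            continue
        r = BIND_RESULT_RE.match(rest)
        if r:
            conn["bind_err"] = int(r.group("err"))
            continue
        s = SRCH_RE.match(rest)
        if s:
            conn["searches"][int(s.group("op"))] = {
                "base": s.group("base"), "filter": s.group("filter"), "nentries": None}
            continue
        sr = SRCH_RESULT_RE.match(rest)
        if sr and int(sr.group("op")) in conn["searches"]:
            conn["searches"][int(sr.group("op"))]["nentries"] = int(sr.group("n"))
    return conns


def audit(conns, user_base, group_base):
    """Return (conn, bind_dn, finding) tuples for every successful simple bind.

    NOT_IN_ANY_GROUP: the membership search under group_base for the bound DN
        returned nentries=0, i.e. the user authenticated but is in no group there.
    USER_FILTER_ENUMERATES: the search under user_base does not name the bound
        user's RDN (the thread's logs show a wildcard (uid=*)), so it lists users
        matching ldap-user-search-filter rather than testing this login against it.
    """
    findings = []
    for conn_id, c in sorted(conns.items()):
        dn = c["bind_dn"]
        if dn is None or c["bind_err"] != 0:
            continue  # anonymous, SASL or failed bind: nothing to audit here
        rdn = dn.split(",", 1)[0]  # e.g. uid=user_in_guacusers
        member_hits = [s for s in c["searches"].values()
                       if s["base"] == group_base and "(member=%s)" % dn in s["filter"]]
        if member_hits and sum(s["nentries"] or 0 for s in member_hits) == 0:
            findings.append((conn_id, dn, "NOT_IN_ANY_GROUP"))
        if any(s["base"] == user_base and "(%s)" % rdn not in s["filter"]
               for s in c["searches"].values()):
            findings.append((conn_id, dn, "USER_FILTER_ENUMERATES"))
    return findings


if __name__ == "__main__":
    conns = parse_slapd_log(SAMPLE_LOG)
    for conn_id, dn, code in audit(conns, "ou=users,dc=my,dc=domain",
                                   "ou=groups,dc=my,dc=domain"):
        print("conn=%d %-24s %s" % (conn_id, code, dn))
```

Run against a real slapd log (loglevel stats) the same script shows, per login, whether the membership search for the bound DN came back empty, which is the observable difference between the two users in the thread.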

Re: How many users can use Guacamole simultaneously?

Posted by ivanmarcus <iv...@yahoo.com.INVALID>.
There have been several similar queries in the past and Mike has 
suggested you "generally need 1 core and 2 GB for every 25 concurrent 
users at peak".

In a more recent discussion he's pointed to the following two threads 
that give more information:

https://mail-archives.apache.org/mod_mbox/guacamole-user/201803.mbox/%3CCALKeL-Oc6xnj99D9G9mE3aAS1Bj6xL%3DRnCM%3D052VCeMn%3DdBs9g%40mail.gmail.com%3E

https://mail-archives.apache.org/mod_mbox/guacamole-user/201906.mbox/%3CCALKeL-PXE%2BfwgQ8TzTN51hMKHJ4LJUh0gvBj0t_oxJqANtek3w%40mail.gmail.com%3E

FWIW these were referenced in 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/concurrent-performance-of-Guacamole-td6923.html#a6956


On 4/03/2020 8:42 a.m., Newman, Dennis wrote:
>
> That link is for a 2013 discussion; is there any more current discussion?
>
> We are currently running Guac v1.0.0 on a CentOS 7 virtual machine 
> (ESXi 6.7) with 4 processors, 8 GB RAM and a 100 GB hard drive.
>
> We currently have 32 simultaneous users (just checked “currently 
> logged on”); our resources are sitting at 940 MHz CPU, 409 MB memory 
> and 50.8 GB hard drive.
>
> Our current system consists of the Guac system and 30 installed and 
> running Win 7 desktops on one server and a “sister” server that holds 
> about 40 more virtual Win 7 desktops.
>
> Along with the virtual users, who connect from all over the world, we 
> have about 30 “potential” users that occasionally connect through 
> Guacamole to their physical Windows 10 systems here in the local office.
>
> All of our users log into their virtual desktops to run an IBM ACS 
> green screen emulator for data entry into an IBM Power system.
>
> As well as running Chrome on their virtual desktops for data lookup.
>
> We have been asked to increase our setup by “up to” 100 more users.  I 
> am hoping that we can get away with just adding drive space and memory 
> to the “sister” server.  As the OP was wondering how many simultaneous 
> users you can run, I also would like to know if we will need to set up 
> a second Guac server to accomplish our required task.
>


RE: How many users can use Guacamole simultaneously?

Posted by "Newman, Dennis" <de...@spglobal.com>.
That link is for a 2013 discussion; is there any more current discussion?
We are currently running Guac v1.0.0 on a CentOS 7 virtual machine (ESXi 6.7) with 4 processors, 8 GB RAM and a 100 GB hard drive.
We currently have 32 simultaneous users (just checked “currently logged on”); our resources are sitting at 940 MHz CPU, 409 MB memory and 50.8 GB hard drive.

Our current system consists of the Guac system and 30 installed and running Win 7 desktops on one server and a “sister” server that holds about 40 more virtual Win 7 desktops.
Along with the virtual users, who connect from all over the world, we have about 30 “potential” users that occasionally connect through Guacamole to their physical Windows 10 systems here in the local office.

All of our users log into their virtual desktops to run an IBM ACS green screen emulator for data entry into an IBM Power system.
As well as running Chrome on their virtual desktops for data lookup.

We have been asked to increase our setup by “up to” 100 more users.  I am hoping that we can get away with just adding drive space and memory to the “sister” server.  As the OP was wondering how many simultaneous users you can run, I also would like to know if we will need to set up a second Guac server to accomplish our required task.


slapd[904]: conn=9479 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9479 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9479 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
slapd[904]: conn=9479 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9479 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
slapd[904]: conn=9479 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[904]: conn=9479 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0 filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=

And this is my full configuration file:
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

#skip-if-unavailable: mysql, ldap
api-session-timeout: 15

# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid
ldap-user-search-filter: (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: MySecret

Thanks,
Fabio

On Feb 25, 2020, at 10:46, Fabio Corsi <fa...@gmail.com> wrote:

We're using openLDAP (libldap-2.4-2:amd64) on a separate Ubuntu 18.04 installation.

Many thanks,
Fabio

On Feb 24, 2020, at 22:57, Mike Jumper <mj...@apache.org> wrote:

On Mon, Feb 24, 2020, 19:52 Fabio Corsi <fa...@gmail.com> wrote:
Hi,

I’ve a fresh install of Guacamole 1.1.0 on Ubuntu 18.0.4 Server.

I have the LDAP extension installed (along with the MySQL one) and I’ve defined connections directly into LDAP.
Everything works just fine, users are authenticated and are allowed the proper connections, however I would like to allow only users MemberOf a one LDAP group (e.g. guacusers) to login to my Guacamole site.
I’m using ldap-user-search-filter, but it does not seem to work. As of now any active users in my LDAP directory can login into the Guacamole site.
No connections are displayed for the users that I would like to disallow, but nevertheless they can still login...

This is the LDAP configuration in my guacamole.properties

# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid
ldap-user-search-filter: (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))
ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain

And I have previously used this same configuration some time back when I was testing version 0.9.14 and it seemed to be working...


Note that if I run the same filter on my LDAP server, e.g.:
ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
I get the expected result….

I’ve also tried adding other specifiers to the filter, like
(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)

they all work when I query the LDAP server with ldapsearch, but don’t seem to have any effect when I use them in Guacamole.

What LDAP server is being used?

- Mike




RE: How many users can use Guacamole simultaneously?

Posted by Adrian Owen <ad...@eesm.com>.
https://sourceforge.net/p/guacamole/discussion/1110834/thread/666f7a9f/

From: Stewart Alexander [mailto:stewart.alexander@alamancecc.edu]
Sent: 03 March 2020 12:47
To: user@guacamole.apache.org
Subject: How many users can use Guacamole simultaneously?

Hi all,

Does anyone know how many users can login through Guacamole simultaneously?

What are the bottlenecks?

Thank you,
Stewart Alexander


------ Original Message ------
From: "Fabio Corsi" <fa...@gmail.com>
To: user@guacamole.apache.org
Sent: 3/2/2020 5:01:07 PM
Subject: Re: ldap-user-search-filter problem



How many users can use Guacamole simultaneously?

Posted by Stewart Alexander <st...@alamancecc.edu>.
Hi all,

Does anyone know how many users can login through Guacamole simultaneously?

What are the bottlenecks?

Thank you,
Stewart Alexander


------ Original Message ------
From: "Fabio Corsi" <fa...@gmail.com>
To: user@guacamole.apache.org
Sent: 3/2/2020 5:01:07 PM
Subject: Re: ldap-user-search-filter problem


Re: ldap-user-search-filter problem

Posted by Nick Couchman <vn...@apache.org>.
On Sun, May 3, 2020 at 9:49 AM Fabio Corsi <fabio1299.discussionlists@gmail.com> wrote:

> Thanks Nick.
>
> Not sure what *above* would be in my case.
> Can you suggest what kind of information should I be looking for in my log
> file?
>
>
Sorry, after looking at this, again, I see what the issue is.  In your
guacamole.properties, you are not specifying the ldap-search-bind-dn and
ldap-search-bind-password parameters.  This means that Guacamole is not
actually searching for the user that is attempting to log in, it is just
computing the DN of the username by taking the username attribute (uid),
the username (user_not_in_guacusers) and the ldap-user-base-dn
(ou=users,dc=my,dc=domain) and putting together a user DN
(uid=user_not_in_guacusers,ou=users,dc=my,dc=domain) and then attempting to
bind with that account - and succeeding.

If you want successful LDAP logins to actually be limited to the items
in ldap-user-search-filter, you'll need to specify an LDAP account that
Guacamole will use to search the tree ahead of time and find the users, and
then that filter will not only apply to the users that are enumerated
within the admin interface, but also to the users trying to log in.

-Nick
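Nick's explanation above, as an added example that is not part of the original thread and is not Guacamole's own code: a small in-memory model of both login paths, with a minimal RFC 4515 filter evaluator. The configured filter, base DN and the enumeration filter slapd logged are taken from the thread; the directory entries, the passwords, and the assumption that the login filter is composed like the enumeration filter with the username in place of `*` are constructed for the example.

```python
"""Added model of the two Guacamole LDAP login paths described in the thread.

Constructed example, not Guacamole's own code: an in-memory directory and a
small RFC 4515 filter evaluator show why ldap-user-search-filter gates login
only once ldap-search-bind-dn / ldap-search-bind-password are configured.
"""

# Constructed entries mirroring the two users in the slapd log above.
DIRECTORY = {
    "uid=user_in_guacusers,ou=users,dc=my,dc=domain": {
        "objectClass": ["person"], "uid": ["user_in_guacusers"],
        "memberOf": ["cn=guacusers,ou=groups,dc=my,dc=domain"],
        "userPassword": ["alice-secret"],  # constructed credential
    },
    "uid=user_not_in_guacusers,ou=users,dc=my,dc=domain": {
        "objectClass": ["person"], "uid": ["user_not_in_guacusers"],
        "memberOf": [], "userPassword": ["bob-secret"],  # constructed
    },
}

# Values taken from the guacamole.properties posted in the thread.
USER_BASE_DN = "ou=users,dc=my,dc=domain"
USERNAME_ATTRIBUTE = "uid"
USER_SEARCH_FILTER = (
    "(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))"
)

def escape_filter_value(value):
    """RFC 4515 escaping for a username interpolated into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _parse(text, i):
    """Parse the component at text[i] == '(' (&, |, !, equality, presence);
    return (node, index just after the component)."""
    op = text[i + 1]
    if op in "&|!":
        children, i = [], i + 2
        while text[i] == "(":
            node, i = _parse(text, i)
            children.append(node)
        return (op, children), i + 1  # text[i] is the closing ')'
    end = text.index(")", i)
    attr, _, value = text[i + 1:end].partition("=")
    return ("=", attr, value), end + 1

def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
    if value == "*":  # presence test, e.g. (uid=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def search(base_dn, filter_text):
    """Subtree search: DNs under base_dn whose entry matches the filter."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base_dn) and matches(node, entry)]

def simple_bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry["userPassword"]

def enumeration_filter():
    """The filter slapd logged for user listing: the configured filter AND a
    presence test on the username attribute."""
    return "(&%s(|(%s=*)))" % (USER_SEARCH_FILTER, USERNAME_ATTRIBUTE)

def login_without_search_bind(username, password):
    """No search bind account: the DN is computed, never searched for, so the
    configured filter is not consulted before the bind."""
    dn = "%s=%s,%s" % (USERNAME_ATTRIBUTE, username, USER_BASE_DN)
    return simple_bind(dn, password)

def login_with_search_bind(username, password):
    """Search bind configured (login filter assumed to mirror the enumeration
    filter with the username in place of *): excluded entries are never bound."""
    login_filter = "(&%s(|(%s=%s)))" % (
        USER_SEARCH_FILTER, USERNAME_ATTRIBUTE, escape_filter_value(username))
    found = search(USER_BASE_DN, login_filter)
    if len(found) != 1:  # not found, filtered out, or ambiguous
        return False
    return simple_bind(found[0], password)
```

Running both paths for `user_not_in_guacusers` reproduces the thread's symptom: the direct-bind path accepts a valid password regardless of group membership, while the search-bind path never locates the entry and rejects the login.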

Re: ldap-user-search-filter problem

Posted by Fabio Corsi <fa...@gmail.com>.
Thanks Nick.

Not sure what *above* would be in my case.
Can you suggest what kind of information should I be looking for in my log file?

The two groups of entries I posted are consecutive in the log file and there are no entries in between the two sets. I only split them for clarity...

Thanks,
Fabio 


> On May 3, 2020, at 8:41 AM, Nick Couchman <vn...@apache.org> wrote:
> 
> 
> See responses inline...
> 
>> On Wed, Apr 29, 2020 at 8:55 AM Fabio Corsi <fa...@gmail.com> wrote:
>> Hi Nick,
>> 
>> Sorry for my previous emails that kept sending before I was done… didn’t have access to my computer yesterday.
>> 
>> My configuration is a bit different as I’m using openLDAP (libldap-2.4-2:amd64) on Ubuntu 18.04.
>> 
>> My LDAP configuration in my guacamole.properties is:
>> 
>> # LDAP properties
>> ldap-hostname: configserver.my.domain
>> ldap-port: 389
>> ldap-user-base-dn: ou=users,dc=my,dc=domain
>> ldap-username-attribute: uid
>> ldap-user-search-filter: (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
>> ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
>> ldap-group-base-dn: ou=groups,dc=my,dc=domain
>> 
>> Which I’m expecting to allow login only to members of the group “guacusers”. 
>> However what I'm experiencing is that every user on my LDAP server is allowed to login, whether they are members of the guacusers group or not.
>> 
>> I have previously used this same configuration when I was testing version 0.9.14 and it seemed to be working...
>> 
>> I can use the same filter directly querying my LDAP server, e.g.:
>> ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
>> And I get the expected result….
>> 
>> I’ve also tried adding other specifiers to the filter, like 
>> (memberof=cn=guacusers,ou=users,dc=my,dc=domain)
>> 
>> they all work when I query the LDAP server with ldapsearch, but don’t seem to have any effect when I use them in Guacamole.
>> 
>> Here are the log entries on my LDAP server for a Guacamole access for a user (“user_in_guacusers”) that is in the guacusers group:
>> slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422 (IP=0.0.0.0:389)
>> slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
>> slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
> 
> I think the relevant entries might actually be *above* this, because at this point it is already accepting the bind as the user, which means it has already bound as the search user, done the search for the user who is logging in, and successfully located the entry.
>  
>> slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=
>> slapd[904]: conn=9470 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
>> slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
>> slapd[904]: conn=9470 fd=48 closed (connection lost)
>> slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 (IP=0.0.0.0:389)
>> slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
>> slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
>> slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
>> slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
>> slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
>> slapd[904]: conn=9471 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
>> slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
>> slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
>> slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 text=
>> slapd[904]: conn=9471 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0 filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)(seeAlso=cn=group1,ou=groups,dc=my,dc=domain)(seeAlso=cn=group2,ou=groups,dc=my,dc=domain)(seeAlso=cn=group3,ou=groups,dc=my,dc=domain)(seeAlso=cn=group4,ou=groups,dc=my,dc=domain)(seeAlso=cn=guacusers,ou=groups,dc=my,dc=domain)))"
>> slapd[904]: conn=9471 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
>> 
>> …and for the user (“user_not_in_guacusers”) that is not in the guacusers group:
>> slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 (IP=0.0.0.0:389)
>> slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
>> slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
> 
> Again, I think you need the log entries from slapd *above* this, because the search has already succeeded, determined the user is okay, and is now re-binding as that user.
> 
> -Nick

Re: ldap-user-search-filter problem

Posted by Nick Couchman <vn...@apache.org>.
See responses inline...

On Wed, Apr 29, 2020 at 8:55 AM Fabio Corsi <fabio1299.discussionlists@gmail.com> wrote:

> Hi Nick,
>
> Sorry for my previous emails that kept sending before I was done… didn’t
> have access to my computer yesterday.
>
> My configuration is a bit different as I’m using openLDAP (libldap-2.4-2:amd64)
> on Ubuntu 18.04.
>
> My LDAP configuration in my guacamole.properties is:
>
> # LDAP properties
> ldap-hostname: configserver.my.domain
> ldap-port: 389
> ldap-user-base-dn: ou=users,dc=my,dc=domain
> ldap-username-attribute: uid
> ldap-user-search-filter: (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
> ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
> ldap-group-base-dn: ou=groups,dc=my,dc=domain
>
>
> Which I’m expecting to allow login only to members of the group
> “guacusers”.
> However what I'm experiencing is that every user on my LDAP server is
> allowed to login, whether they are members of the guacusers group or not.
>
> I have previously used this same configuration when I was testing version
> 0.9.14 and it seemed to be working...
>
> I can use the same filter directly querying my LDAP server, e.g.:
>
> ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
>
> And I get the expected result….
>
> I’ve also tried adding other specifiers to the filter, like
>
> (memberof=cn=guacusers,ou=users,dc=my,dc=domain)
>
>
> they all work when I query the LDAP server with ldapsearch, but don’t
> seem to have any effect when I use them in Guacamole.
>
> Here are the log entries on my LDAP server for a Guacamole access for a
> user (“user_in_guacusers”) that is in the guacusers group:
>
> slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422 (IP=0.0.0.0:389)
> slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
> slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
>
>
I think the relevant entries might actually be *above* this, because at
this point it is already accepting the bind as the user, which means it has
already bound as the search user, done the search for the user who is
logging in, and successfully located the entry.


> slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=
> slapd[904]: conn=9470 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
> slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
> slapd[904]: conn=9470 fd=48 closed (connection lost)
> slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 (IP=0.0.0.0:389)
> slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
> slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
> slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
> slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
> slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
> slapd[904]: conn=9471 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
> slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
> slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
> slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 text=
> slapd[904]: conn=9471 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0 filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)(seeAlso=cn=group1,ou=groups,dc=my,dc=domain)(seeAlso=cn=group2,ou=groups,dc=my,dc=domain)(seeAlso=cn=group3,ou=groups,dc=my,dc=domain)(seeAlso=cn=group4,ou=groups,dc=my,dc=domain)(seeAlso=cn=guacusers,ou=groups,dc=my,dc=domain)))"
> slapd[904]: conn=9471 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
>
> …and for the user (“user_not_in_guacusers”) that is not in the guacusers
> group:
>
> slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 (IP=0.0.0.0:389)
> slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
> slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
>
>
Again, I think you need the log entries from slapd *above* this, because
the search has already succeeded, determined the user is okay, and is now
re-binding as that user.

-Nick

Re: ldap-user-search-filter problem

Posted by Fabio Corsi <fa...@gmail.com>.
Hi Nick,

Sorry for my previous emails that kept sending before I was done… didn’t have access to my computer yesterday.

My configuration is a bit different as I’m using openLDAP (libldap-2.4-2:amd64) on Ubuntu 18.04.

My LDAP configuration in my guacamole.properties is:

# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid
ldap-user-search-filter: (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain

Which I’m expecting to allow login only to members of the group “guacusers”. 
However what I'm experiencing is that every user on my LDAP server is allowed to login, whether they are members of the guacusers group or not.

I have previously used this same configuration when I was testing version 0.9.14 and it seemed to be working...

I can use the same filter directly querying my LDAP server, e.g.:
ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
And I get the expected result….

I’ve also tried adding other specifiers to the filter, like 
(memberof=cn=guacusers,ou=users,dc=my,dc=domain)

they all work when I query the LDAP server with ldapsearch, but don’t seem to have any effect when I use them in Guacamole.

Here are the log entries on my LDAP server for a Guacamole access for a user (“user_in_guacusers”) that is in the guacusers group:
slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422 (IP=0.0.0.0:389)
slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9470 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
slapd[904]: conn=9470 fd=48 closed (connection lost)
slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 (IP=0.0.0.0:389)
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
slapd[904]: conn=9471 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 text=
slapd[904]: conn=9471 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0 filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)(seeAlso=cn=group1,ou=groups,dc=my,dc=domain)(seeAlso=cn=group2,ou=groups,dc=my,dc=domain)(seeAlso=cn=group3,ou=groups,dc=my,dc=domain)(seeAlso=cn=group4,ou=groups,dc=my,dc=domain)(seeAlso=cn=guacusers,ou=groups,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=

…and for the user (“user_not_in_guacusers”) that is not in the guacusers group:
slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 (IP=0.0.0.0:389)
slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9478 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9478 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9478 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[904]: conn=9478 fd=88 closed (connection lost)
slapd[904]: conn=9479 fd=88 ACCEPT from IP=10.16.33.12:52432 (IP=0.0.0.0:389)
slapd[904]: conn=9479 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9479 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9479 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9479 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9479 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
slapd[904]: conn=9479 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9479 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
slapd[904]: conn=9479 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[904]: conn=9479 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0 filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=

Many thanks for your help,
Fabio

> On Apr 28, 2020, at 17:29, Nick Couchman <vn...@apache.org> wrote:
> 
> On Tue, Apr 28, 2020 at 3:16 PM carlog <cgrossman@turlock.ca.us> wrote:
> Thank you for posting your working config.  I, too, am using staging/1.2.0
> code.  I matched mine up to yours, and made sure I had an appropriate line
> for each one of your lines, but still, no go. :(
> 
> So far, I have the guacadmin account in AD, as well as in mysql.  It's also
> using that account to bind to LDAP.  When I log in as guacadmin, go to
> Users, there's only the guacadmin account.  I can't add Admin access to any
> users because they aren't there.
> 
> 
> This is expected behavior - the guacadmin account, unless it also exists in LDAP, won't be able to see any of the LDAP users.  The Guacamole LDAP extension, by design, only ever uses the search account from the guacamole.properties file to attempt to find a user who is logging in.  It is not used as a generic query account to search for all items or users in LDAP.  So, if the user logging in (guacadmin, for example), cannot authenticate to the LDAP directory, then you won't see any of the data for the LDAP directory with that user.  You'll need to create an account in the JDBC module that matches one in your LDAP tree...
> 
> ...which is possible!  Now, you can't do it directly the way you can once you get an LDAP admin logged in, but all you have to do is create a new user in the JDBC module (using the guacadmin account) with a username that matches the LDAP user, and assign that account the correct permissions.  You can leave the password field blank when you create this user, and Guacamole will auto-generate a password within the JDBC module.  From that point, any time the user logs in and is authenticated with LDAP, the permissions from JDBC will match it.
> 
> One thing to be aware of is that the JDBC module is case-sensitive with respect to users (and matching users from other modules), whereas most authentication systems tend to be case-insensitive.  This has caused me some headaches in my environment when trying to assign users, because the LDAP module reads them in with the case they are entered (e.g. Nick_Couchman), but most people tend to log in with the simplest format (e.g. nick_couchman), and it can matter.
>  
> -When I log in as my AD user, it will accept it, but I'm not an admin, so I
> only see limited menu options.
> -When I attempt to log in as another AD user that's not in the AD group
> specified in the search filter, it won't log in
> -When logged in as guacadmin, if I attempt to add a new user matching the
> name of an AD user account that should have access, I get an "internal error
> occurred" message.
> 
> This should not happen - something else is going on, here.  You'll need to look at the log files for Tomcat and see what error it is throwing.
>  
> -When I turn on debugging on my AD server, I see in the log that it matches
> my LDAP search filter (and appends sAMAccountName=*), and returns 60
> results, which are the 60 users that are in the AD group
> 
> The same exact config on my Guac 1.0 server is running perfectly, so I'm
> confused why it isn't working for me in Guac 1.2.
> 
> 
> There were some pretty significant changes between 1.0.0 and 1.1.0 with regard to LDAP and how matching is done between the JDBC module and other modules.  I would imagine you're hitting a variety of things, here.
> 
> Best to work through the issues you're seeing systematically and solve them one-by-one.
> 
> -Nick


Re: ldap-user-search-filter problem

Posted by carlog <cg...@turlock.ca.us>.
The guacadmin account does exist in Active Directory/LDAP.  Shouldn't it be
able to see the rest of the users in the LDAP group?



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: ldap-user-search-filter problem

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Apr 28, 2020 at 3:16 PM carlog <cg...@turlock.ca.us> wrote:

> Thank you for posting your working config.  I, too, am using staging/1.2.0
> code.  I matched mine up to yours, and made sure I had an appropriate line
> for each one of your lines, but still, no go. :(
>
> So far, I have the guacadmin account in AD, as well as in mysql.  It's also
> using that account to bind to LDAP.  When I log in as guacadmin, go to
> Users, there's only the guacadmin account.  I can't add Admin access to any
> users because they aren't there.
>
>
This is expected behavior - the guacadmin account, unless it also exists in
LDAP, won't be able to see any of the LDAP users.  The Guacamole LDAP
extension, by design, only ever uses the search account from the
guacamole.properties file to attempt to find a user who is logging in.  It
is not used as a generic query account to search for all items or users in
LDAP.  So, if the user logging in (guacadmin, for example), cannot
authenticate to the LDAP directory, then you won't see any of the data for
the LDAP directory with that user.  You'll need to create an account in the
JDBC module that matches one in your LDAP tree...

...which is possible!  Now, you can't do it directly the way you can once
you get an LDAP admin logged in, but all you have to do is create a new
user in the JDBC module (using the guacadmin account) with a username that
matches the LDAP user, and assign that account the correct permissions.
You can leave the password field blank when you create this user, and
Guacamole will auto-generate a password within the JDBC module.  From that
point, any time the user logs in and is authenticated with LDAP, the
permissions from JDBC will match it.

One thing to be aware of is that the JDBC module is case-sensitive with
respect to users (and matching users from other modules), whereas most
authentication systems tend to be case-insensitive.  This has caused me
some headaches in my environment when trying to assign users, because the
LDAP module reads them in with the case they are entered (e.g.
Nick_Couchman), but most people tend to log in with the simplest format
(e.g. nick_couchman), and it can matter.


> -When I log in as my AD user, it will accept it, but I'm not an admin, so I
> only see limited menu options.
> -When I attempt to log in as another AD user that's not in the AD group
> specified in the search filter, it won't log in
> -When logged in as guacadmin, if I attempt to add a new user matching the
> name of an AD user account that should have access, I get an "internal
> error
> occurred" message.
>

This should not happen - something else is going on, here.  You'll need to
look at the log files for Tomcat and see what error it is throwing.


> -When I turn on debugging on my AD server, I see in the log that it matches
> my LDAP search filter (and appends sAMAccountName=*), and returns 60
> results, which are the 60 users that are in the AD group
>
> The same exact config on my Guac 1.0 server is running perfectly, so I'm
> confused why it isn't working for me in Guac 1.2.
>
>
There were some pretty significant changes between 1.0.0 and 1.1.0 with
regard to LDAP and how matching is done between the JDBC module and other
modules.  I would imagine you're hitting a variety of things, here.

Best to work through the issues you're seeing systematically and solve them
one-by-one.

-Nick

Re: ldap-user-search-filter problem

Posted by carlog <cg...@turlock.ca.us>.
Thank you for posting your working config.  I, too, am using staging/1.2.0
code.  I matched mine up to yours, and made sure I had an appropriate line
for each one of your lines, but still, no go. :(

So far, I have the guacadmin account in AD, as well as in mysql.  It's also
using that account to bind to LDAP.  When I log in as guacadmin, go to
Users, there's only the guacadmin account.  I can't add Admin access to any
users because they aren't there.

-When I log in as my AD user, it will accept it, but I'm not an admin, so I
only see limited menu options.
-When I attempt to log in as another AD user that's not in the AD group
specified in the search filter, it won't log in
-When logged in as guacadmin, if I attempt to add a new user matching the
name of an AD user account that should have access, I get an "internal error
occurred" message.
-When I turn on debugging on my AD server, I see in the log that it matches
my LDAP search filter (and appends sAMAccountName=*), and returns 60
results, which are the 60 users that are in the AD group

The same exact config on my Guac 1.0 server is running perfectly, so I'm
confused why it isn't working for me in Guac 1.2.





Re: ldap-user-search-filter problem

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Apr 28, 2020 at 10:54 AM Fabio Corsi <fabio1299.discussionlists@gmail.com> wrote:

> I’m also still waiting to hear something about this problem. My post dated
> March 2, 2020 summarizes the problem and provides my LDAP log entries.
> Happy to repost if that makes it easier to find.
> Many thanks!


I'm using the staging/1.2.0 code with the following LDAP configuration:

ldap-hostname: ldap.example.com
ldap-port: 389
ldap-encryption-method: none
ldap-search-bind-dn: CN=Guac_Search_User,OU=IT,DC=example,DC=com
ldap-search-bind-password: T0p$ecret
ldap-user-base-dn: dc=example,dc=com
ldap-group-base-dn: ou=Guacamole_Groups,ou=Groups,ou=IT,dc=example,dc=com
ldap-username-attribute: sAMAccountName
ldap-user-search-filter: (&(objectClass=user)(memberOf=CN=Guacamole_Users,OU=Guacamole_Groups,OU=Groups,OU=IT,DC=example,DC=com))
ldap-follow-referrals: false

This works fine for me - I'm authenticating against Active Directory, and
when I log in with my LDAP account I can see both the users and groups from
LDAP.  Groups are only the ones listed in the ldap-group-base-dn search
base, above, and users are the only ones that are a member of the group
listed in the search filter.

-Nick

Re: ldap-user-search-filter problem

Posted by Fabio Corsi <fa...@gmail.com>.
I’m also still waiting to hear something about this problem. My post dated March 2, 2020 summarizes the problem and provides my LDAP log entries.
Happy to repost if that makes it easier to find.
Many thanks!

> On Apr 28, 2020, at 9:17 AM, carlog <cg...@turlock.ca.us> wrote:
> 
> I turned on logging on the domain controller and I can see that it sends the
> proper LDAP search and returns 60 entries, like it should.  I just can't see
> any of them in Guacamole.
> 
> 
> 


Re: ldap-user-search-filter problem

Posted by carlog <cg...@turlock.ca.us>.
I turned on logging on the domain controller and I can see that it sends the
proper LDAP search and returns 60 entries, like it should.  I just can't see
any of them in Guacamole.





Re: ldap-user-search-filter problem

Posted by carlog <cg...@turlock.ca.us>.
Thank you for posting your solution.  However I'm having the same issue.
Works in 1.0 but not in 1.1 nor 1.2.  Anybody else having this issue?  How
can I debug this against a Windows domain controller?





Re: ldap-user-search-filter problem

Posted by chrooge <ch...@infrabel.be>.
Problem solved.
If that can help other users with same issue, I've just rewritten the
filter:
(objectClass=user)(|(department=A)(department=B)(department=C))
->
(&(objectClass=user)(|(department=A)(department=B)(department=C)))

Best regards,

Christophe

ps: sorry if it is trivial but I'm not an AD/LDAP expert.





Re: ldap-user-search-filter problem

Posted by chrooge <ch...@infrabel.be>.
Hi,

Any news about this issue?
I have the same problem:
the filter works with 1.0 and not with 1.1. 

Best regards,

Christophe





Re: ldap-user-search-filter problem

Posted by Fabio Corsi <fa...@gmail.com>.
Hi,

I was wondering if anyone could provide some insight on this issue.

To recap my previous message I have a ldap-user-search-filter set to
	(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))
however any valid LDAP user is allowed to login on the Guacamole web page.
My configuration: Guacamole 1.1.0, Ubuntu 18.04, openLDAP (libldap-2.4-2:amd64) on a separate Ubuntu 18.04 VM.

Since my first message I’ve done some additional investigation into the problem.
By looking at the logs on my LDAP server I can see that the filters are passed on to the LDAP server and they do return the correct number of entries.

There are a couple of things that seem strange to me:
Not sure why the "(|(uid=*))" clause is added to the main group filter defined in my configuration
For the user in the guacusers group the seeAlso seems to expand to all the objects of class groupOfNames in my directory

Here are the log entries for the user that is in the guacusers group:
slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422 (IP=0.0.0.0:389)
slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9470 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9470 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
slapd[904]: conn=9470 fd=48 closed (connection lost)
slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 (IP=0.0.0.0:389)
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9471 op=0 BIND dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
slapd[904]: conn=9471 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 text=
slapd[904]: conn=9471 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0 filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)(seeAlso=cn=group1,ou=groups,dc=my,dc=domain)(seeAlso=cn=group2,ou=groups,dc=my,dc=domain)(seeAlso=cn=group3,ou=groups,dc=my,dc=domain)(seeAlso=cn=group4,ou=groups,dc=my,dc=domain)(seeAlso=cn=guacusers,ou=groups,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=

And for the user that is not in the guacusers group:
slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 (IP=0.0.0.0:389)
slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9478 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9478 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9478 op=1 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9478 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[904]: conn=9478 fd=88 closed (connection lost)
slapd[904]: conn=9479 fd=88 ACCEPT from IP=10.16.33.12:52432 (IP=0.0.0.0:389)
slapd[904]: conn=9479 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9479 op=0 BIND dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0
slapd[904]: conn=9479 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9479 op=1 SRCH base="ou=users,dc=my,dc=domain" scope=2 deref=0 filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9479 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
slapd[904]: conn=9479 op=2 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9479 op=2 SEARCH RESULT tag=101 err=0 nentries=46 text=
slapd[904]: conn=9479 op=3 SRCH base="ou=groups,dc=my,dc=domain" scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[904]: conn=9479 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0 filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=

And this is my full configuration file:
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

#skip-if-unavailable: mysql, ldap
api-session-timeout: 15

# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid
ldap-user-search-filter: (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: MySecret

Thanks,
Fabio

> On Feb 25, 2020, at 10:46, Fabio Corsi <fa...@gmail.com> wrote:
> 
> We're using openLDAP (libldap-2.4-2:amd64) on a separate Ubuntu 18.04 installation.
> 
> Many thanks,
> Fabio
> 
>> On Feb 24, 2020, at 22:57, Mike Jumper <mjumper@apache.org> wrote:
>> 
>> On Mon, Feb 24, 2020, 19:52 Fabio Corsi <fabio1299.discussionlists@gmail.com> wrote:
>> Hi,
>> 
>> I’ve a fresh install of Guacamole 1.1.0 on Ubuntu 18.0.4 Server.
>> 
>> I have the LDAP extension installed (along with the MySQL one) and I’ve defined connections directly into LDAP.
>> Everything works just fine, users are authenticated and are allowed the proper connections, however I would like to allow only users MemberOf a one LDAP group (e.g. guacusers) to login to my Guacamole site.
>> I’m using ldap-user-search-filter, but it does not seem to work. As of now any active users in my LDAP directory can login into the Guacamole site.
>> No connections are displayed for the users that I would like to disallow, but nevertheless they can still login...
>> 
>> This is the LDAP configuration in my guacamole.properties 
>> 
>> # LDAP properties
>> ldap-hostname: configserver.my.domain
>> ldap-port: 389
>> ldap-user-base-dn: ou=users,dc=my,dc=domain
>> ldap-username-attribute: uid
>> ldap-user-search-filter: (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))
>> ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
>> ldap-group-base-dn: ou=groups,dc=my,dc=domain
>> 
>> And I have previously used this same configuration some time back when I was testing version 0.9.14 and it seemed to be working...
>> 
>> 
>> Note that if I run the same filter on my LDAP server, e.g.:
>> ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
>> I get the expected result….
>> 
>> I’ve also tried adding other specifiers to the filter, like 
>> (memberof=cn=guacusers,ou=groups,dc=my,dc=domain)
>> 
>> they all work when I query the LDAP server with ldapsearch, but don’t seem to have any effect when I use them in Guacamole.
>> 
>> What LDAP server is being used?
>> 
>> - Mike
> 


Re: ldap-user-search-filter problem

Posted by Fabio Corsi <fa...@gmail.com>.
We're using openLDAP (libldap-2.4-2:amd64) on a separate Ubuntu 18.04 installation.

Many thanks,
Fabio

> On Feb 24, 2020, at 22:57, Mike Jumper <mj...@apache.org> wrote:
> 
> On Mon, Feb 24, 2020, 19:52 Fabio Corsi <fabio1299.discussionlists@gmail.com> wrote:
> Hi,
> 
> I’ve a fresh install of Guacamole 1.1.0 on Ubuntu 18.0.4 Server.
> 
> I have the LDAP extension installed (along with the MySQL one) and I’ve defined connections directly into LDAP.
> Everything works just fine, users are authenticated and are allowed the proper connections, however I would like to allow only users MemberOf one LDAP group (e.g. guacusers) to log in to my Guacamole site.
> I’m using ldap-user-search-filter, but it does not seem to work. As of now any active users in my LDAP directory can log in to the Guacamole site.
> No connections are displayed for the users that I would like to disallow, but nevertheless they can still log in...
> 
> This is the LDAP configuration in my guacamole.properties 
> 
> # LDAP properties
> ldap-hostname: configserver.my.domain
> ldap-port: 389
> ldap-user-base-dn: ou=users,dc=my,dc=domain
> ldap-username-attribute: uid
> ldap-user-search-filter: (memberof=cn=guacusers,ou=users,dc=my,dc=domain)
> ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
> ldap-group-base-dn: ou=groups,dc=my,dc=domain
> 
> And I have previously used this same configuration some time back when I was testing version 0.9.14 and it seemed to be working...
> 
> 
> Note that if I run the same filter on my LDAP server, e.g.:
> ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
> I get the expected result….
> 
> I’ve also tried adding other specifiers to the filter, like 
> (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
> 
> they all work when I query the LDAP server with ldapsearch, but don’t seem to have any effect when I use them in Guacamole.
> 
> What LDAP server is being used?
> 
> - Mike


Re: ldap-user-search-filter problem

Posted by Mike Jumper <mj...@apache.org>.
On Mon, Feb 24, 2020, 19:52 Fabio Corsi <fa...@gmail.com>
wrote:

> Hi,
>
> I’ve a fresh install of Guacamole 1.1.0 on Ubuntu 18.0.4 Server.
>
> I have the LDAP extension installed (along with the MySQL one) and I’ve
> defined connections directly into LDAP.
> Everything works just fine, users are authenticated and are allowed the
> proper connections, however I would like to allow only users MemberOf one
> LDAP group (e.g. guacusers) to log in to my Guacamole site.
> I’m using ldap-user-search-filter, but it does not seem to work. As of
> now any active users in my LDAP directory can log in to the Guacamole
> site.
> No connections are displayed for the users that I would like to disallow,
> but nevertheless they can still log in...
>
> This is the LDAP configuration in my guacamole.properties
>
> # LDAP properties
> ldap-hostname: configserver.my.domain
> ldap-port: 389
> ldap-user-base-dn: ou=users,dc=my,dc=domain
> ldap-username-attribute: uid
> ldap-user-search-filter: (memberof=cn=guacusers,ou=users,dc=my,dc=domain)
> ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
> ldap-group-base-dn: ou=groups,dc=my,dc=domain
>
>
> And I have previously used this same configuration some time back when I
> was testing version 0.9.14 and it seemed to be working...
>
>
> Note that if I run the same filter on my LDAP server, e.g.:
>
> ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s sub
> "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)"
>
> I get the expected result….
>
> I’ve also tried adding other specifiers to the filter, like
>
> (&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
>
>
> they all work when I query the LDAP server with ldapsearch, but don’t
> seem to have any effect when I use them in Guacamole.
>

What LDAP server is being used?

- Mike
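A constructed Python model, added here and not code from this thread or from Guacamole, of why a memberof filter can have no visible effect on who may log in. It assumes, per the Guacamole manual, that ldap-user-search-filter is only evaluated when ldap-search-bind-dn is configured, and that otherwise the bind DN is derived directly as <ldap-username-attribute>=<username>,<ldap-user-base-dn>; the directory entries, the guacsearch bind DN and the function names are constructed for the example.

```python
# Added model (not Guacamole's code): assumes the search filter is only run when
# ldap-search-bind-dn is set; otherwise DN = <attr>=<username>,<user-base-dn>.
# Constructed directory: alice is in guacusers, bob is not (attribute names lowercased).
DIRECTORY = {
    "uid=alice,ou=users,dc=my,dc=domain": {"objectclass": ["person"], "uid": ["alice"],
        "memberof": ["cn=guacusers,ou=groups,dc=my,dc=domain"]},
    "uid=bob,ou=users,dc=my,dc=domain": {"objectclass": ["person"], "uid": ["bob"], "memberof": []},
}

def parse_filter(text, i=0):
    """Parse a subset of RFC 4515: (attr=value), (attr=*) and (&...). Raises ValueError."""
    if i >= len(text) or text[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {text!r}")
    i += 1
    if i < len(text) and text[i] == "&":  # AND: one or more nested filters, then ')'
        i, kids = i + 1, []
        while i < len(text) and text[i] == "(":
            kid, i = parse_filter(text, i)
            kids.append(kid)
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"unterminated (&...) at offset {i}")
        return ("and", kids), i + 1
    j = text.find(")", i)
    if j < 0 or "=" not in text[i:j]:
        raise ValueError(f"malformed simple filter at offset {i}")
    attr, value = text[i:j].split("=", 1)
    return ("eq", attr.lower(), value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one directory entry (case-insensitive values)."""
    if node[0] == "and":
        return all(matches(k, entry) for k in node[1])
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values

def resolve_user_dn(username, props):
    """DN Guacamole would bind as, or None when the login must be refused."""
    base, attr = props["ldap-user-base-dn"], props["ldap-username-attribute"].lower()
    if "ldap-search-bind-dn" not in props:  # derived DN: the filter is never consulted
        dn = f"{attr}={username},{base}"
        return dn if dn in DIRECTORY else None
    node, _ = parse_filter(props.get("ldap-user-search-filter", "(objectClass=*)"))
    hits = [dn for dn, e in DIRECTORY.items() if dn.endswith("," + base)
            and username in e.get(attr, []) and matches(node, e)]
    return hits[0] if len(hits) == 1 else None

FILTER = "(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))"
DERIVED = {"ldap-user-base-dn": "ou=users,dc=my,dc=domain",
           "ldap-username-attribute": "uid", "ldap-user-search-filter": FILTER}
SEARCHED = dict(DERIVED, **{"ldap-search-bind-dn": "cn=guacsearch,ou=users,dc=my,dc=domain"})
```

With DERIVED, bob (not in guacusers) still resolves to a bindable DN because the filter is never applied; with SEARCHED the same filter leaves him without a DN, and a filter missing its leading parenthesis is rejected instead of silently matching.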