Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2020/05/30 18:10:00 UTC

[jira] [Updated] (GUACAMOLE-1086) Nested AD group memberships not parsed correctly

     [ https://issues.apache.org/jira/browse/GUACAMOLE-1086?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Jumper updated GUACAMOLE-1086:
-----------------------------------
    Description: 
Hi,

We've recently deployed Guacamole 1.1.0 in an environment with Active Directory and seem to be having a problem with managing connection permissions via nested groups.
Here's an illustration of what we're running into:

User "joe" is a member of group "A" and that group is nested inside a parent group "B".
We are trying to grant connection permissions to group "B", so that joe and members of any other future subgroup nested inside group "B" will automatically be granted access to that same connection.

This does not seem to be working as we'd expect, and only works when we grant connection permission directly to group "A" (subgroup). In other words, granting connection permission to the parent group does not seem to be working - joe logs in but can't see any connections.

Here's what it looks like in terms of hierarchy:
Group B (granting connection permissions here does not work)
   -> Group A (granting connection permission here works)
           ->joe

All the AD groups are reflected in Guacamole's "Groups" menu, so this does not seem to be an "ldap-group-base-dn" parameter issue.

We already tried using the LDAP filter "ldap-group-search-filter":

{code:none}
ldap-group-search-filter:(&(objectclass=group)(memberOf:1.2.840.113556.1.4.1941:=CN=Group B,OU=Farm Access,OU=Groups,OU=Lab,DC=domain,DC=local))
{code}

  was:
Hi,

We've recently deployed Guacamole 1.1.0 in an environment with Active Directory and seem to be having a problem with managing connection permissions via nested groups.
Here's an illustration of what we're running into:

User "joe" is a member of group "A" and that group is nested inside a parent group "B".
We are trying to grant connection permissions to group "B", so that joe and members of any other future subgroup nested inside group "B" will automatically be granted access to that same connection.

This does not seem to be working as we'd expect, and only works when we grant connection permission directly to group "A" (subgroup). In other words, granting connection permission to the parent group does not seem to be working - joe logs in but can't see any connections.

Here's what it looks like in terms of hierarchy:
Group B (granting connection permissions here does not work)
   -> Group A (granting connection permission here works)
           ->joe

All the AD groups are reflected in Guacamole's "Groups" menu, so this does not seem to be an "ldap-group-base-dn" parameter issue.

We already tried using the LDAP filter "ldap-group-search-filter":

ldap-group-search-filter:(&(objectclass=group)(memberOf:1.2.840.113556.1.4.1941:=CN=Group B,OU=Farm Access,OU=Groups,OU=Lab,DC=domain,DC=local))


> Nested AD group memberships not parsed correctly
> ------------------------------------------------
>
>                 Key: GUACAMOLE-1086
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1086
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-ldap
>    Affects Versions: 1.1.0
>         Environment: Guacamole 1.1.0 with mysql (mariadb) on Ubuntu 18.04 + tomcat9 + Windows 2019 AD bound to guacamole via LDAPS over 636.
>            Reporter: Piotrek
>            Priority: Minor
>              Labels: active-directory, ldap, nested-groups, permissions
>
> Hi,
> We've recently deployed Guacamole 1.1.0 in an environment with Active Directory and seem to be having a problem with managing connection permissions via nested groups.
> Here's an illustration of what we're running into:
> User "joe" is a member of group "A" and that group is nested inside a parent group "B".
> We are trying to grant connection permissions to group "B", so that joe and members of any other future subgroup nested inside group "B" will automatically be granted access to that same connection.
> This does not seem to be working as we'd expect, and only works when we grant connection permission directly to group "A" (subgroup). In other words, granting connection permission to the parent group does not seem to be working - joe logs in but can't see any connections.
> Here's what it looks like in terms of hierarchy:
> Group B (granting connection permissions here does not work)
>    -> Group A (granting connection permission here works)
>            ->joe
> All the AD groups are reflected in Guacamole's "Groups" menu, so this does not seem to be an "ldap-group-base-dn" parameter issue.
> We already tried using the LDAP filter "ldap-group-search-filter":
> {code:none}
> ldap-group-search-filter:(&(objectclass=group)(memberOf:1.2.840.113556.1.4.1941:=CN=Group B,OU=Farm Access,OU=Groups,OU=Lab,DC=domain,DC=local))
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
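
Added example (not part of the original report and not Guacamole code): an in-memory model of the hierarchy described above, comparing direct and transitive group resolution and showing which groups the quoted `memberOf:1.2.840.113556.1.4.1941:=` filter selects. Only Group B's DN comes from the report; every other DN and all function names are constructed for illustration.

```python
# Constructed sample directory mirroring the hierarchy in the report.
# Only Group B's DN appears in the report; the other DNs are made up.
BASE = "OU=Farm Access,OU=Groups,OU=Lab,DC=domain,DC=local"
GROUP_B = f"CN=Group B,{BASE}"
GROUP_A = f"CN=Group A,{BASE}"                      # constructed
GROUP_C = f"CN=Group C,{BASE}"                      # constructed, unrelated
JOE = "CN=joe,OU=Users,OU=Lab,DC=domain,DC=local"   # constructed

# AD "member" attribute: group DN -> DNs of its direct members.
MEMBER = {
    GROUP_B: {GROUP_A},
    GROUP_A: {JOE},
    GROUP_C: set(),
}


def direct_groups(dn):
    """Groups that list dn in their member attribute: (member=<dn>)."""
    return {g for g, members in MEMBER.items() if dn in members}


def transitive_groups(dn):
    """Groups reached by walking membership upward, which is what
    (member:1.2.840.113556.1.4.1941:=<dn>) selects. Safe against cycles."""
    seen, stack = set(), [dn]
    while stack:
        for group in direct_groups(stack.pop()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def groups_nested_in(parent):
    """Groups selected by the filter quoted in the report:
    (&(objectclass=group)(memberOf:1.2.840.113556.1.4.1941:=<parent>))."""
    return {g for g in MEMBER if parent in transitive_groups(g)}


def can_access(user, granted_group, resolver):
    """True if a permission granted to granted_group reaches user
    under the given membership resolver."""
    return granted_group in resolver(user)
```

With direct-only resolution a grant on Group B never reaches joe, which matches the reported symptom, and the quoted filter selects Group A but not Group B itself.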