Posted to user@guacamole.apache.org by nicoschottelius <ni...@ungleich.ch> on 2019/05/01 15:38:23 UTC

LDAP search vs. bind - what does guacamole use when?

Hello,

I've tried several combinations of ldap-search-bind-dn,
ldap-user-search-filter, ldap-max-search-results - all with one result: 

- User successfully authenticated in the logs
- Unable to query list of objects from LDAP directory message on the login
screen

What I would expect guacamole to do:

- bind as the user to find out whether it can login
- use the search-bind-dn to look for other objects

What I *assume* guacamole is actually doing:

- search the DN of the user using the search-bind-dn
- searching other objects using the USER dn

I suspect this behaviour, because having an ACL on a test server that allows
the user to read the sub tree, makes it finally work.

If my assumption is correct, is there any way to tell guacamole to behave as
written in the expected part above?

Best,

Nico
--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: LDAP search vs. bind - what does guacamole use when?

Posted by nicoschottelius <ni...@ungleich.ch>.
Hey Mike,

just read the part of "...the exception will prevent a login altogether."!
So far I thought I could avoid the problem with filters / using a sub tree,
but this is an eye opener...

and re testing: will certainly test against staging/1.1.0 tomorrow and then
come back to you!

Thanks for the quick replies and wish you a good evening!

Best,

Nico

p.s.: We have started building RPMs for centos7 / guacamole 1.0.0 - they are
not yet production ready, just a heads up that they exist in case anyone
else is interested.


Re: LDAP search vs. bind - what does guacamole use when?

Posted by Mike Jumper <mj...@apache.org>.
On Wed, May 1, 2019 at 12:48 PM nicoschottelius <
nico.schottelius@ungleich.ch> wrote:

> Hey Mike,
>
> the problem is that users cannot login like this at the moment. They are
> being shown the "Unable to query list of objects from LDAP directory"
> message on the website after I see a successful login in the guacamole
> logs.
>
> ...
>
> If I understood you correctly, this "should work", as there are no objects
> that are needed to be accessed, or did I understand that wrong?
>

That is correct. Guacamole does not *need* access to the objects in the
tree to authenticate users. It tries, but any failure is supposed to be
non-fatal. You might be running into:

https://issues.apache.org/jira/browse/GUACAMOLE-702

The above was recently fixed. Feel like testing against git master or
staging/1.1.0? :)

- Mike

Re: LDAP search vs. bind - what does guacamole use when?

Posted by nicoschottelius <ni...@ungleich.ch>.
Hey Mike,

the problem is that users cannot login like this at the moment. They are
being shown the "Unable to query list of objects from LDAP directory" message
on the website after I see a successful login in the guacamole logs.

From what I have seen so far, the way this LDAP tree works is pretty
"standard":

The tree basically holds all user information, but users cannot browse it
themselves. Users are only entities that are being managed by system
accounts (i.e. read or writing to the tree).

The tree itself covers 60k+ users and, as far as I can see, it is a rather
"complex" environment.

But coming back to your statement before, about accessing objects: the way
we intend to run guacamole is to use LDAP only for authentication and
storing all information in a postgres database. So from my point of view,
the users don't need access to *any* object in the tree, after it is
verified that guacamole could bind to it.

What I however see *after* the successful login is 2 search requests:

User "nico" successfully authenticated from 10.X.X.X.
Searching "ou=V,ou=X,ou=Z,ou=Y,o=A,c=ch" for objects matching
"(&(ou=SOME-OU)(cn=nico))".
Searching "ou=V,ou=X,ou=Z,ou=Y,o=A,c=ch" for objects matching
"(&(ou=SOME-OU)(cn=*))".

And then the final error message on the webinterface.

We are not using the LDAP schema nor trying to store objects in LDAP from
guacamole.

If I understood you correctly, this "should work", as there are no objects
that are needed to be accessed, or did I understand that wrong?

Best,

Nico


Re: LDAP search vs. bind - what does guacamole use when?

Posted by Mike Jumper <mj...@apache.org>.
On Wed, May 1, 2019 at 12:06 PM nicoschottelius <
nico.schottelius@ungleich.ch> wrote:

> ...
> The way things are configured in this particular network is that there
> is one "reading" binding user that can search the tree and find objects.
>
> Users can only bind, but cannot search anything.
>

Assuming your users don't need access to those objects, that should still
be OK. Users should still be able to log in to Guacamole using their
credentials. They will simply not be able to access anything they don't
have permission to access.


>
> Is there any way to alter the behaviour in guacamole to switch it around?
> I.e. by adding a flag like ldap-search-with-search-bind-dn: true ?
>

If your LDAP directory is explicitly configured to deny those users access
to those objects, then effectively bypassing the access controls of LDAP is
not a good path forward. If your users authenticating via LDAP *do* need
access to those objects within LDAP, then you should grant those users
access to those objects, perhaps by creating a group with the necessary
access.


>
> As this project is also a bit time-critical, I'd be happy for any
> feedback
> in the direction of "sounds doable" or "absolutely impossible".
>

Neither. It's not a matter of whether it's possible. My feedback in this
case would be: "sounds like it shouldn't be done".

Is there a reason why making code changes to software to add a new
configuration option to work around enforcement of intended access
restrictions is a more inviting solution than simply granting access to the
users in question?

- Mike

Re: LDAP search vs. bind - what does guacamole use when?

Posted by nicoschottelius <ni...@ungleich.ch>.
Good evening Nick,

understood how it works and somewhat happy to see that my findings were not
incorrect.

However in the (rather huge) environment I would like to get guacamole
working, this will be a full show stopper, as users don't have *any* search
right in the AD/LDAP tree.

The way things are configured in this particular network is that there
is one "reading" binding user that can search the tree and find objects.

Users can only bind, but cannot search anything.

Is there any way to alter the behaviour in guacamole to switch it around?
I.e. by adding a flag like ldap-search-with-search-bind-dn: true ?

As this project is also a bit time-critical, I'd be happy for any feedback
in the direction of "sounds doable" or "absolutely impossible".

Best regards,

Nico


Re: LDAP search vs. bind - what does guacamole use when?

Posted by Nick Couchman <vn...@apache.org>.
On Wed, May 1, 2019 at 11:38 AM nicoschottelius <
nico.schottelius@ungleich.ch> wrote:

> Hello,
>
> I've tried several combinations of ldap-search-bind-dn,
> ldap-user-search-filter, ldap-max-search-results - all with one result:
>
> - User  successfully authenticated in the logs
> - Unable to query list of objects from LDAP directory message on the login
> screen
>
> What I would expect guacamole to do:
>
> - bind as the user to find out whether it can login
> - use the search-bind-dn to look for other objects
>

No.  And there's a good reason for this - see below.


>
> What I *assume* guacamole is actually doing:
>
> - search the DN of the user using the search-bind-dn
> - searching other objects using the USER dn
>

It depends a little bit on how you have things configured.  If you do not
enter an ldap-search-bind-dn and password, the extension attempts to
generate the bind DN using the ldap-username-attribute (uid by default),
the username entered, and the ldap-user-base-dn.  So, if you leave the
attribute as uid, set ldap-user-base-dn to "dc=example,dc=com", and log in
with "testuser", the bind DN that the extension will use would be:
uid=testuser,dc=example,dc=com.

If you enter the ldap-search-bind-dn and password values, the extension
will bind with those credentials, search the LDAP tree for the user that is
logging in, using the username attribute (uid by default), and then will
attempt to re-bind with the DN that was located and the password provided
by the user at login time.

All of the other searches within the LDAP tree - for connections (assuming
ldap-config-base-dn is set) and user groups (assuming ldap-group-base-dn is
set) are done using the bind DN and password of *the user that logged in*
(NOT the ldap-search-bind-dn).  The *only* thing the ldap-search-bind-dn
value and password are used for is to locate the user logging in.  The
reason it behaves this way, and not the way you expect, is that the LDAP
extension relies explicitly on LDAP access control for the user who is
logging in to govern what other users, groups, and connections
(configurations) the user can see within Guacamole.  This is by design.

This behavior is described in the LDAP section of the manual:
http://guacamole.apache.org/doc/gug/ldap-auth.html

-Nick
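The flow Nick describes above, and the failure Nico reports (a successful user bind followed by searches that the user's own DN is not allowed to perform), as an added example that models the two bind strategies against a constructed in-memory directory. This is illustration code, not Guacamole's LDAP extension. The guacamole.properties key names are the real ones; the directory entries, passwords, subtree ACLs and the `reader`/`nico`/`alice` accounts are made up. A denied search after login is recorded as a warning rather than failing the login, which is the non-fatal outcome Mike says is intended.

```python
"""Added example (not Guacamole's code): model of search-bind vs. derived-DN
login and of searches that run as the logged-in user.  Directory contents,
passwords and ACLs below are constructed for illustration."""
from dataclasses import dataclass


class InvalidCredentials(Exception):
    """Bind rejected or user not found (LDAP resultCode 49)."""


class InsufficientAccess(Exception):
    """Search denied by the directory's ACL (LDAP resultCode 50)."""


@dataclass
class Entry:
    dn: str
    attrs: dict


class Directory:
    """Tiny LDAP stand-in: bind checks a password; search is allowed only on
    the subtrees listed for the bound DN in the (constructed) ACL."""

    def __init__(self, entries, acl):
        self.entries = {e.dn.lower(): e for e in entries}
        self.acl = {dn.lower(): {b.lower() for b in bases} for dn, bases in acl.items()}

    def bind(self, dn, password):
        entry = self.entries.get(dn.lower())
        if entry is None or entry.attrs.get("userPassword") != password:
            raise InvalidCredentials(dn)
        return Connection(self, dn.lower())


class Connection:
    """A bound session: every search is authorised as the bound DN."""

    def __init__(self, directory, bound_dn):
        self.directory, self.bound_dn = directory, bound_dn

    def search(self, base, filt):
        """Subtree search under base; filt maps attribute -> value ('*' = present)."""
        base = base.lower()
        if base not in self.directory.acl.get(self.bound_dn, set()):
            raise InsufficientAccess(f"{self.bound_dn} may not search {base}")
        return [
            e for e in self.directory.entries.values()
            if e.dn.lower().endswith("," + base)
            and all(k in e.attrs and (v == "*" or e.attrs[k] == v) for k, v in filt.items())
        ]


def authenticate(directory, cfg, username, password):
    """Locate the user (search account if configured, else a derived DN), bind as
    the user, then look up connections/groups *as the user*, never as the
    search account.  Denied lookups become warnings, not login failures."""
    attr = cfg.get("ldap-username-attribute", "uid")
    user_base = cfg["ldap-user-base-dn"]
    if cfg.get("ldap-search-bind-dn"):
        svc = directory.bind(cfg["ldap-search-bind-dn"], cfg["ldap-search-bind-password"])
        hits = svc.search(user_base, {attr: username})
        if len(hits) != 1:
            raise InvalidCredentials(username)
        user_dn = hits[0].dn
    else:
        user_dn = f"{attr}={username},{user_base}"
    conn = directory.bind(user_dn, password)  # only the user's own credentials from here on
    result = {"dn": user_dn, "connections": [], "groups": [], "warnings": []}
    for key, target in (("ldap-config-base-dn", "connections"), ("ldap-group-base-dn", "groups")):
        if cfg.get(key):
            try:
                result[target] = [e.dn for e in conn.search(cfg[key], {"cn": "*"})]
            except InsufficientAccess as exc:
                result["warnings"].append(str(exc))
    return result


# Constructed directory: a read-only service account that may search everything,
# a user who can only bind (Nico's situation), and a user who may read the tree.
BASE = "dc=example,dc=com"
DIRECTORY = Directory(
    entries=[
        Entry(f"cn=reader,ou=system,{BASE}", {"cn": "reader", "userPassword": "reader-pw"}),
        Entry(f"uid=nico,ou=people,{BASE}", {"uid": "nico", "cn": "nico", "userPassword": "nico-pw"}),
        Entry(f"uid=alice,ou=people,{BASE}", {"uid": "alice", "cn": "alice", "userPassword": "alice-pw"}),
        Entry(f"cn=rdp-jump,ou=guacamole,{BASE}", {"cn": "rdp-jump"}),
    ],
    acl={
        f"cn=reader,ou=system,{BASE}": {f"ou=people,{BASE}", f"ou=guacamole,{BASE}"},
        f"uid=alice,ou=people,{BASE}": {f"ou=guacamole,{BASE}"},
        # uid=nico has no search rights at all
    },
)

SEARCH_BIND_CFG = {  # real guacamole.properties keys, constructed values
    "ldap-user-base-dn": f"ou=people,{BASE}",
    "ldap-search-bind-dn": f"cn=reader,ou=system,{BASE}",
    "ldap-search-bind-password": "reader-pw",
    "ldap-config-base-dn": f"ou=guacamole,{BASE}",
}
DERIVED_DN_CFG = {"ldap-user-base-dn": f"ou=people,{BASE}", "ldap-config-base-dn": f"ou=guacamole,{BASE}"}

if __name__ == "__main__":
    print(authenticate(DIRECTORY, SEARCH_BIND_CFG, "nico", "nico-pw"))
    print(authenticate(DIRECTORY, DERIVED_DN_CFG, "alice", "alice-pw"))
```

Running it shows the point of the thread: `nico` is found by the search account and his bind succeeds, but the follow-up search under ou=guacamole is refused because it is made with his DN, so he logs in with an empty connection list and a warning; `alice`, who has read access to that subtree, sees the connection. Switching the second phase to the search account would make the directory's ACL irrelevant, which is exactly what Mike argues against.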