Posted to user@guacamole.apache.org by Kevin Cameron <ke...@gmail.com> on 2022/11/16 16:44:08 UTC

Re: Issues with LDAP groups and users not populating

I know this is an old post but given the amount of time I put into this I
thought I would post a follow-up.

So I was having a crazy amount of issues with users not populating
consistently or not working from LDAP.  What I finally figured out is it
was related to the Primary AD group that the users were part of.  In our
use case the accounts used by Guac users were not part of the "Domain
Users" group so we had the primary group the same as the AD group tied to
Guacamole.  Because of the way that the LDAP details are returned, a user's
primary AD group does not appear in the "MembersOf" list.

After finally figuring this out we had to have a unique AD group to use as
the primary AD group and then when we assigned a user to their sub group
which was tied to Guacamole they populated right away!

Kevin

On Fri, Jul 8, 2022 at 1:25 PM David Haukeness <da...@hauken.us> wrote:

> For reference, here is my sanitized AD LDAP config. Do you notice any
> obvious differences from yours? I’m running 1.4.0 on Ubuntu LTS 20.04.3
>
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> ### LDAP properties
> ldap-hostname:           contoso.com
> ldap-port:               636
> ldap-encryption-method:  ssl
> ldap-user-base-dn:       OU=Users,DC=contoso,DC=com
> ldap-username-attribute: sAMAccountName
> ldap-search-bind-dn:     CN=LDAP Query User,OU=Service Accounts,DC=contoso,DC=com
> ldap-search-bind-password: correcthorsebatterystaple
> ldap-group-base-dn: OU=Guacamole Groups,DC=contoso,DC=com
> ldap-follow-referrals: true
> ldap-dereference-aliases: always
>
> # Postgres
> postgresql-hostname: localhost
> postgresql-port: 5432
> postgresql-database: guacamole_db
> postgresql-username: guacamole_user
> postgresql-password: correcthorsebatterystaple
> postgresql-auto-create-accounts: true
>
>
> David Haukeness
> Sent from my iPhone
>
> > On Jul 8, 2022, at 10:47 AM, Kevin Cameron <ke...@gmail.com>
> wrote:
> >
> > 
> > I have 6 different instances of Guacamole set up connected to MS Active
> Directory with a Postgres background DB.
> >
> > They all have a similar guacamole.properties and when I verify my group
> and user search filter strings with ldapsearch I get consistent and
> expected results.
> >
> > Problem:
> >   In the catalina.out I can see LDAP search results showing the users
> and AD groups that are expected but they sometimes update in Guacamole,
> sometimes not.  If I sign into Guacamole with an AD user the user can
> authenticate and the user does show up in the Guacamole GUI BUT at the top
> of the page they don't have the tabs that reflect that they are LDAP /
> Postgres users.
> >
> > At the same time the AD groups don't populate the groups list.
> >
> > postgresql-auto-create-accounts is set to true.
> >
> > Sometimes if I manually create a random user then all of a sudden the
> lists populate on the next user login but not always.  And then any future
> updates do not show.  Restarting the application does not seem to make a
> difference.
> >
> > Instance 1
> >
> > vs
> >
> > Instance 2:
> >
> >
> > My logback is set up to debug so I get a lot of log activity but is there
> something I can add to the logback to focus on the LDAP process?
> >
> > I have spent a lot of time on this and could use help.  I really need
> the AD groups to import correctly so that we can tie connections to them.
> > Thanks,
> > Kevin
>
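
An added example, not from the thread or from the Guacamole project, of the behaviour described in the follow-up: Active Directory stores a user's primary group as a RID in `primaryGroupID`, not in the user's `memberOf` (or the group's `member`), so a lookup based on those attributes misses it. The sketch resolves that RID against group `objectSid` values and lists users who hold a watched group only as their primary group; the domain SID, RIDs, group names and entries are constructed.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid (as AD returns it over LDAP) to S-1-5-21-... form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def str_to_sid(text: str) -> bytes:
    """Inverse of sid_to_str; used here only to build the constructed sample data."""
    parts = text.split("-")[1:]
    subs = [int(p) for p in parts[2:]]
    return (bytes([int(parts[0]), len(subs)]) + int(parts[1]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def primary_group_dn(user: dict, groups: list):
    """Resolve primaryGroupID (a RID) to a group DN: the user's domain SID + RID."""
    domain = sid_to_str(user["objectSid"]).rsplit("-", 1)[0]
    wanted = f"{domain}-{user['primaryGroupID']}"
    return next((g["dn"] for g in groups if sid_to_str(g["objectSid"]) == wanted), None)

def hidden_memberships(users: list, groups: list, watched_dn: str) -> list:
    """Users who belong to watched_dn only as their primary group, so memberOf omits it."""
    return [u["sAMAccountName"] for u in users
            if primary_group_dn(u, groups) == watched_dn
            and watched_dn not in u.get("memberOf", [])]

# Constructed sample data (not from the thread): domain SID, RIDs and names are made up.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
GUAC = "CN=Guac Admins,OU=Guacamole Groups,DC=contoso,DC=com"
BASE = "CN=Guac Base,OU=Guacamole Groups,DC=contoso,DC=com"
GROUPS = [{"dn": GUAC, "objectSid": str_to_sid(DOMAIN + "-1601")},
          {"dn": BASE, "objectSid": str_to_sid(DOMAIN + "-1602")}]
USERS = [
    # Primary group is the Guacamole-mapped group itself: memberOf stays empty.
    {"sAMAccountName": "alice", "objectSid": str_to_sid(DOMAIN + "-2001"),
     "primaryGroupID": 1601, "memberOf": []},
    # Separate primary group, Guacamole group assigned normally: listed in memberOf.
    {"sAMAccountName": "bob", "objectSid": str_to_sid(DOMAIN + "-2002"),
     "primaryGroupID": 1602, "memberOf": [GUAC]},
]

if __name__ == "__main__":
    print(hidden_memberships(USERS, GROUPS, GUAC))
```

Against a real directory, the same fields (`objectSid`, `primaryGroupID`, `memberOf`) would come from an LDAP search of the user and group base DNs instead of the inline lists.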