Posted to user@guacamole.apache.org by wouterve <wo...@avr.be> on 2019/02/19 12:45:15 UTC

LDAP extension: how to ldap-user-base-dn with space in its name?

Hi,
I want to integrate LDAP authentication through the available extensions,
but having problems with providing the correct DN in my ldap-user-base-dn.
My security group has a space in its name (e.g. Company - aftersales)
How do I correctly provide the DN?

kr
wouter



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: LDAP extension: how to ldap-user-base-dn with space in its name?

Posted by wouterve <wo...@avr.be>.
vnick wrote
> On Tue, Feb 26, 2019 at 9:57 AM wouterve <woutervaneenoo@> wrote:
> 
>> I've just tested it and it works! Now, only users member of the SG
>> 'Company - Aftersales' have access to guacamole!
>>
>> Great!
> 
> 
>> Thanks a lot!
>>
>> regarding the syntax (ldap-user-search-filter:
>> (&(objectClass=person)(memberOf=cn=aftersales,ou=groups,dc=example,dc=com))
>> , is this defined by Guacamole or is this just standard LDAP (just
>> wetting my feet into this)
>>
>>
> This is standard LDAP filter syntax - it is passed through the LDAP
> extension after being encoded to verify that nothing bad (e.g. LDAP
> Injection) is going on.
> 
> -Nick

Ok thx for the clarification, have learned something new. 

kr

wouter




Re: LDAP extension: how to ldap-user-base-dn with space in its name?

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Feb 26, 2019 at 9:57 AM wouterve <wo...@avr.be> wrote:

> I've just tested it and it works! Now, only users member of the SG
> 'Company - Aftersales' have access to guacamole!
>
> Great!


> Thanks a lot!
>
> regarding the syntax (ldap-user-search-filter:
> (&(objectClass=person)(memberOf=cn=aftersales,ou=groups,dc=example,dc=com))
> , is this defined by Guacamole or is this just standard LDAP (just wetting
> my feet into this)
>
>
This is standard LDAP filter syntax - it is passed through the LDAP
extension after being encoded to verify that nothing bad (e.g. LDAP
Injection) is going on.

-Nick

Re: LDAP extension: how to ldap-user-base-dn with space in its name?

Posted by wouterve <wo...@avr.be>.
I've just tested it and it works! Now, only users member of the SG 'Company -
Aftersales' have access to guacamole!

Thanks a lot!

regarding the syntax (ldap-user-search-filter:
(&(objectClass=person)(memberOf=cn=aftersales,ou=groups,dc=example,dc=com))
, is this defined by Guacamole or is this just standard LDAP (just wetting
my feet into this)

kr

wouter




Re: LDAP extension: how to ldap-user-base-dn with space in its name?

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Feb 26, 2019, 05:42 wouterve <wo...@avr.be> wrote:

> ... Unfortunately,
> I cannot restart guacd right now as the server is in use.
>
> I'll update when this has solved my problem.
>

Though you'll still need to wait for the server to not be in use, what you
need to restart is Guacamole (by restarting Tomcat), not guacd. Restarting
guacd will have no impact on auth; it is independent of that.

- Mike

Re: LDAP extension: how to ldap-user-base-dn with space in its name?

Posted by wouterve <wo...@avr.be>.
Hi,

Sry, I forgot to reply to your answer. I've updated my previous answer
with the code that was omitted (I used markup, which is not supported
apparently)

So yes I already tried to use ldap-user-search-filter, but my syntax was
not correct when I compare it to yours. So, I've adapted it. Unfortunately,
I cannot restart guacd right now as the server is in use.

I'll update when this has solved my problem.

kr
wouter




Re: LDAP extension: how to ldap-user-base-dn with space in its name?

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Feb 21, 2019 at 4:17 AM wouterve <wo...@avr.be> wrote:

> Hi,
>
> Strangely, I don't see any error output in /var/log/tomcat7/catalina.out
>
> Then I tried to use the following:
>
>
> I do receive the following error:
>
>
>
> (still using the same userbase
>
> so, how could I limit the users to only the aftersales security group
> please?
>
>
Any screenshots you were trying to post inline got stripped out.

If you're trying to limit to a certain set of users within LDAP, I'd
suggest using the ldap-user-search-filter parameter in
guacamole.properties, which will allow you to define the LDAP filter used.
You could do something like:
ldap-user-search-filter: (&(objectClass=person)(memberOf=cn=aftersales,ou=groups,dc=example,dc=com))

Obviously adjust that to the type of object you actually want to find, and
the location of the group.

-Nick

Re: LDAP extension: how to ldap-user-base-dn with space in its name?

Posted by wouterve <wo...@avr.be>.
Hi,

Strangely, I don't see any error output in /var/log/tomcat7/catalina.out

Then I tried to use the following: 


I do receive the following error:



(still using the same userbase 

so, how could I limit the users to only the aftersales security group
please?




Re: LDAP extension: how to ldap-user-base-dn with space in its name?

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Feb 19, 2019 at 7:54 AM wouterve <wo...@avr.be> wrote:

> Hi,
> I want to integrate LDAP authentication through the available extensions,
> but having problems with providing the correct DN in my ldap-user-base-dn.
> My security group has a space in its name (e.g. Company - aftersales)
> How do I correctly provide the DN?
>
>
As far as I know you should just be able to put the full DN, including the
space, on the line:

ldap-user-base-dn: ou=Company - aftersales,dc=example,dc=com

The extension should just process the entire line as a string after the ":"
on the ldap-user-base-dn, so it really shouldn't matter.

If you're running into problems check the Tomcat log file and see if there
are any indications in there why it isn't working.

-Nick
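
Added example (not part of the thread and not Guacamole's own code): the replies above say a space in the DN needs no special handling and that the memberOf filter is standard LDAP filter syntax. This Python code applies the RFC 4514 (DN) and RFC 4515 (filter) escaping rules by hand to show which characters in a group name do need escaping when a DN is embedded in a filter; the helper names and the group name "Sales, EMEA (aftersales)" are constructed for illustration.

```python
# Added example: RFC 4514 (DN) and RFC 4515 (search filter) escaping,
# standard library only. Helper names and sample group names are constructed.

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)   # only leading/trailing space, leading '#'
        else:
            out.append(ch)          # interior spaces and '-' pass through
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_cn: str, groups_base: str, object_class: str = "person") -> str:
    """Build the thread's (&(objectClass=...)(memberOf=...)) filter.

    The group DN is DN-escaped first, then filter-escaped as a whole, so a
    backslash produced by DN escaping becomes \\5c inside the filter.
    """
    group_dn = f"cn={escape_rdn_value(group_cn)},{groups_base}"
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"(memberOf={escape_filter_value(group_dn)}))")


if __name__ == "__main__":
    base = "ou=groups,dc=example,dc=com"  # base DN from the thread's example
    for cn in ("aftersales", "Company - aftersales", "Sales, EMEA (aftersales)"):
        print(member_of_filter(cn, base))
```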