Posted to user@guacamole.apache.org by Kevin Leigeb <ke...@wisc.edu.INVALID> on 2021/09/13 20:42:19 UTC

Dockerized Guac LDAP Config

Hey All -

I've been having a really rough go lately getting the LDAP configuration to work with Guacamole running in docker compose. I'm able to get users to successfully authenticate, but the group stuff and the connection between LDAP/Postgres seems to be the biggest sticking point for me.

Perhaps I'm going about this the wrong way, but I've been attempting to set up LDAP to use some RBAC groups in our AD using the LDAP_USER_SEARCH_FILTER set to the following:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--all,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--admins,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)))

The idea here is to just get this working with two groups: admins and non-admins for the time being.

The user page populates with the members of these groups as expected, but the group page is a different story. Ideally I'd like the two groups above to be the only ones pulled from AD, but without a LDAP_GROUP_SEARCH_FILTER setting I'm having a hard time accomplishing this. If I set the group base DN to the OU of the two groups shown above, I see those groups but none of the members of the groups are the actual members pulled from AD as expected. Regardless of nested membership or direct membership in that group, the membership appears empty and the only options to add users are those manually created in the UI (so they also exist in the postgres DB).

Am I misunderstanding how the LDAP/postgres connection is supposed to work? Should I approach this from a different angle?

Thanks for any help you can provide in guiding me towards a solution, and let me know if there's any additional information I can provide that would be helpful.

Kevin


RE: Dockerized Guac LDAP Config

Posted by Kevin Leigeb <ke...@wisc.edu.INVALID>.
Just wanted to reach out again to see if anyone had any thoughts on what I could try to get this working.

Kevin




RE: Dockerized Guac LDAP Config

Posted by Kevin Leigeb <ke...@wisc.edu.INVALID>.
Hey Mike, thanks for the response. This clears things up a bit for me as I wasn’t expecting this to be the behavior, so I’ll have to do a bit more testing off of this new assumption to see if things are working as expected.

One thing I’m still curious about is whether it’s expected behavior to not see any data when you click the LDAP tab. I feel like it should still at least show the data from the group even if it can’t edit it.

[inline image: image001.png]

From: Mike Jumper <mi...@glyptodon.com>
Sent: Tuesday, September 21, 2021 10:02 AM
To: user@guacamole.apache.org
Subject: Re: Dockerized Guac LDAP Config

The behavior described so far sounds like things are working: the groups in question appear, and they show the correct data within each of the datasource-specific tabs. You see two tabs for the group (LDAP and PostgreSQL) because the same group exists within both datasources. Within each of those tabs, you see data specific to the datasource associated with that tab, and only data from that datasource.

While the PostgreSQL tab is selected, you see no group members from LDAP because the tab is specific to PostgreSQL. No group members have been added manually from PostgreSQL. This is fine and doesn't mean that the group will not work - LDAP members of the LDAP version of that group will still inherit permissions granted to the PostgreSQL version of that group, even though you will not see LDAP members in the PostgreSQL tab.

When an LDAP user logs in that is a direct member of either of those groups within LDAP, do they have the expected level of access inherited from those groups? The UI will not show LDAP group members within the PostgreSQL tab, but LDAP group members will inherit those permissions upon login when Guacamole queries their group memberships.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.


On Tue, Sep 21, 2021 at 7:50 AM Kevin Leigeb <ke...@wisc.edu.invalid> wrote:
Just wanted to check in one last time to see if anyone has any thoughts on what might be wrong here.


From: Kevin Leigeb <ke...@wisc.edu.INVALID>
Sent: Wednesday, September 15, 2021 1:25 PM
To: user@guacamole.apache.org
Subject: RE: Dockerized Guac LDAP Config

Yes to the first question. I’ve additionally created a guacadmin AD account so that I can log in as myself or that account and still see the AD account listings. When I open the user or group page, I see two tabs on the top; one for LDAP which shows a lock and tells me it can’t be edited and one for Postgres.

For the guac client, I’m running the latest tag of the image from dockerhub which I pulled again yesterday morning to make sure it was up to date. Happy to pin it to a specific tag if that might help.

From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, September 15, 2021 1:11 PM
To: user@guacamole.apache.org
Subject: Re: Dockerized Guac LDAP Config


When you set the configuration for the group search dn, and you're looking at the groups, are you doing so as a user that is part of your AD tree, that is logged in via LDAP?

Also, can you confirm what version of Guacamole Client you're running?

-Nick



Re: Dockerized Guac LDAP Config

Posted by Mike Jumper <mi...@glyptodon.com>.
The behavior described so far sounds like things are working: the groups in
question appear, and they show the correct data within each of the
datasource-specific tabs. You see two tabs for the group (LDAP and
PostgreSQL) because the same group exists within both datasources. Within
each of those tabs, you see data specific to the datasource associated with
that tab, and *only* data from that datasource.

While the PostgreSQL tab is selected, you see no group members from LDAP
because the tab is specific to PostgreSQL. No group members have been added
manually from PostgreSQL. This is fine and doesn't mean that the group will
not work - LDAP members of the LDAP version of that group will still
inherit permissions granted to the PostgreSQL version of that group, even
though you will not see LDAP members in the PostgreSQL tab.

When an LDAP user logs in that is a direct member of either of those groups
within LDAP, do they have the expected level of access inherited from those
groups? The UI will not show LDAP group members within the PostgreSQL tab,
but LDAP group members will inherit those permissions upon login when
Guacamole queries their group memberships.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.


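The two pieces of this thread that are easy to get wrong are what the posted LDAP_USER_SEARCH_FILTER actually admits (the 1.2.840.113556.1.4.803 bit test excludes disabled accounts, the 1.2.840.113556.1.4.1941 chain rule follows nested membership) and Mike's point that permissions granted to the PostgreSQL copy of a group flow to LDAP users by group name even though the PostgreSQL tab lists no members. The following is an added example, not Guacamole code and not from anyone in the thread: an offline model of both rules over a constructed directory, plus the group-name join. The user container (OU=people), the nested helpdesk group, the five accounts and the permission strings are all invented for illustration, and the join assumes the login-time group lookup uses direct membership only, which is what Mike's "direct member" wording suggests but which you should confirm against the LDAP extension documentation for your version.

```python
"""Offline model of the AD matching rules in the posted user filter and of the
LDAP-group -> PostgreSQL-group permission join.  Added example, not Guacamole
code and not from the thread; every DN, account and permission is constructed."""
from typing import Dict, List, Set

# Bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2) in the filter.
ADS_UF_ACCOUNTDISABLE = 0x2
ENABLED, DISABLED = 0x200, 0x200 | ADS_UF_ACCOUNTDISABLE   # NORMAL_ACCOUNT +/- disabled

GROUPS_OU = "OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello"   # from the thread
PEOPLE_OU = "OU=people,DC=hi,DC=hello"                             # assumed user container
ALL_DN = f"CN=guacamole_users--all,{GROUPS_OU}"
ADMINS_DN = f"CN=guacamole_users--admins,{GROUPS_OU}"
HELPDESK_DN = f"CN=helpdesk,{GROUPS_OU}"                           # assumed nested group


def person(name: str, uac: int) -> dict:
    # objectCategory is a schema DN in real AD; the short form is enough for this model.
    return {"objectCategory": "person", "objectClass": ["top", "user"],
            "sAMAccountName": name, "userAccountControl": uac}

# Constructed directory. AD stores the forward 'member' link; memberOf is derived from it.
DIRECTORY: Dict[str, dict] = {
    ALL_DN:      {"objectClass": ["top", "group"], "member": [f"CN=alice,{PEOPLE_OU}", HELPDESK_DN]},
    ADMINS_DN:   {"objectClass": ["top", "group"], "member": [f"CN=bob,{PEOPLE_OU}"]},
    HELPDESK_DN: {"objectClass": ["top", "group"], "member": [f"CN=carol,{PEOPLE_OU}", f"CN=dave,{PEOPLE_OU}"]},
    f"CN=alice,{PEOPLE_OU}": person("alice", ENABLED),    # direct member of --all
    f"CN=bob,{PEOPLE_OU}":   person("bob", ENABLED),      # direct member of --admins
    f"CN=carol,{PEOPLE_OU}": person("carol", ENABLED),    # in --all only through helpdesk
    f"CN=dave,{PEOPLE_OU}":  person("dave", DISABLED),    # nested member, account disabled
    f"CN=erin,{PEOPLE_OU}":  person("erin", ENABLED),     # in neither Guacamole group
}

# Constructed PostgreSQL side: same group names, carrying the permissions, with no
# members of their own (what the empty PostgreSQL tab in the thread shows).
POSTGRES_GROUP_PERMISSIONS: Dict[str, Set[str]] = {
    "guacamole_users--all":    {"READ:connection/jumphost"},
    "guacamole_users--admins": {"READ:connection/jumphost", "ADMINISTER:system"},
}


def bitwise_and_rule(value: int, mask: int) -> bool:
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): every bit of mask is set."""
    return value & mask == mask


def direct_groups(directory: Dict[str, dict], dn: str) -> Set[str]:
    """Groups whose 'member' attribute lists dn, i.e. what a plain (member=<dn>) search returns."""
    return {g for g, entry in directory.items() if dn in entry.get("member", [])}


def chain_groups(directory: Dict[str, dict], dn: str) -> Set[str]:
    """LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) on memberOf: every group
    reachable through nested membership. The seen-set also terminates on group cycles."""
    seen: Set[str] = set()
    todo = [dn]
    while todo:
        for group in direct_groups(directory, todo.pop()):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return seen


def matches_user_filter(directory: Dict[str, dict], dn: str) -> bool:
    """Evaluates the posted LDAP_USER_SEARCH_FILTER against one entry."""
    entry = directory[dn]
    return (entry.get("objectCategory") == "person"
            and "user" in entry.get("objectClass", [])
            and not bitwise_and_rule(entry.get("userAccountControl", 0), ADS_UF_ACCOUNTDISABLE)
            and bool(chain_groups(directory, dn) & {ALL_DN, ADMINS_DN}))


def search_users(directory: Dict[str, dict]) -> List[str]:
    """sAMAccountNames the filter admits: the population of the Users page."""
    return sorted(entry["sAMAccountName"] for dn, entry in directory.items()
                  if matches_user_filter(directory, dn))


def cn_of(dn: str) -> str:
    """Leading RDN value of a DN (toy parsing: no escaped commas)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def effective_permissions(directory: Dict[str, dict], dn: str) -> Set[str]:
    """Permissions an LDAP user holds after login, joined by group name to PostgreSQL.

    Assumption (not verified against Guacamole's LDAP extension): the login-time group
    lookup uses direct membership only, so a user admitted by the nested-aware filter
    can still inherit nothing."""
    if not matches_user_filter(directory, dn):
        return set()   # rejected by the user search, so never reaches the group lookup
    perms: Set[str] = set()
    for group in direct_groups(directory, dn):
        perms |= POSTGRES_GROUP_PERMISSIONS.get(cn_of(group), set())
    return perms


if __name__ == "__main__":
    print("filter admits:", search_users(DIRECTORY))
    for name in ("alice", "bob", "carol", "dave", "erin"):
        print(f"{name:6} ->", sorted(effective_permissions(DIRECTORY, f"CN={name},{PEOPLE_OU}")))
```

Run as-is it shows the asymmetry worth checking for in a real deployment: carol is admitted by the filter because the chain rule sees her nested membership in guacamole_users--all, but under the direct-membership assumption she inherits nothing, while dave is kept out of the Users page entirely by the disabled-account bit even though he sits in the same nested group. Against a real domain controller the equivalent check is an ldapsearch with the same filter and user base DN, bound as the search account Guacamole uses, compared with what the Users page shows; note that the chain rule is evaluated server-side on every search and is noticeably slower on large forests.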

RE: Dockerized Guac LDAP Config

Posted by Kevin Leigeb <ke...@wisc.edu.INVALID>.
Just wanted to check in one last time to see if anyone has any thoughts on what might be wrong here.




RE: Dockerized Guac LDAP Config

Posted by Kevin Leigeb <ke...@wisc.edu.INVALID>.
Yes to the first question. I’ve additionally created a guacadmin AD account so that I can log in as myself or that account and still see the AD account listings. When I open the user or group page, I see two tabs on the top; one for LDAP which shows a lock and tells me it can’t be edited and one for Postgres.

For the guac client, I’m running the latest tag of the image from dockerhub which I pulled again yesterday morning to make sure it was up to date. Happy to pin it to a specific tag if that might help.



Re: Dockerized Guac LDAP Config

Posted by Nick Couchman <vn...@apache.org>.
When you set the configuration for the group search dn, and you're looking
at the groups, are you doing so as a user that is part of your AD tree,
that is logged in via LDAP?

Also, can you confirm what version of Guacamole Client you're running?

-Nick
