Posted to user@guacamole.apache.org by Zer0Cool <me...@gmail.com> on 2019/01/11 20:59:01 UTC

Dumb LDAP Properties Question

Guac: 1.0.0 with MySQL db + LDAP extension
OS: CentOS/RHEL 7.x (7.6 currently)

I am specifically talking about the following entries in
guacamole.properties:

ldap-hostname: myserver./mydomain/./com/
ldap-user-base-dn: dc=/mydomain/,dc=/com/
ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=/mydomain/,dc=/com/

So in the above example, is there any logical, legitimate reason the parts
in italics could be/should be different than the other entries in red (line
to line)?

Put another way, is there any reason to have the DC entries be different on
those 3 lines or is it safe to assume that "mydomain" will be the same
across all 3 lines?

Sorry for the silly question. Thanks



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Dumb LDAP Properties Question

Posted by Zer0Cool <me...@gmail.com>.
Yes I agree, I am just going to leave it as is and have it be manually
entered instead of making assumptions. Thanks




Re: Dumb LDAP Properties Question

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Jan 14, 2019 at 2:44 PM Zer0Cool <me...@gmail.com> wrote:

> Ok so from the responses it sounds like typically:
>
> ldap-user-base-dn: dc=mydomain,dc=com
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=mydomain,dc=com
>
> should be using the same DC entries but that:
>
> ldap-hostname: myserver./mydomain/./com/
>
> could possibly be on another domain.
>
> However, it sounds like it is theoretically possible they are not.
>
> I ask as I am working on a script in which currently all 3 are prompted for
> and hand entered. I was wondering if I could reduce the amount prompted for
> and assume the DC portions.
>
> In other words something like:
> prompt for ldap-hostname
> skip asking for ldap-user-base-dn (assume the same domain as ldap-hostname)
> and then for ldap-search-bind-dn the user only enters
> "cn=user_name,ou=user_ou" and assume the DC portions in the underlying
> code.
>
> So far it sounds like the answer is that the majority of time this would be
> a safe assumption but there could be instances in which they would differ.
> If that's the case I can leave it as is and have it be fully entered and not
> make assumptions.
>

I would say that, while it may be a "safe assumption" 51% ("majority") of
the time, it is not a good assumption.  There may be a variety of reasons
that the DNS domain (mydomain.com) differs from the LDAP tree base dn
(dc=mydomain,dc=com), and that you should prompt for each of them
individually.  As someone who administers a decent number of systems and
has done so for 20-ish years, I can say that having to enter that
information a couple of different times is preferable to not being given
that option and having the system make assumptions about the environment
that result in troubleshooting a bad configuration.

You could try to derive the values and use those derived values as
defaults, but still give the option to enter something different - that
might be a good compromise between extra key strokes and environments that
don't match your assumptions.

-Nick
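A shell sketch of the compromise Nick describes above: derive a base DN from the LDAP hostname and offer it as a default, but still prompt for every value so an environment where the DNS domain and the directory tree differ can override it. This is an added example written for this thread, not Guacamole's own tooling and not the original poster's script; the function names, the GUAC_LDAP_PROMPT variable and the sample hostnames in the comments are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of Guacamole or the poster's script): derive
# guacamole.properties LDAP defaults from the hostname, never assume them.

# DNS domain of a hostname: "myserver.mydomain.com" -> "mydomain.com".
# Prints nothing for a bare hostname or an IPv4 literal, so the caller
# has no default and must ask the operator for the base DN explicitly.
dns_domain_of() {
    host=$1
    # Digits and dots only means an IPv4 address, which carries no domain.
    case $host in
        *[!0-9.]*) ;;
        *) return 0 ;;
    esac
    case $host in
        *.*) printf '%s\n' "${host#*.}" ;;
    esac
}

# DNS domain -> LDAP base DN: "mydomain.com" -> "dc=mydomain,dc=com".
# This is only a guess at the directory layout; it is offered as a default.
base_dn_from_domain() {
    domain=$1
    [ -n "$domain" ] || return 0
    printf 'dc=%s\n' "$domain" | sed 's/\./,dc=/g'
}

# Search bind DN from what the operator typed: a value that already has
# dc= components is taken as a full DN, otherwise the base DN is appended.
compose_bind_dn() {
    entered=$1
    base=$2
    [ -n "$base" ] || { printf '%s\n' "$entered"; return 0; }
    case $entered in
        *dc=*|*DC=*) printf '%s\n' "$entered" ;;
        *) printf '%s,%s\n' "$entered" "$base" ;;
    esac
}

# Prompt on stderr with an optional default; an empty answer keeps the default.
prompt_default() {
    label=$1
    default=$2
    if [ -n "$default" ]; then
        printf '%s [%s]: ' "$label" "$default" >&2
    else
        printf '%s: ' "$label" >&2
    fi
    read -r answer
    printf '%s\n' "${answer:-$default}"
}

# Interactive flow, run only when GUAC_LDAP_PROMPT=1 (assumed variable name).
if [ "${GUAC_LDAP_PROMPT:-0}" = "1" ]; then
    ldap_hostname=$(prompt_default "ldap-hostname" "")
    derived_base=$(base_dn_from_domain "$(dns_domain_of "$ldap_hostname")")
    user_base_dn=$(prompt_default "ldap-user-base-dn" "$derived_base")
    bind_entry=$(prompt_default "ldap-search-bind-dn (RDN or full DN)" "")
    search_bind_dn=$(compose_bind_dn "$bind_entry" "$derived_base")
    printf 'ldap-hostname: %s\nldap-user-base-dn: %s\nldap-search-bind-dn: %s\n' \
        "$ldap_hostname" "$user_base_dn" "$search_bind_dn"
fi
```

Run it with GUAC_LDAP_PROMPT=1 to see the prompts; the three resulting lines are in the guacamole.properties format from the thread. Because the derived base DN is a guess at the directory contents (the hostname is a network concern, as Mike notes), it is worth checking the answers against the directory before writing them out, for example with a base-scope ldapsearch using -H for the hostname, -D and -W for the search bind DN and its password, and -b for the user base DN: a successful bind and a returned entry confirm both that the bind DN can authenticate and that the base DN exists.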

Re: Dumb LDAP Properties Question

Posted by Zer0Cool <me...@gmail.com>.
Ok so from the responses it sounds like typically:

ldap-user-base-dn: dc=mydomain,dc=com
ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=mydomain,dc=com

should be using the same DC entries but that:

ldap-hostname: myserver./mydomain/./com/

could possibly be on another domain.

However, it sounds like it is theoretically possible they are not.

I ask as I am working on a script in which currently all 3 are prompted for
and hand entered. I was wondering if I could reduce the amount prompted for
and assume the DC portions.

In other words something like:
prompt for ldap-hostname
skip asking for ldap-user-base-dn (assume the same domain as ldap-hostname)
and then for ldap-search-bind-dn the user only enters
"cn=user_name,ou=user_ou" and assume the DC portions in the underlying code.

So far it sounds like the answer is that the majority of time this would be
a safe assumption but there could be instances in which they would differ.
If that's the case I can leave it as is and have it be fully entered and not
make assumptions.




Re: Dumb LDAP Properties Question

Posted by Mike Jumper <mj...@apache.org>.
On Fri, Jan 11, 2019 at 12:59 PM Zer0Cool <me...@gmail.com> wrote:

> Guac: 1.0.0 with MySQL db + LDAP extension
> OS: CentOS/RHEL 7.x (7.6 currently)
>
> I am specifically talking about the following entries in
> guacamole.properties:
>
> ldap-hostname: myserver./mydomain/./com/
> ldap-user-base-dn: dc=/mydomain/,dc=/com/
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=/mydomain/,dc=/com/
>
> So in the above example, is there any logical, legitimate reason the parts
> in italics could be/should be different than the other entries in red (line
> to line)?
>
> Put another way, is there any reason to have the DC entries be different on
> those 3 lines or is it safe to assume that "mydomain" will be the same
> across all 3 lines?


First, there are two DC entries here, not three. The hostname of your LDAP
server is independent of the contents of your LDAP directory and is purely
a network concern. Whether it matches the DC attributes of objects in your
directory depends on how you set things up and is not guaranteed. It will
match if you have set things up such that it matches.

As for the user base DN and search bind DN, I don't believe these are
guaranteed to match. It definitely would be unusual if they didn't, but the
correct values are dictated by the contents of your LDAP directory. You
should look at the definitions of those properties, look at the contents of
your LDAP directory, and determine the values from your directory which
satisfy the requirements of those properties. The user base DN should be
the base DN of the part of your LDAP tree that contains the users relevant
to Guacamole. The search bind DN needs to have permission to query the
objects within the user base DN.

- Mike

Re: Dumb LDAP Properties Question

Posted by Erik Berndt <er...@superiorpaving.net>.
> Put another way, is there any reason to have the DC entries be different
> on those 3 lines.
I can't think of any reason how/why they could be different. What are you
trying to accomplish, or what issue are you running into?

> is it safe to assume that "mydomain" will be the same across all 3 lines
Yes.

Erik Berndt / Systems Administrator



On Fri, Jan 11, 2019 at 3:59 PM Zer0Cool <me...@gmail.com> wrote:

> Guac: 1.0.0 with MySQL db + LDAP extension
> OS: CentOS/RHEL 7.x (7.6 currently)
>
> I am specifically talking about the following entries in
> guacamole.properties:
>
> ldap-hostname: myserver./mydomain/./com/
> ldap-user-base-dn: dc=/mydomain/,dc=/com/
> ldap-search-bind-dn: cn=myuser,ou=user_ou,dc=/mydomain/,dc=/com/
>
> So in the above example, is there any logical, legitimate reason the parts
> in italics could be/should be different than the other entries in red (line
> to line)?
>
> Put another way, is there any reason to have the DC entries be different on
> those 3 lines or is it safe to assume that "mydomain" will be the same
> across all 3 lines?
>
> Sorry for the silly question. Thanks
>
>
>
> --
> Sent from:
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>
