Posted to user@guacamole.apache.org by Stefan Bogdan Cimpeanu <bo...@cimpeanu.org> on 2020/03/16 23:34:21 UTC

Azure AADDS "duplicate" users random string

Hello all,
In our Azure AADDS, which from Guacamole’s point of view is just a simple LDAP, we have situations where a user would appear as duplicate, depending on its sign in domain.
For example we might have firstname.lastname@domain1.com and firstname.lastname@ad.local.

In this situation in Guacamole we see two users, one of them having what appears to be a random string attached, like firstname.lastn (FD5FDBAD) (yes there’s also some trimming involved too, I’d assume so that it would fit the 20 chars limit for ldap?).

Can you please explain how this random string is being generated?

Thanks,
Bogdan

Re: Azure AADDS "duplicate" users random string

Posted by Mike Jumper <mj...@apache.org>.
On Wed, Mar 18, 2020, 13:27 Stefan Bogdan Cimpeanu <bo...@cimpeanu.org>
wrote:

> Hi Nick,
> That would be ok in a green field deployment, but unfortunately this is
> not the case.
>
> We don’t have an actual issue with this setup, we only limit Guacamole
> login to a specific domain anyway, however it’s blocking us from being able to
> automate connection and user permissions in Guacamole.
> It’s why I was hoping there’s a predictable way these strings are
> generated.
>

I don't believe these strings are generated, at least not by Guacamole.
Nothing within Guacamole appends a random string to usernames. When using
LDAP, usernames are simply queried directly from LDAP.

- Mike

Re: Azure AADDS "duplicate" users random string

Posted by Stefan Bogdan Cimpeanu <bo...@cimpeanu.org>.
Hi Nick,
That would be ok in a green field deployment, but unfortunately this is not the case.

We don’t have an actual issue with this setup, we only limit Guacamole login to a specific domain anyway, however it’s blocking us from being able to automate connection and user permissions in Guacamole.
It’s why I was hoping there’s a predictable way these strings are generated.

Regards,
Bogdan

> On 17 Mar 2020, at 22:20, Nick Couchman <vn...@apache.org> wrote:
> 
> On Mon, Mar 16, 2020 at 7:34 PM Stefan Bogdan Cimpeanu <bogdan@cimpeanu.org> wrote:
> Hello all,
> In our Azure AADDS, which from Guacamole’s point of view is just a simple LDAP, we have situations where a user would appear as duplicate, depending on its sign in domain.
> For example we might have firstname.lastname@domain1.com and firstname.lastname@ad.local.
> 
> 
> In this case I would suggest that you change the ldap-username-attribute to something other than sAMAccountName that actually uniquely identifies the user.  You might use mail to make it their e-mail address, or userPrincipal (I think?) usually includes both the username and domain name.
> 
> -Nick 


Re: Azure AADDS "duplicate" users random string

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Mar 16, 2020 at 7:34 PM Stefan Bogdan Cimpeanu <bo...@cimpeanu.org>
wrote:

> Hello all,
> In our Azure AADDS, which from Guacamole’s point of view is just a simple
> LDAP, we have situations where a user would appear as duplicate, depending
> on its sign in domain.
> For example we might have firstname.lastname@domain1.com and
> firstname.lastname@ad.local .
>
>
In this case I would suggest that you change the ldap-username-attribute to
something other than sAMAccountName that actually uniquely identifies the
user.  You might use mail to make it their e-mail address, or userPrincipal
(I think?) usually includes both the username and domain name.

-Nick
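
Before pointing ldap-username-attribute at a different attribute, it is worth checking that the candidate is present and unique for every account that will log in. The script below is an added example, not code from this thread or from Guacamole; the directory entries are constructed sample data, userPrincipalName is the Active Directory attribute name, and the suffix pattern is an assumption inferred only from the single "(FD5FDBAD)" value quoted in the first message.

```python
import re
from collections import Counter

# Constructed sample entries (not taken from the thread). Two accounts share a
# mailbox address and one has no mail attribute at all.
ENTRIES = [
    {"sAMAccountName": "firstname.lastname",
     "userPrincipalName": "firstname.lastname@ad.local",
     "mail": "firstname.lastname@domain1.com"},
    {"sAMAccountName": "firstname.lastn (FD5FDBAD)",
     "userPrincipalName": "firstname.lastname@domain1.com",
     "mail": "firstname.lastname@domain1.com"},
    {"sAMAccountName": "other.user",
     "userPrincipalName": "other.user@domain1.com"},
]

# Assumed shape of the appended string: space, then 8 hex digits in parentheses.
SUFFIX_RE = re.compile(r" \([0-9A-Fa-f]{8}\)$")


def audit_attribute(entries, attr):
    """Report whether attr gives every entry a unique, predictable login name."""
    values = [e.get(attr) for e in entries]
    missing = sum(1 for v in values if not v)
    # Compare case-insensitively so near-identical names count as collisions.
    counts = Counter(v.lower() for v in values if v)
    duplicates = sorted(v for v, n in counts.items() if n > 1)
    suffixed = sorted(v for v in values if v and SUFFIX_RE.search(v))
    return {
        "attribute": attr,
        "missing": missing,
        "duplicates": duplicates,
        "suffixed": suffixed,
        "usable": missing == 0 and not duplicates and not suffixed,
    }


def usable_attributes(entries,
                      candidates=("sAMAccountName", "userPrincipalName", "mail")):
    """Return the candidate attributes that pass the audit for all entries."""
    return [a for a in candidates if audit_attribute(entries, a)["usable"]]


if __name__ == "__main__":
    for name in ("sAMAccountName", "userPrincipalName", "mail"):
        print(audit_attribute(ENTRIES, name))
    print("usable for ldap-username-attribute:", usable_attributes(ENTRIES))
```

Run it against an export of the real directory (each entry loaded as a dict) before automating user and connection permissions keyed on the login name.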