Posted to user@guacamole.apache.org by Teis Angel Clausen <ta...@jobindex.dk.INVALID> on 2020/02/17 12:10:52 UTC

LDAP in docker, no new users

Hey

When I add new users to the AD group I specified in my docker-compose file, they do not appear in the Guacamole user list.

Existing users can still authenticate and get access.

This worked fine in version 1.0.0, where I added the LDAP_USER_SEARCH_FILTER parameter to the start.sh file, from pull request GUACAMOLE-688<https://issues.apache.org/jira/browse/GUACAMOLE-688>.

I don't see any obvious errors in the logs.

These are my LDAP options:

LDAP_HOSTNAME: LDAP_SERVER
LDAP_USER_BASE_DN: "DC=job,DC=dk"
LDAP_USERNAME_ATTRIBUTE: sAMAccountName
LDAP_SEARCH_BIND_DN: "CN=sa_guaca,OU=Users,OU=Service Accounts,OU=Job.dk Users,DC=job,DC=dk"
LDAP_SEARCH_BIND_PASSWORD: SOME_PASSWORD

I tried both:

LDAP_USER_SEARCH_FILTER: "(memberOf=CN=guaca,OU=Job.dk Groups,DC=job,DC=dk)"

LDAP_USER_SEARCH_FILTER: "(&(objectClass=*)(memberOf=CN=guaca,OU=Job.dk Groups,DC=job,DC=dk))"

If anyone can help, I would greatly appreciate it.

Best regards
Teis
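Added example, not Guacamole code or the poster's configuration: a small evaluator for the RFC 4515 filter subset used in the two LDAP_USER_SEARCH_FILTER values above, run against constructed AD-style entries. It shows that both filters select exactly the same users, because (objectClass=*) is a presence test that every LDAP entry satisfies, so the difference between the two filters cannot explain the missing users.

```python
"""Evaluate the two LDAP_USER_SEARCH_FILTER values from the post against
constructed directory entries (added example; not Guacamole's code)."""

GUACA = "CN=guaca,OU=Job.dk Groups,DC=job,DC=dk"   # group from the post
OTHER = "CN=other,OU=Job.dk Groups,DC=job,DC=dk"   # constructed group


def _user(name, *groups):
    """Constructed AD-style user entry as the bind account would read it."""
    return {"sAMAccountName": [name], "objectClass": ["top", "person", "user"],
            "memberOf": list(groups)}


ENTRIES = [_user("alice", GUACA), _user("bob", OTHER), _user("carol", GUACA, OTHER)]


def parse(f, i=0):
    """Recursive-descent parser for (&...), (|...), (!...) and attr=value
    or attr=* items. Returns (ast, index just past the closing paren)."""
    assert f[i] == "(", "filter must start with '('"
    i += 1
    if f[i] in "&|!":
        op, items = f[i], []
        i += 1
        while f[i] == "(":
            node, i = parse(f, i)
            items.append(node)
        assert f[i] == ")", "unterminated compound filter"
        return (op, items), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)   # DN values contain '=' too
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Apply a parsed filter to one entry. Attribute names and DN values
    compare case-insensitively, as Active Directory does."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":                        # presence test
        return bool(vals)
    return value.lower() in (v.lower() for v in vals)


def select(filt, entries=ENTRIES):
    """Sorted sAMAccountNames of the entries a filter selects."""
    ast, end = parse(filt)
    assert end == len(filt), "trailing characters after filter"
    return sorted(e["sAMAccountName"][0] for e in entries if matches(ast, e))
```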


Re: LDAP in docker, no new users

Posted by Mike Jumper <mj...@apache.org>.
On Sun, Feb 23, 2020, 01:16 Teis Angel Clausen <ta...@jobindex.dk.invalid>
wrote:

> Thanks for the excellent answer, I really appreciate it.
> It makes way more sense that way.
>
> The only thing I don't get is why I was experiencing this "import"
> behavior in 1.0.0. But I will let it rest.
>

There is functionality which allows LDAP users to appear within the list,
regardless of whether they exist in the database. The intent of this is to
allow those users to be linked within the database more easily.

As long as the user you're using has sufficient permissions in your LDAP
directory (and admin permissions within Guacamole), you should see a user
list which combines users in this way.

See:

https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database

From the link above:

"... If an administrator account (such as the default guacadmin user
provided with the database authentication) has a corresponding user in the
LDAP directory with permission to read other LDAP users and groups, the
Guacamole administrative interface will include them in the lists presented
to the administrator, and will allow connections from the database to be
associated with those users or groups directly."

- Mike

Re: LDAP in docker, no new users

Posted by Teis Angel Clausen <ta...@jobindex.dk.INVALID>.
Thanks for the excellent answer, I really appreciate it.
It makes way more sense that way.

The only thing I don't get is why I was experiencing this "import" behavior in 1.0.0. But I will let it rest.

Best regards
Teis

Re: LDAP in docker, no new users

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Feb 17, 2020 at 8:04 AM Teis Angel Clausen <ta...@jobindex.dk.invalid>
wrote:

> I just noticed, if i add the users manually only by username, it also
> authenticates using LDAP.
> So could the user import, part be broken ?
>
>
There's no "import" functionality in Guacamole Client - it will attempt to
authenticate users from any of the modules you have enabled, in order of
loading, and it will read in the users if possible and depending on what
access it has to the underlying directory (in the case of LDAP).  But these
users are not automatically "imported" from the LDAP module into the JDBC
module.

The authentication system does "stack" modules such that if a user is
authenticated in one module (for example, LDAP), the permissions for that
user in the other module (for example, JDBC) should apply.  However, at
present, you still have to create either the users or groups in the JDBC
module that you want to match up from the LDAP module.  There were some
changes/improvements made to this in the 1.1.0 release in terms of matching
groups and user membership in groups - see the release notes for more
details.

In the future (hopefully the next release) we will have support for
auto-creating users in the JDBC module that are authenticated through other
modules, which will ease the administrative burden of having to manually
create users and/or groups.  But this is not finished, yet - the PR is
still being worked/reviewed.

-Nick

Re: LDAP in docker, no new users

Posted by Teis Angel Clausen <ta...@jobindex.dk.INVALID>.
I just noticed, if I add the users manually only by username, it also authenticates using LDAP.
So could the user import part be broken?
