Posted to user@guacamole.apache.org by Jim Rx <ji...@mail.com> on 2021/08/25 19:42:17 UTC

New Active Directory users not showing in user list

Hello,



I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to
match my situation.



I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection
properties and active directory (Server 2019) for authentication. We noticed
that some AD users were not listed in users (observed from guacadmin account).
We added a new user to AD and restarted the system to see if something would
shake loose. No joy.



/etc/guacamole.properties looks like this:

#######
guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: supersecretpassword

ldap-hostname: 10.x.x.10
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=mynet, DC=local
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
ldap-search-bind-password: supersecretpassword
ldap-user-search-filter: (sAMAccountType=805306368)
#######



right now, logback.xml is set to "info", and searching through the different
log files doesn't seem to show any LDAP errors. I've checked:

/var/log/syslog

/var/log/nginx/guac_access.log

/var/log/nginx/guac_error.log

/var/log/tomcat9/catalina.out



I cannot find any log entries in windows system event viewer that indicate an
issue on that side. And... *most* of the users are there, and can log in, and
can use the connections allocated to them (I imported the connection list
manually into SQL and then connected the dots in the web UI).



Any suggestions would be greatly appreciated.



Thanks



Jim





\--------------------------------------------------------------------- To
unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org For additional
commands, e-mail: user-help@guacamole.apache.org


Re: New Active Directory users not showing in user list

Posted by Jim Rx <ji...@mail.com>.

Craig,



I just looked at the guacamole_entity table and the user I'm logged in with is
not present in the table. However -- I also looked at the
guacamole_user_history table, and the user IS listed with a NULL in the
user_id field. So it appears that the user is not being inserted into SQL.



So now I'm trying to figure how to get privileges to the guacamole_user in
sql. I did the grant select,insert,update,delete on guacamole_db.* to
'guacamole_user'@'localhost' .. but no luck. guacamole_user doesn't exist in
any of the tables in guacamole_db. That user does exist in the sql database,
and shows no privileges.





Jim



**Sent:**  Wednesday, August 25, 2021 at 3:21 PM  
**From:**  "Craig Sawyer" <cs...@yumaed.org>  
**To:**  user@guacamole.apache.org  
**Subject:**  Re: New Active Directory users not showing in user list

Huh, If they are logged into Guacamole, then they by definition have  
a guac account, so I'm confused as to why they aren't showing up in  
the list. Perhaps someone else here will have some ideas.  
  
The only thing that comes to mind at the moment is maybe MySQL is  
being mean and not showing the new inserted record for some reason?  
That would be odd, but it is MySQL, it's not known for sane behaviour  
by default. Can you see the account record in the MySQL DB?  
  
On Wed, Aug 25, 2021 at 1:12 PM Jim Rx <ji...@mail.com> wrote:  
>  
> Yes - I'm doing this right now while a user who doesn't appear is logged in, and they are not present in the list.  
>  
> Sent: Wednesday, August 25, 2021 at 3:05 PM  
> From: "Craig Sawyer" <cs...@yumaed.org>  
> To: user@guacamole.apache.org  
> Subject: Re: New Active Directory users not showing in user list  
> Did you refresh the web UI? (shift+click the reload button) it's not 100% live.  
>  
> -Craig  
>  
> On Wed, Aug 25, 2021 at 1:04 PM Jim Rx <ji...@mail.com> wrote:  
> >  
> > Craig,  
> >  
> > Thanks for the clarification. After testing, they are able to log in... but... their name does not appear in users in the webui, so no connections can be assigned to their account.  
> >  
> > Thanks,  
> >  
> > Jim  
> >  
> >  
> > Sent: Wednesday, August 25, 2021 at 2:59 PM  
> > From: "Craig Sawyer" <cs...@yumaed.org>  
> > To: user@guacamole.apache.org  
> > Subject: Re: New Active Directory users not showing in user list  
> > They won't show up until after they login. LDAP requests from Guac are  
> > only triggered when an auth request happens. The corresponding guac  
> > account will then be created on the fly as it were. There is no  
> > "sync" between AD <-> Guac, except at login time.  
> >  
> > If they are unable to login, but everyone else can, then it's  
> > probably one of two things:  
> >  
> > 1) ldap-search-bind-dn: cn=SVC.GUACAMOLE doesn't have permissions to  
> > see the new users  
> > 2) ldap-user-search-filter: (sAMAccountType=805306368) the users are  
> > not matching against this filter.  
> >  
> > -Craig  
> >  


Re: New Active Directory users not showing in user list

Posted by Craig Sawyer <cs...@yumaed.org>.
Good call! I forgot about that option, I have it turned on and assumed.  My bad!

On Wed, Aug 25, 2021 at 1:36 PM Nick Couchman <vn...@apache.org> wrote:
>
> On Wed, Aug 25, 2021 at 4:22 PM Craig Sawyer <cs...@yumaed.org> wrote:
>>
>> Huh,  If they are logged into Guacamole, then they by definition have
>> a guac account, so I'm confused as to why they aren't showing up in
>> the list.  Perhaps someone else here will have some ideas.
>>
>
> There may be some confusion here as to what it means to "have a guac account." If you've enabled both the MySQL JDBC extension and the LDAP extensions, then users only need to exist in one of these two extensions in order to successfully authenticate. They do not have to be in both, and LDAP users do not have to have an entry in MySQL in order to successfully log in, nor does a successful login mean that the users will be automatically created - unless you enable this feature. See this manual page for more information:
>
> http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-auto-create
>
> Looking at the guacamole.properties output that was posted in the original question, I do not see the "mysql-auto-create-accounts" property anywhere, so Guacamole is not creating an entry for these users in the database.
>
> Also, it's important to understand that the default "guacadmin" account in the JDBC extensions will have *no visibility* into the LDAP tree to see possible users, unless you happen to have an LDAP user called "guacadmin" with the same password that is in the JDBC account. The LDAP extension leverages LDAP security for both the login and the retrieval of user and group information from LDAP. This tends to trip people up a bit, but it is a very deliberate design of the LDAP extension - it does not use the Search Bind DN for all or even most LDAP operations - it only uses the Search Bind DN to find the user who is trying to log in - once it locates that user, it unbinds and then re-binds as that user account and continues to retrieve other user accounts, LDAP groups, and/or connection information stored in LDAP. This means that, in order to see users, groups, and connections from LDAP, the user logging in to Guacamole needs to be an LDAP user, and needs to successfully bind to LDAP.
>
> -Nick



Re: New Active Directory users not showing in user list

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Aug 25, 2021 at 4:54 PM Jim Rx <ji...@mail.com> wrote:

> Nick,
>
> Thanks for that explanation. You may see from other messages in the thread
> that the user I was testing with was showing up in the
> guacamole_user_history table with a user_id of NULL.
>
> Without auto-create turned on, I'm confused as to how the accounts that do
> exist were created. I'm going to have to snapshot this VM and then adjust
> add the auto-create (after I read the reference you provided).
>

There are other events that will trigger a user creation in the database.
For example, if you log in with an LDAP account that also has Admin
privileges (which is a JDBC assignment), and then you assign a user
permissions to a connection stored in the JDBC module, that will trigger an
account creation for that user, and they will end up with an account in the
JDBC module. Same thing if you add a user to a JDBC group. The
mysql-auto-create-accounts property just makes sure that this happens as
soon as a user successfully authenticates to Guacamole.


>
> Along with that -- how do I verify that the guacamole_user has the proper
> privileges? I used the grant select,insert,update,delete sql command that
> many pages suggest... but those changes never stick, even after the flush
> privileges command.
>
>

This is a little unclear to me, and depends on what command you're using to
try to grant this access, what user is doing the granting, and what other
permissions that user already has. So, it may seem that these changes are
not "sticking" if the user you're granting these permissions to already has
a "GRANT ALL ON guacamoledb.*" permission, where the permissions have been
granted at a higher level in the DB hierarchy. If you're able to go in and
create users within the interface using the guacadmin user, and you're not
getting any errors, then your DB user probably already has the requisite
permissions to that table.

-Nick

Re: New Active Directory users not showing in user list

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Aug 26, 2021 at 8:01 AM Jim Rx <ji...@mail.com> wrote:

> Mike,
>
> Thank you for your detailed explanation. I believe all four conditions
> you've listed are true, and yet about 20 out of 150 users do not appear in
> the admin interface. We aren't having authentication issues. The users who
> don't appear in the webui can log in just fine. However, because they are
> not in the webui, I cannot assign connections to them, so when they log in
> they don't have anywhere to go. I will step through the conditions just to
> make sure I don't miss anything.
>
> 1) Guacadmin is in Active Directory as a standard user
>

When you log in to the WebUI with guacadmin, are you logging in with the AD
password or the JDBC password? If the password is the same in both places,
and JDBC is succeeding, first, it may not even be moving on to try to
connect to LDAP. So, if you're going to have guacadmin as an AD user, I'd
recommend you make sure the passwords are different and that you log in
with the AD password.


> 2) Guacadmin is an admin user in the webui
> 3) The ldap-user binding in guacamole.properties is a service account
> assigned as a domain administrator in AD
>

This is definitely not required, and, for obvious security reasons, I'd
recommend you not do this. All that account needs to be able to do is
locate the user who is trying to log in, so basically needs to be able to
search AD, read whatever attribute you're using to log in, and read user
DNs. Nothing else.

> 4) The LDAP base is the entire domain, with a filter matching only normal
> user accounts (based on sAMAccountType). I can tell this is working because
> we have user accounts in the webui that come from different AD OU.
>
>

-Nick
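
An added example, not part of any message in this thread and not Guacamole's own code: a Python check of the posted MySQL/LDAP properties against the points raised here, plus the `ldapsearch` command that repeats the user lookup while bound as the administrator's own LDAP account, which is the bind that decides which LDAP users are listed. The admin DN, the username `jdoe`, the password placeholders and the fallback values used when a property is unset are assumptions.

```python
import re
import shlex

# Constructed sample: the MySQL/LDAP properties posted in the thread, with
# wrapped lines joined and both passwords replaced by placeholders.
SAMPLE = """\
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: <placeholder>
ldap-hostname: 10.x.x.10
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=mynet, DC=local
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
ldap-search-bind-password: <placeholder>
ldap-user-search-filter: (sAMAccountType=805306368)
"""

PROP = re.compile(r"^([^\s:=#]+)\s*[:=]\s*(.*)$")        # key: value / key=value
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*\s*=\s*\S.*$")  # attributeType=value


def parse_properties(text):
    """Return {key: value}; comment lines and the ####### rulers are skipped."""
    props = {}
    for raw in text.splitlines():
        m = PROP.match(raw.strip())
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def bad_rdns(dn):
    """List DN components that are not attribute=value (split on unescaped commas)."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return [p for p in parts if not RDN.match(p)]


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a username cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(props, username):
    """AND the configured search filter with <username-attribute>=<username>.

    Assumption: models the rule stated in the thread (a user must match the
    search filter too); the fallbacks for unset properties are assumed defaults.
    """
    attr = props.get("ldap-username-attribute", "uid")
    base = props.get("ldap-user-search-filter", "(objectClass=*)")
    return "(&%s(%s=%s))" % (base, attr, escape_filter_value(username))


def lookup_command(props, admin_dn, username):
    """ldapsearch command repeating the lookup bound as the admin's own LDAP DN."""
    method = props.get("ldap-encryption-method", "none")
    scheme, port = ("ldaps", "636") if method == "ssl" else ("ldap", "389")
    uri = "%s://%s:%s" % (scheme, props["ldap-hostname"], props.get("ldap-port", port))
    argv = ["ldapsearch", "-x", "-H", uri, "-D", admin_dn, "-W",
            "-b", props["ldap-user-base-dn"], "-s", "sub"]
    if method == "starttls":
        argv.append("-ZZ")  # refuse to bind unless StartTLS succeeds
    return shlex.join(argv + [user_filter(props, username), "dn"])


def audit(props):
    """Return (code, message) findings for the settings discussed in the thread."""
    findings = []
    if props.get("ldap-encryption-method", "none") == "none":
        findings.append(("CLEARTEXT_BIND",
                         "search-bind and per-user bind passwords are sent unencrypted"))
    for key in ("ldap-user-base-dn", "ldap-search-bind-dn"):
        if key in props and bad_rdns(props[key]):
            findings.append(("BAD_DN", "%s has malformed component(s): %s"
                             % (key, ", ".join(bad_rdns(props[key])))))
    uses_mysql = any(k.startswith("mysql-") for k in props)
    if uses_mysql and props.get("mysql-auto-create-accounts", "false") != "true":
        findings.append(("NO_AUTO_CREATE",
                         "LDAP-only users get no MySQL account at login "
                         "(optional; it does not control who is listed)"))
    return findings


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE)
    for code, message in audit(cfg):
        print(code, "-", message)
    # Hypothetical admin DN and username; substitute the real ones.
    print(lookup_command(cfg, "cn=guacadmin,dc=example,dc=invalid", "jdoe"))
```

If the printed `ldapsearch` returns a user's DN when bound as the administrator's LDAP account, that user matches the base DN and filter and is readable by that account; if it returns nothing, the gap is in LDAP rather than in MySQL.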

Re: New Active Directory users not showing in user list

Posted by Jim Rx <ji...@mail.com>.
Mike,



Thank you for your detailed explanation. I believe all four conditions you've
listed are true, and yet about 20 out of 150 users do not appear in the admin
interface. We aren't having authentication issues. The users who don't appear
in the webui can log in just fine. However, because they are not in the webui,
I cannot assign connections to them, so when they log in they don't have
anywhere to go. I will step through the conditions just to make sure I don't
miss anything.



1) Guacadmin is in Active Directory as a standard user

2) Guacadmin is an admin user in the webui

3) The ldap-user binding in guacamole.properties is a service account assigned
as a domain administrator in AD

4) The LDAP base is the entire domain, with a filter matching only normal user
accounts (based on sAMAccountType). I can tell this is working because we have
user accounts in the webui that come from different AD OU.



One might think that the disconnect between guacadmin as a normal user in LDAP
and the SVC.GUACAMOLE account being a Domain Admin could cause issues... but
the majority of the LDAP users do appear in and are manipulated/managed by the
webui, specifically connection assignments.



Any other information or analysis you might provide would be most appreciated.
This system is in 'production', so I have limited ability to do more than view
the configurations during the day for the next week or so, until we cycle
down.



Thanks



Jim





Re: New Active Directory users not showing in user list

Posted by Mike Jumper <mi...@glyptodon.com>.
A user does not need to exist within the database to be able to log in, nor
will they be automatically added to the database upon login.

The entry you see in the database is _not_ the user being created, nor is
it the user being partially created. It's the system recording that a login
for a user occurred. There is no database permissions issue.

To be clear, *a user does not need to exist in the database* for the user
to be able to log in, nor do they need to exist in the database to be
listed in the admin screen:

* If a user can log in, that means that *at least one authentication
extension recognizes that user's credentials* and has validated their
identity. If you only have a database extension installed, then yes, this
means they exist in the database. If you have both LDAP and a database
extension installed, then this means they exist in LDAP *or* the database,
etc.

* If a user is listed in the admin interface, it means that *the current
user has permission to see that user according to at least one
authentication extension*. That user may exist in both LDAP and the
database, they may exist only in LDAP, or they may exist only in the
database.

* There is an option to automatically create database users, *but this is
not needed except when using an extension that requires storage for all
users* (the TOTP extension). You do not need to enable this option simply
to be able to see users, log in as those users, etc.

If you are expecting to see LDAP users within the admin interface, but
aren't, the way to troubleshoot that is *not* to execute queries against
the database (which truly has nothing to do with LDAP), but to check the
details of your user within LDAP.

To see an LDAP user within the admin interface, the following must be true:

1) You must log in with LDAP credentials, not database credentials. You
will not be able to see LDAP objects of any kind unless your credentials
are recognized by the LDAP server, as it's your access rights within LDAP
that dictate visibility of LDAP objects.

2) You must log in with LDAP credentials that match a user with admin
privileges in the database.

3) Your LDAP user must have permission within LDAP to retrieve the details
of the user in question.

4) The user in question must match the declared LDAP structure within
guacamole.properties. This means they must be beneath the declared user
base DN. If you specified an LDAP user search filter within
guacamole.properties, the user must match that, too.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.



Re: New Active Directory users not showing in user list

Posted by Jim Rx <ji...@mail.com>.
Nick,



Thanks for that explanation. You may see from other messages in the thread
that the user I was testing with was showing up in the guacamole_user_history
table with a user_id of NULL.



Without auto-create turned on, I'm confused as to how the accounts that do
exist were created. I'm going to have to snapshot this VM and then adjust add
the auto-create (after I read the reference you provided).



Along with that -- how do I verify that the guacamole_user has the proper
privileges? I used the grant select,insert,update,delete sql command that many
pages suggest... but those changes never stick, even after the flush
privileges command.



Thanks



Jim





**Sent:**  Wednesday, August 25, 2021 at 3:35 PM  
**From:**  "Nick Couchman" <vn...@apache.org>  
**To:**  user@guacamole.apache.org  
**Subject:**  Re: New Active Directory users not showing in user list

On Wed, Aug 25, 2021 at 4:22 PM Craig Sawyer
<[csawyer@yumaed.org](mailto:csawyer@yumaed.org)> wrote:

> Huh,  If they are logged into Guacamole, then they by definition have  
>  a guac account, so I'm confused as to why they aren't showing up in  
>  the list.  Perhaps someone else here will have some ideas.  
>  



There may be some confusion here as to what it means to "have a guac account."
If you've enabled both the MySQL JDBC extension and the LDAP extensions, then
users only need to exist in one of these two extensions in order to
successfully authenticate. They do not have to be in both, and LDAP users do
not have to have an entry in MySQL in order to successfully log in, nor does a
successful login mean that the users will be automatically created - unless
you enable this feature. See this manual page for more information:



<http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-auto-create>



Looking at the guacamole.properties output that was posted in the original
question, I do not see the "mysql-auto-create-accounts" property anywhere, so
Guacamole is not creating an entry for these users in the database.



Also, it's important to understand that the default "guacadmin" account in the
JDBC extensions will have *no visibility* into the LDAP tree to see possible
users, unless you happen to have an LDAP user called "guacadmin" with the same
password that is in the JDBC account. The LDAP extension leverages LDAP
security for both the login and the retrieval of user and group information
from LDAP. This tends to trip people up a bit, but it is a very deliberate
design of the LDAP extension - it does not use the Search Bind DN for all or
even most LDAP operations - it only uses the Search Bind DN to find the user
who is trying to log in - once it locates that user, it unbinds and then
re-binds as that user account and continues to retrieve other user accounts, LDAP
groups, and/or connection information stored in LDAP. This means that, in
order to see users, groups, and connections from LDAP, the user logging in to
Guacamole needs to be an LDAP user, and needs to successfully bind to LDAP.



-Nick

\--------------------------------------------------------------------- To
unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org For additional
commands, e-mail: user-help@guacamole.apache.org


Re: New Active Directory users not showing in user list

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Aug 25, 2021 at 4:22 PM Craig Sawyer <cs...@yumaed.org> wrote:

> Huh,  If they are logged into Guacamole, then they by definition have
> a guac account, so I'm confused as to why they aren't showing up in
> the list.  Perhaps someone else here will have some ideas.
>
>
There may be some confusion here as to what it means to "have a guac
account." If you've enabled both the MySQL JDBC extension and the LDAP
extensions, then users only need to exist in one of these two extensions in
order to successfully authenticate. They do not have to be in both, and
LDAP users do not have to have an entry in MySQL in order to successfully
log in, nor does a successful login mean that the users will be
automatically created - unless you enable this feature. See this manual
page for more information:

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-auto-create

Looking at the guacamole.properties output that was posted in the original
question, I do not see the "mysql-auto-create-accounts" property anywhere,
so Guacamole is not creating an entry for these users in the database.

Also, it's important to understand that the default "guacadmin" account in
the JDBC extensions will have *no visibility* into the LDAP tree to see
possible users, unless you happen to have an LDAP user called "guacadmin"
with the same password that is in the JDBC account. The LDAP extension
leverages LDAP security for both the login and the retrieval of user and
group information from LDAP. This tends to trip people up a bit, but it is
a very deliberate design of the LDAP extension - it does not use the Search
Bind DN for all or even most LDAP operations - it only uses the Search Bind
DN to find the user who is trying to log in - once it locates that user, it
unbinds and then re-binds as that user account and continues to retrieve
other user accounts, LDAP groups, and/or connection information stored in
LDAP. This means that, in order to see users, groups, and connections from
LDAP, the user logging in to Guacamole needs to be an LDAP user, and needs
to successfully bind to LDAP.

-Nick
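
An added example, not part of Nick's message or of the Guacamole project's code: a small Python check run over the guacamole.properties posted in the original question. It flags the missing mysql-auto-create-accounts property that the reply points out and, going slightly beyond the reply, an unencrypted ldap-encryption-method and any DN component that is not in attribute=value form; the function names are hypothetical.

```python
import re

# guacamole.properties as posted in the original question; the address and
# passwords are the poster's own placeholders.
POSTED_PROPERTIES = """\
#######
guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: supersecretpassword
ldap-hostname: 10.x.x.10
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=mynet, DC=local
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
ldap-search-bind-password: supersecretpassword
ldap-user-search-filter: (sAMAccountType=805306368)
#######
"""

DN_PROPERTIES = ("ldap-user-base-dn", "ldap-search-bind-dn")


def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def malformed_rdns(dn):
    """Return the DN components that are not of the form attribute=value."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return [p for p in parts
            if not re.fullmatch(r"[A-Za-z][A-Za-z0-9.-]*\s*=\s*.+", p)]


def audit(props):
    """Return (property, finding) pairs for the three checks below."""
    findings = []
    has_mysql = any(k.startswith("mysql-") for k in props)
    has_ldap = any(k.startswith("ldap-") for k in props)
    auto_create = props.get("mysql-auto-create-accounts", "false").lower()
    if has_mysql and has_ldap and auto_create != "true":
        findings.append(("mysql-auto-create-accounts",
                         "not enabled: users who log in through LDAP get no "
                         "entry in the database"))
    # Omitting the property means no encryption, same as "none".
    if has_ldap and props.get("ldap-encryption-method", "none").lower() == "none":
        findings.append(("ldap-encryption-method",
                         "none: the search bind and each user's own bind "
                         "cross the network unencrypted"))
    for key in DN_PROPERTIES:
        if key not in props:
            continue
        bad = malformed_rdns(props[key])
        if bad:
            findings.append((key, "component(s) without attribute=value: "
                                  + ", ".join(bad)))
    return findings


if __name__ == "__main__":
    for key, finding in audit(parse_properties(POSTED_PROPERTIES)):
        print(f"{key}: {finding}")
```
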

Re: New Active Directory users not showing in user list

Posted by Craig Sawyer <cs...@yumaed.org>.
Huh,  If they are logged into Guacamole, then they by definition have
a guac account, so I'm confused as to why they aren't showing up in
the list.  Perhaps someone else here will have some ideas.

The only thing that comes to mind at the moment is maybe MySQL is
being mean and not showing the new inserted record for some reason?
That would be odd, but it is MySQL, it's not known for sane behaviour
by default.  Can you see the account record in the MySQL DB?

On Wed, Aug 25, 2021 at 1:12 PM Jim Rx <ji...@mail.com> wrote:
>
> Yes - I'm doing this right now while a user who doesn't appear is logged in, and they are not present in the list.
>
> Sent: Wednesday, August 25, 2021 at 3:05 PM
> From: "Craig Sawyer" <cs...@yumaed.org>
> To: user@guacamole.apache.org
> Subject: Re: New Active Directory users not showing in user list
> Did you refresh the web UI? (shift+click the reload button) it's not 100% live.
>
> -Craig
>
> On Wed, Aug 25, 2021 at 1:04 PM Jim Rx <ji...@mail.com> wrote:
> >
> > Craig,
> >
> > Thanks for the clarification. After testing, they are able to log in... but... their name does not appear in users in the webui, so no connections can be assigned to their account.
> >
> > Thanks,
> >
> > Jim
> >
> >
> > Sent: Wednesday, August 25, 2021 at 2:59 PM
> > From: "Craig Sawyer" <cs...@yumaed.org>
> > To: user@guacamole.apache.org
> > Subject: Re: New Active Directory users not showing in user list
> > They won't show up until after they login. LDAP requests from Guac are
> > only triggered when an auth request happens. The corresponding guac
> > account will then be created on the fly as it were. There is no
> > "sync" between AD <-> Guac, except at login time.
> >
> > If they are unable to login, but everyone else can, then it's
> > probably one of two things:
> >
> > 1) ldap-search-bind-dn: cn=SVC.GUACAMOLE doesn't have permissions to
> > see the new users
> > 2) ldap-user-search-filter: (sAMAccountType=805306368) the users are
> > not matching against this filter.
> >
> > -Craig
> >
> > On Wed, Aug 25, 2021 at 12:42 PM Jim Rx <ji...@mail.com> wrote:
> > >
> > > Hello,
> > >
> > > I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to match my situation.
> > >
> > > I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection properties and active directory (Server 2019) for authentication. We noticed that some AD users were not listed in users (observed from guacadmin account). We added a new user to AD and restarted the system to see if something would shake loose. No joy.
> > >
> > > /etc/guacamole.properties looks like this:
> > > #######
> > > guacd-hostname: localhost
> > > guacd-port: 4822
> > > user-mapping: /etc/guacamole/user-mapping.xml
> > > auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
> > >
> > > mysql-hostname: localhost
> > > mysql-port: 3306
> > > mysql-database: guacamole_db
> > > mysql-username: guacamole_user
> > > mysql-password: supersecretpassword
> > >
> > > ldap-hostname: 10.x.x.10
> > > ldap-port: 389
> > > ldap-encryption-method: none
> > > ldap-user-base-dn: DC=mynet, DC=local
> > > ldap-username-attribute: sAMAccountName
> > > ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
> > > ldap-search-bind-password: supersecretpassword
> > > ldap-user-search-filter: (sAMAccountType=805306368)
> > > #######
> > >
> > > right now, logback.xml is set to "info", and searching through the different log files doesn't seem to show any LDAP errors. I've checked:
> > > /var/log/syslog
> > > /var/log/nginx/guac_access.log
> > > /var/log/nginx/guac_error.log
> > > /var/log/tomcat9/catalina.out
> > >
> > > I cannot find any log entries in windows system event viewer that indicate an issue on that side. And... *most* of the users are there, and can log in, and can use the connections allocated to them (I imported the connection list manually into SQL and then connected the dots in the web UI).
> > >
> > > Any suggestions would be greatly appreciated.
> > >
> > > Thanks
> > >
> > > Jim
> > >
> > >


Re: New Active Directory users not showing in user list

Posted by Jim Rx <ji...@mail.com>.
Yes - I'm doing this right now while a user who doesn't appear is logged in,
and they are not present in the list.



**Sent:**  Wednesday, August 25, 2021 at 3:05 PM  
**From:**  "Craig Sawyer" <cs...@yumaed.org>  
**To:**  user@guacamole.apache.org  
**Subject:**  Re: New Active Directory users not showing in user list

Did you refresh the web UI? (shift+click the reload button) it's not 100%
live.  
  
-Craig  
  
On Wed, Aug 25, 2021 at 1:04 PM Jim Rx <ji...@mail.com> wrote:  
>  
> Craig,  
>  
> Thanks for the clarification. After testing, they are able to log in... but... their name does not appear in users in the webui, so no connections can be assigned to their account.  
>  
> Thanks,  
>  
> Jim  
>  
>  
> Sent: Wednesday, August 25, 2021 at 2:59 PM  
> From: "Craig Sawyer" <cs...@yumaed.org>  
> To: user@guacamole.apache.org  
> Subject: Re: New Active Directory users not showing in user list  
> They won't show up until after they login. LDAP requests from Guac are  
> only triggered when an auth request happens. The corresponding guac  
> account will then be created on the fly as it were. There is no  
> "sync" between AD <-> Guac, except at login time.  
>  
> If they are unable to login, but everyone else can, then it's  
> probably one of two things:  
>  
> 1) ldap-search-bind-dn: cn=SVC.GUACAMOLE doesn't have permissions to  
> see the new users  
> 2) ldap-user-search-filter: (sAMAccountType=805306368) the users are  
> not matching against this filter.  
>  
> -Craig  
>  
> On Wed, Aug 25, 2021 at 12:42 PM Jim Rx <ji...@mail.com> wrote:  
> >  
> > Hello,  
> >  
> > I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to match my situation.  
> >  
> > I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection properties and active directory (Server 2019) for authentication. We noticed that some AD users were not listed in users (observed from guacadmin account). We added a new user to AD and restarted the system to see if something would shake loose. No joy.  
> >  
> > /etc/guacamole.properties looks like this:  
> > #######  
> > guacd-hostname: localhost  
> > guacd-port: 4822  
> > user-mapping: /etc/guacamole/user-mapping.xml  
> > auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider  
> >  
> > mysql-hostname: localhost  
> > mysql-port: 3306  
> > mysql-database: guacamole_db  
> > mysql-username: guacamole_user  
> > mysql-password: supersecretpassword  
> >  
> > ldap-hostname: 10.x.x.10  
> > ldap-port: 389  
> > ldap-encryption-method: none  
> > ldap-user-base-dn: DC=mynet, DC=local  
> > ldap-username-attribute: sAMAccountName  
> > ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local  
> > ldap-search-bind-password: supersecretpassword  
> > ldap-user-search-filter: (sAMAccountType=805306368)  
> > #######  
> >  
> > right now, logback.xml is set to "info", and searching through the different log files doesn't seem to show any LDAP errors. I've checked:  
> > /var/log/syslog  
> > /var/log/nginx/guac_access.log  
> > /var/log/nginx/guac_error.log  
> > /var/log/tomcat9/catalina.out  
> >  
> > I cannot find any log entries in windows system event viewer that indicate an issue on that side. And... *most* of the users are there, and can log in, and can use the connections allocated to them (I imported the connection list manually into SQL and then connected the dots in the web UI).  
> >  
> > Any suggestions would be greatly appreciated.  
> >  
> > Thanks  
> >  
> > Jim  
> >  
> >  


Re: New Active Directory users not showing in user list

Posted by Craig Sawyer <cs...@yumaed.org>.
Did you refresh the web UI? (shift+click the reload button) it's not 100% live.

-Craig

On Wed, Aug 25, 2021 at 1:04 PM Jim Rx <ji...@mail.com> wrote:
>
> Craig,
>
> Thanks for the clarification. After testing, they are able to log in... but... their name does not appear in users in the webui, so no connections can be assigned to their account.
>
> Thanks,
>
> Jim
>
>
> Sent: Wednesday, August 25, 2021 at 2:59 PM
> From: "Craig Sawyer" <cs...@yumaed.org>
> To: user@guacamole.apache.org
> Subject: Re: New Active Directory users not showing in user list
> They won't show up until after they login. LDAP requests from Guac are
> only triggered when an auth request happens. The corresponding guac
> account will then be created on the fly as it were. There is no
> "sync" between AD <-> Guac, except at login time.
>
> If they are unable to login, but everyone else can, then it's
> probably one of two things:
>
> 1) ldap-search-bind-dn: cn=SVC.GUACAMOLE doesn't have permissions to
> see the new users
> 2) ldap-user-search-filter: (sAMAccountType=805306368) the users are
> not matching against this filter.
>
> -Craig
>
> On Wed, Aug 25, 2021 at 12:42 PM Jim Rx <ji...@mail.com> wrote:
> >
> > Hello,
> >
> > I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to match my situation.
> >
> > I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection properties and active directory (Server 2019) for authentication. We noticed that some AD users were not listed in users (observed from guacadmin account). We added a new user to AD and restarted the system to see if something would shake loose. No joy.
> >
> > /etc/guacamole.properties looks like this:
> > #######
> > guacd-hostname: localhost
> > guacd-port: 4822
> > user-mapping: /etc/guacamole/user-mapping.xml
> > auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
> >
> > mysql-hostname: localhost
> > mysql-port: 3306
> > mysql-database: guacamole_db
> > mysql-username: guacamole_user
> > mysql-password: supersecretpassword
> >
> > ldap-hostname: 10.x.x.10
> > ldap-port: 389
> > ldap-encryption-method: none
> > ldap-user-base-dn: DC=mynet, DC=local
> > ldap-username-attribute: sAMAccountName
> > ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
> > ldap-search-bind-password: supersecretpassword
> > ldap-user-search-filter: (sAMAccountType=805306368)
> > #######
> >
> > right now, logback.xml is set to "info", and searching through the different log files doesn't seem to show any LDAP errors. I've checked:
> > /var/log/syslog
> > /var/log/nginx/guac_access.log
> > /var/log/nginx/guac_error.log
> > /var/log/tomcat9/catalina.out
> >
> > I cannot find any log entries in windows system event viewer that indicate an issue on that side. And... *most* of the users are there, and can log in, and can use the connections allocated to them (I imported the connection list manually into SQL and then connected the dots in the web UI).
> >
> > Any suggestions would be greatly appreciated.
> >
> > Thanks
> >
> > Jim
> >
> >


Re: New Active Directory users not showing in user list

Posted by Jim Rx <ji...@mail.com>.
Craig,



Thanks for the clarification. After testing, they are able to log in... but...
their name does not appear in users in the webui, so no connections can be
assigned to their account.



Thanks,



Jim





**Sent:**  Wednesday, August 25, 2021 at 2:59 PM  
**From:**  "Craig Sawyer" <cs...@yumaed.org>  
**To:**  user@guacamole.apache.org  
**Subject:**  Re: New Active Directory users not showing in user list

They won't show up until after they login. LDAP requests from Guac are  
only triggered when an auth request happens. The corresponding guac  
account will then be created on the fly as it were. There is no  
"sync" between AD <-> Guac, except at login time.  
  
If they are unable to login, but everyone else can, then it's  
probably one of two things:  
  
1) ldap-search-bind-dn: cn=SVC.GUACAMOLE doesn't have permissions to  
see the new users  
2) ldap-user-search-filter: (sAMAccountType=805306368) the users are  
not matching against this filter.  
  
-Craig  
  
On Wed, Aug 25, 2021 at 12:42 PM Jim Rx <ji...@mail.com> wrote:  
>  
> Hello,  
>  
> I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to match my situation.  
>  
> I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection properties and active directory (Server 2019) for authentication. We noticed that some AD users were not listed in users (observed from guacadmin account). We added a new user to AD and restarted the system to see if something would shake loose. No joy.  
>  
> /etc/guacamole.properties looks like this:  
> #######  
> guacd-hostname: localhost  
> guacd-port: 4822  
> user-mapping: /etc/guacamole/user-mapping.xml  
> auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider  
>  
> mysql-hostname: localhost  
> mysql-port: 3306  
> mysql-database: guacamole_db  
> mysql-username: guacamole_user  
> mysql-password: supersecretpassword  
>  
> ldap-hostname: 10.x.x.10  
> ldap-port: 389  
> ldap-encryption-method: none  
> ldap-user-base-dn: DC=mynet, DC=local  
> ldap-username-attribute: sAMAccountName  
> ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local  
> ldap-search-bind-password: supersecretpassword  
> ldap-user-search-filter: (sAMAccountType=805306368)  
> #######  
>  
> right now, logback.xml is set to "info", and searching through the different log files doesn't seem to show any LDAP errors. I've checked:  
> /var/log/syslog  
> /var/log/nginx/guac_access.log  
> /var/log/nginx/guac_error.log  
> /var/log/tomcat9/catalina.out  
>  
> I cannot find any log entries in windows system event viewer that indicate an issue on that side. And... *most* of the users are there, and can log in, and can use the connections allocated to them (I imported the connection list manually into SQL and then connected the dots in the web UI).  
>  
> Any suggestions would be greatly appreciated.  
>  
> Thanks  
>  
> Jim  
>  
>  


Re: New Active Directory users not showing in user list

Posted by Craig Sawyer <cs...@yumaed.org>.
They won't show up until after they login. LDAP requests from Guac are
only triggered when an auth request happens.  The corresponding guac
account will then be created on the fly as it were.  There is no
"sync" between AD <-> Guac, except at login time.

 If they are unable to login, but everyone else can, then it's
probably one of two things:

1) ldap-search-bind-dn: cn=SVC.GUACAMOLE doesn't have permissions to
see the new users
2) ldap-user-search-filter: (sAMAccountType=805306368) the users are
not matching against this filter.

-Craig

On Wed, Aug 25, 2021 at 12:42 PM Jim Rx <ji...@mail.com> wrote:
>
> Hello,
>
> I saw a thread on LDAP issues just a couple of days ago, but it didn't seem to match my situation.
>
> I built Guacamole 1.3.0 from source on a debian 10, using mysql for connection properties and active directory (Server 2019) for authentication. We noticed that some AD users were not listed in users (observed from guacadmin account). We added a new user to AD and restarted the system to see if something would shake loose. No joy.
>
> /etc/guacamole.properties looks like this:
> #######
> guacd-hostname: localhost
> guacd-port: 4822
> user-mapping: /etc/guacamole/user-mapping.xml
> auth-provider: net.sourcforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> mysql-hostname: localhost
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: guacamole_user
> mysql-password: supersecretpassword
>
> ldap-hostname: 10.x.x.10
> ldap-port: 389
> ldap-encryption-method: none
> ldap-user-base-dn: DC=mynet, DC=local
> ldap-username-attribute: sAMAccountName
> ldap-search-bind-dn: cn=SVC.GUACAMOLE, ou=Service Accounts, ou-Administration, dc=mynet, dc=local
> ldap-search-bind-password: supersecretpassword
> ldap-user-search-filter: (sAMAccountType=805306368)
> #######
>
> right now, logback.xml is set to "info", and searching through the different log files doesn't seem to show any LDAP errors. I've checked:
> /var/log/syslog
> /var/log/nginx/guac_access.log
> /var/log/nginx/guac_error.log
> /var/log/tomcat9/catalina.out
>
> I cannot find any log entries in windows system event viewer that indicate an issue on that side. And... *most* of the users are there, and can log in, and can use the connections allocated to them (I imported the connection list manually into SQL and then connected the dots in the web UI).
>
> Any suggestions would be greatly appreciated.
>
> Thanks
>
> Jim
>
>