Posted to user@guacamole.apache.org by Estevão Costa <es...@gmail.com> on 2022/04/07 21:45:57 UTC

Guacamole does not list users and groups from the active directory

Hi

We have a Guacamole instance deployed by Docker and we have run into this
problem:
- We set up the Active Directory using env vars, including
LDAP_SEARCH_BIND_DN and LDAP_SEARCH_BIND_PASSWORD, and we are able to log in
to Guacamole with AD users. However, we can't see the AD users and groups
in the Guacamole Admin Dashboard.

So we can't assign connections to users because the users don't appear in
the list.

In the log, we don't see anything. No messages about it.

Please, how can I solve it?

Thank you!

Estevão

Re: Guacamole does not list users and groups from the active directory

Posted by Estevão Costa <es...@gmail.com>.
Ok. Thank you. That worked for me.

Estevão


On Sat, Apr 9, 2022 at 15:50, Nick Couchman <vn...@apache.org>
wrote:

> On Thu, Apr 7, 2022 at 6:35 PM Estevão Costa <es...@gmail.com> wrote:
>
>> Perfect. We are using Postgres as the database. How can I set up that
>> configuration properly?
>>
>> I created an account with the same username and password as the AD
>> account in the Guacamole Admin panel, but it doesn't work either. Looks like
>> I'm doing something wrong.
>>
>>
> Don't create the user with the same password as your AD password - for two
> reasons. First, this will still bypass the LDAP module, as the JDBC module
> will most likely be evaluated first and will succeed. Second, the
> password will get out of sync anyway, assuming you're enforcing password
> rotation in AD, and there's no reason to try to keep them in sync. Just set
> a different/random password for the JDBC user, but make sure the username
> is the same, and you should be good.
>
> One other note - the username matching that Guacamole does is
> case-sensitive - so, if you create a user in the JDBC module called
> "John_Doe" but log in with your AD credentials using "john_doe", they are
> considered different users.
>
> -Nick
>
>>

Re: Guacamole does not list users and groups from the active directory

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Apr 7, 2022 at 6:35 PM Estevão Costa <es...@gmail.com> wrote:

> Perfect. We are using Postgres as the database. How can I set up that
> configuration properly?
>
> I created an account with the same username and password as the AD account
> in the Guacamole Admin panel, but it doesn't work either. Looks like I'm doing
> something wrong.
>
>
Don't create the user with the same password as your AD password - for two
reasons. First, this will still bypass the LDAP module, as the JDBC module
will most likely be evaluated first and will succeed. Second, the
password will get out of sync anyway, assuming you're enforcing password
rotation in AD, and there's no reason to try to keep them in sync. Just set
a different/random password for the JDBC user, but make sure the username
is the same, and you should be good.

One other note - the username matching that Guacamole does is
case-sensitive - so, if you create a user in the JDBC module called
"John_Doe" but log in with your AD credentials using "john_doe", they are
considered different users.

-Nick

>

Re: Guacamole does not list users and groups from the active directory

Posted by Estevão Costa <es...@gmail.com>.
Perfect. We are using Postgres as the database. How can I set up that
configuration properly?

I created an account with the same username and password as the AD account
in the Guacamole Admin panel, but it doesn't work either. Looks like I'm doing
something wrong.

Thanks a lot!
Estevão


On Thu, Apr 7, 2022 at 18:55, Nick Couchman <vn...@apache.org>
wrote:

> On Thu, Apr 7, 2022 at 5:46 PM Estevão Costa <es...@gmail.com> wrote:
>
>> Hi
>>
>> We have a Guacamole instance deployed by Docker and we have run into this
>> problem:
>> - We set up the Active Directory using env vars, including
>> LDAP_SEARCH_BIND_DN and LDAP_SEARCH_BIND_PASSWORD, and we are able to log in
>> to Guacamole with AD users. However, we can't see the AD users and groups
>> in the Guacamole Admin Dashboard.
>>
>> So we can't assign connections to users because the users don't appear in
>> the list.
>>
>> In the log, we don't see anything. No messages about it.
>>
>> Please, how can I solve it?
>>
>>
> You need to log in as an LDAP (Active Directory) user to see the users in
> LDAP/AD. This is because, except for the initial search for the user who is
> logging in, access to LDAP/AD is done by the user who is logging in.
>
> Practically speaking, this means that if you're using the JDBC module to
> store connections, you'll need to either manually create a JDBC account for
> one of your LDAP/AD users that you want to be an admin, or you'll need to
> enable the DB auto-creation setting so that LDAP/AD users are automatically
> added to the database upon successful login.
>
> -Nick
>
>>

Re: Guacamole does not list users and groups from the active directory

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Apr 7, 2022 at 5:46 PM Estevão Costa <es...@gmail.com> wrote:

> Hi
>
> We have a Guacamole instance deployed by Docker and we have run into this
> problem:
> - We set up the Active Directory using env vars, including
> LDAP_SEARCH_BIND_DN and LDAP_SEARCH_BIND_PASSWORD, and we are able to log in
> to Guacamole with AD users. However, we can't see the AD users and groups
> in the Guacamole Admin Dashboard.
>
> So we can't assign connections to users because the users don't appear in
> the list.
>
> In the log, we don't see anything. No messages about it.
>
> Please, how can I solve it?
>
>
You need to log in as an LDAP (Active Directory) user to see the users in
LDAP/AD. This is because, except for the initial search for the user who is
logging in, access to LDAP/AD is done by the user who is logging in.

Practically speaking, this means that if you're using the JDBC module to
store connections, you'll need to either manually create a JDBC account for
one of your LDAP/AD users that you want to be an admin, or you'll need to
enable the DB auto-creation setting so that LDAP/AD users are automatically
added to the database upon successful login.

-Nick

>
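A small helper, added here as an example and not part of this thread or of Guacamole itself, that applies Nick's two points from the replies above: it flags JDBC entity names that differ from AD usernames only in letter case (which Guacamole treats as different users), and emits PostgreSQL statements that create the missing JDBC accounts with a random, discarded password so that LDAP/AD remains the authenticating module. It assumes Guacamole's PostgreSQL schema (guacamole_entity / guacamole_user) and its documented password hashing (SHA-256 over the password concatenated with the uppercase hex salt); the usernames are constructed sample data.

```python
import hashlib
import secrets

# Constructed sample data (not from the thread): sAMAccountNames as they would
# be read from AD, and the names already present in guacamole_entity in Postgres.
AD_USERS = ["john_doe", "Jane.Smith", "ops_admin"]
JDBC_ENTITY_NAMES = ["guacadmin", "John_Doe", "ops_admin"]


def guacamole_password_hash(password: str, salt: bytes) -> bytes:
    """Guacamole's documented JDBC scheme (assumed here): SHA-256 over the
    password concatenated with the uppercase hex form of the 32-byte salt."""
    return hashlib.sha256((password + salt.hex().upper()).encode("utf-8")).digest()


def case_mismatches(ad_users, jdbc_names):
    """Pairs (jdbc_name, ad_name) that differ only in letter case. Guacamole
    compares usernames case-sensitively, so each pair is two different users
    and the AD login never inherits the JDBC account's permissions."""
    by_lower = {n.lower(): n for n in jdbc_names}
    return [(by_lower[u.lower()], u) for u in ad_users
            if u.lower() in by_lower and by_lower[u.lower()] != u]


def missing_jdbc_users(ad_users, jdbc_names):
    """AD users that have no exactly matching JDBC entity yet."""
    existing = set(jdbc_names)
    return [u for u in ad_users if u not in existing]


def insert_sql(username: str, salt=None, password=None) -> str:
    """PostgreSQL statements creating a JDBC user whose name matches the AD
    account exactly. The password is random and intentionally discarded: the
    account only carries permissions, LDAP/AD does the authentication.
    Table and column names assume Guacamole's PostgreSQL schema."""
    salt = salt if salt is not None else secrets.token_bytes(32)
    password = password if password is not None else secrets.token_urlsafe(32)
    digest = guacamole_password_hash(password, salt)
    name = username.replace("'", "''")  # escape for a SQL string literal
    return (
        f"INSERT INTO guacamole_entity (name, type) VALUES ('{name}', 'USER');\n"
        "INSERT INTO guacamole_user (entity_id, password_hash, password_salt, "
        "password_date)\n"
        f"SELECT entity_id, decode('{digest.hex()}', 'hex'), "
        f"decode('{salt.hex()}', 'hex'), CURRENT_TIMESTAMP\n"
        f"FROM guacamole_entity WHERE name = '{name}' AND type = 'USER';"
    )


if __name__ == "__main__":
    for jdbc_name, ad_name in case_mismatches(AD_USERS, JDBC_ENTITY_NAMES):
        print(f"case mismatch: JDBC '{jdbc_name}' vs AD '{ad_name}'")
    for user in missing_jdbc_users(AD_USERS, JDBC_ENTITY_NAMES):
        print(insert_sql(user))
```

The inserted account carries no permissions until you grant them in the Guacamole admin UI; that grant is what makes the matching AD login an administrator.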