Posted to user@guacamole.apache.org by Kevin Cameron <ke...@gmail.com> on 2022/07/08 16:47:16 UTC

Issues with LDAP groups and users not populating

I have 6 different instances of Guacamole set up connected to MS Active
Directory with a Postgres background DB.

They all have a similar guacamole.properties and when I verify my group and
user search filter strings with ldapsearch I get consistent and expected
results.

Problem:
  In the catalina.out I can see LDAP search results showing the users and
AD groups that are expected but they sometimes update in Guacamole,
sometimes not.  If I sign into Guacamole with an AD user the user can
authenticate and the user does show up in the Guacamole GUI BUT at the top
of the page they don't have the tabs that reflect that they are LDAP /
Postgres users.

At the same time the AD groups don't populate the groups list.

postgresql-auto-create-accounts is set to true.

Sometimes if I manually create a random user then all of a sudden the lists
populate on the next user login but not always.  And then any future
updates do not show.  Restarting the application does not seem to make a
difference.

Instance 1
[image: image.png]
vs

Instance2:
[image: image.png]

My logback is set up to debug so I get a lot of log activity but is there
something I can add to the logback to focus on the LDAP process?

I have spent a lot of time on this and could use help.  I really need the
AD groups to import correctly so that we can tie connections to them.
Thanks,
Kevin

Re: Issues with LDAP groups and users not populating

Posted by Kevin Cameron <ke...@gmail.com>.
I know this is an old post but given the amount of time I put into this I
thought I would post a follow-up.

  So I was having a crazy amount of issues with users not populating
consistently or not working from LDAP.  What I finally figured out is it
was related to the Primary AD group that the users were part of.  In our
use case the accounts used by Guac users were not part of the "Domain
Users" group so we had the primary group the same as the AD group tied to
Guacamole.  Because of the way that the LDAP details are returned, a user's
primary AD group does not appear in the "MembersOf" list.

After finally figuring this out we had to have a unique AD group to use as
the primary AD group and then when we assigned a user to their sub group
which was tied to Guacamole they populated right away!

Kevin
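
Added example (editorial, not part of the original thread and not Guacamole's
own code): Active Directory stores a user's primary group as a RID in
primaryGroupID rather than in the group's member list, so a lookup on the
member attribute (ldap-member-attribute: member in the configuration posted in
this thread) never sees it. The sketch below models that on constructed
directory data; every DN, RID and group name in it is hypothetical.

```python
import copy

# Constructed sample data; DNs, RIDs and group names are hypothetical.
OPS = "CN=guac-ops,OU=Groups,DC=example,DC=test"
BASE = "CN=guac-base,OU=Groups,DC=example,DC=test"
ALICE = "CN=alice,OU=Users,DC=example,DC=test"
BOB = "CN=bob,OU=Users,DC=example,DC=test"
GROUPS = {
    OPS: {"primaryGroupToken": 1601, "member": [BOB]},
    BASE: {"primaryGroupToken": 1602, "member": []},
}
USERS = {
    ALICE: {"sAMAccountName": "alice", "primaryGroupID": 1601},
    BOB: {"sAMAccountName": "bob", "primaryGroupID": 1602},
}

def groups_via_member(user_dn, groups):
    """Groups a lookup on the 'member' attribute returns for this user."""
    return sorted(dn for dn, g in groups.items() if user_dn in g["member"])

def primary_group_dn(user, groups):
    """Resolve primaryGroupID (a RID) to the group with that primaryGroupToken."""
    for dn, g in groups.items():
        if g["primaryGroupToken"] == user["primaryGroupID"]:
            return dn
    return None

def audit(users, groups, mapped):
    """Users whose only link to a Guacamole-mapped group is primaryGroupID."""
    hidden = {}
    for dn, user in users.items():
        primary = primary_group_dn(user, groups)
        if primary in mapped and primary not in groups_via_member(dn, groups):
            hidden[user["sAMAccountName"]] = primary
    return hidden

def apply_fix(users, groups, user_dn, dedicated_dn):
    """Model the thread's fix on copies: dedicated primary group plus an
    explicit 'member' entry in the group that was primary before."""
    users, groups = copy.deepcopy(users), copy.deepcopy(groups)
    old = primary_group_dn(users[user_dn], groups)
    users[user_dn]["primaryGroupID"] = groups[dedicated_dn]["primaryGroupToken"]
    if old and user_dn not in groups[old]["member"]:
        groups[old]["member"].append(user_dn)
    return users, groups

if __name__ == "__main__":
    print("before:", audit(USERS, GROUPS, {OPS}))
    fixed_users, fixed_groups = apply_fix(USERS, GROUPS, ALICE, BASE)
    print("after: ", audit(fixed_users, fixed_groups, {OPS}))
```

Against a real directory, the same comparison needs the primaryGroupID of each user and the primaryGroupToken of each group returned by the search.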

On Fri, Jul 8, 2022 at 1:25 PM David Haukeness <da...@hauken.us> wrote:

> For reference, here is my sanitized AD LDAP config. Do you notice any
> obvious differences from yours? I’m running 1.4.0 on Ubuntu LTS 20.04.3
>
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> ### LDAP properties
> ldap-hostname:           contoso.com
> ldap-port:               636
> ldap-encryption-method:  ssl
> ldap-user-base-dn:       OU=Users,DC=contoso,DC=com
> ldap-username-attribute: sAMAccountName
> ldap-search-bind-dn:     CN=LDAP Query User,OU=Service Accounts,DC=contoso,DC=com
> ldap-search-bind-password: correcthorsebatterystaple
> ldap-group-base-dn: OU=Guacamole Groups,DC=contoso,DC=com
> ldap-follow-referrals: true
> ldap-dereference-aliases: always
>
> # Postgres
> postgresql-hostname: localhost
> postgresql-port: 5432
> postgresql-database: guacamole_db
> postgresql-username: guacamole_user
> postgresql-password: correcthorsebatterystaple
> postgresql-auto-create-accounts: true
>
>
> David Haukeness
> Sent from my iPhone

Re: Issues with LDAP groups and users not populating

Posted by Kevin Cameron <ke...@gmail.com>.
Thanks David,
  The only obvious thing was that I do not have the alias option defined. I
tried adding it and restarting Guacamole but still the same thing.

Here are my settings:

#LDAP settings:
ldap-hostname:             myADserver.mydomain.io
ldap-port:                 636
ldap-encryption-method:    ssl
ldap-search-bind-dn:       CN=bind_user,OU=Infrastructure,OU=ServiceAccounts,OU=UAG,DC=mydomain,dc=io
ldap-search-bind-password: mypassword
ldap-user-base-dn:         OU=UAG,dc=mydomain,dc=io
ldap-user-search-filter:   (&(objectClass=person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=my_user_group,OU=Resource,OU=SecurityGroups,OU=UAG,DC=mydomain,DC=io)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
ldap-group-base-dn:        OU=Customer,OU=User,OU=SecurityGroups,OU=UAG,DC=mydomain,DC=io
ldap-group-name-attribute: cn
ldap-group-search-filter:  (&(objectClass=group)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=my_user_group,OU=Resource,OU=SecurityGroups,OU=UAG,DC=mydomain,DC=io))
ldap-username-attribute:   sAMAccountName
ldap-member-attribute:     member
ldap-max-search-results:   3000
ldap-follow-referrals:     true

# PostgreSQL properties
postgresql-hostname:             localhost
postgresql-port:                 5432
postgresql-database:             guacamole_db
postgresql-username:             guacamole_user
postgresql-password:             my_password
postgresql-auto-create-accounts: true


Re: Issues with LDAP groups and users not populating

Posted by David Haukeness <da...@hauken.us>.
For reference, here is my sanitized AD LDAP config. Do you notice any obvious differences from yours? I’m running 1.4.0 on Ubuntu LTS 20.04.3

auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

### LDAP properties
ldap-hostname:           contoso.com
ldap-port:               636
ldap-encryption-method:  ssl
ldap-user-base-dn:       OU=Users,DC=contoso,DC=com
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn:     CN=LDAP Query User,OU=Service Accounts,DC=contoso,DC=com
ldap-search-bind-password: correcthorsebatterystaple
ldap-group-base-dn: OU=Guacamole Groups,DC=contoso,DC=com
ldap-follow-referrals: true
ldap-dereference-aliases: always

# Postgres
postgresql-hostname: localhost
postgresql-port: 5432
postgresql-database: guacamole_db
postgresql-username: guacamole_user
postgresql-password: correcthorsebatterystaple
postgresql-auto-create-accounts: true


David Haukeness
Sent from my iPhone

> On Jul 8, 2022, at 10:47 AM, Kevin Cameron <ke...@gmail.com> wrote:
> 
> 
> I have 6 different instances of Guacamole setup connected to MS Active Directory with a Postgres background DB.
> 
> They all have a similar guacamole.properties and when I verify my group and user search filter strings with ldapsearch I get consistent and expected results.
> 
> Problem:
>   In the catalina.out I can see LDAP search results showing the users and AD groups that are expected but they sometimes update in Guacamole, sometimes not.  If I sign into guacamole with an AD user the user can authenticate and the user does show up in the Guacamole Gui BUT at the top of the page they don't have the tabs that reflect that they are LDAP / Postgres users. 
> 
> At the same time the AD groups don't populate the groups list.
> 
> postgresql-auto-create-accounts is set to true.
> 
> Sometimes if I manually create a random user then all of a sudden the lists populate on the next user login but not always.  And then any future updates do not show.  Restarting the application does not seem to make a difference.
> 
> Instance 1