Posted to user@guacamole.apache.org by Chris Lee <ch...@centurycity.com.hk> on 2020/04/24 02:47:53 UTC

LDAP Users Setting

Hi All,

If I log on to the system as guacadmin, the Users settings only show users from the database.


However, if I create a normal guacamole user with "Create new users" permission:


it automatically shows LDAP users (Windows AD).


Questions:

  *   Why can't the admin user (guacadmin) show LDAP users?

  *   Why does the Username column show the Full Name instead of the Windows logon ID?

Did I set the following parameter wrong?

ldap-username-attribute: sAMAccountName

Regards,
Chris


Re: LDAP Users Setting

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Apr 23, 2020 at 10:48 PM Chris Lee <ch...@centurycity.com.hk>
wrote:

> Hi All,
>
> If I log on to the system as *guacadmin*, the Users settings only show
> users from the database.
>

Yes, this is as intended - see further response below.


>
> However, if I create a normal guacamole user with “Create new users”
> permission:
>
> it automatically shows LDAP users (Windows AD).
>
> *Questions:*
>
>    - Why can't the admin user (guacadmin) show LDAP users?
>
Because, most likely, the guacadmin user cannot log in to LDAP.  The LDAP
extension only uses the Search DN/Password (from guacamole.properties) to
find the user who is logging in.  After the user is located, it closes the
session and re-binds as the user who is logging in in order to find
connections, users, and groups.  This is completely by design, as it allows
Guacamole to leverage the underlying security inherent within LDAP rather
than having to write an entire security layer on top of the LDAP
connection.  So, the user who logs in can only see the items that their
LDAP account has access to within the LDAP tree.  Thus, if the guacadmin
user does not exist in the LDAP tree, or cannot log in to the LDAP server,
it won't be able to see anything within the LDAP tree.


>
>    - Why does the Username column show the *Full Name* instead of the
>      *Windows logon ID*?
>
> Did I set the following parameter wrong?
>
> ldap-username-attribute: sAMAccountName
>

That depends on what your sAMAccountName fields contain, but that is the
configuration I use in my AD environment and it works as expected.  After
modifying this configuration did you restart the Tomcat process or
container?  Usually a full name would be the "cn" attribute, but you should
check and make sure that you don't have that option specified twice in
guacamole.properties with another value, and you should query your LDAP
tree and verify what the sAMAccountName field contains.  And restart tomcat.

-Nick
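As an added example (not from this thread or from the Guacamole project), a small Python check for the duplicated-option problem Nick raises: java.util.Properties keeps the last definition of a repeated key, so a leftover `ldap-username-attribute=cn` line only loses to the sAMAccountName line if it comes first in the file. The sample guacamole.properties content, hostnames and DNs are constructed; the parser follows the Java properties rules for comments, separators and backslash continuations.

```python
import re

# Constructed sample guacamole.properties: 'cn' set first, sAMAccountName later.
SAMPLE_PROPERTIES = """\
# Guacamole LDAP settings (constructed example)
ldap-hostname: dc01.example.internal
ldap-user-base-dn: OU=Staff,DC=example,DC=internal
ldap-username-attribute=cn
ldap-search-bind-dn: CN=guacsvc,OU=Service,DC=example,DC=internal
ldap-search-bind-password: not-a-real-password
# added while troubleshooting; the earlier line was never removed
ldap-username-attribute: sAMAccountName
"""

# key, then an '=' / ':' / whitespace separator, then the rest as the value
_KV = re.compile(r"^\s*([^\s:=#!][^\s:=]*)\s*[:=\s]\s*(.*)$")

def parse_properties(text):
    """Return (key, value, first_line_no) tuples in file order, honouring
    '#'/'!' comments and backslash line continuations like Java does."""
    entries, pending = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        if pending is None:
            start, line = no, raw
        else:  # continuation: Java strips the next line's leading blanks
            start, line = pending[0], pending[1] + raw.lstrip()
        if line.endswith("\\"):
            pending = (start, line[:-1])
            continue
        pending = None
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = _KV.match(line)
        entries.append((m.group(1), m.group(2).strip(), start) if m
                       else (stripped, "", start))
    return entries

def effective_settings(entries):
    """Mimic java.util.Properties: the LAST definition of a key wins."""
    return {k: v for k, v, _ in entries}

def find_duplicates(entries):
    """Map each key defined more than once to its [(value, line_no), ...]."""
    seen = {}
    for key, value, no in entries:
        seen.setdefault(key, []).append((value, no))
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Run `find_duplicates(parse_properties(open("/etc/guacamole/guacamole.properties").read()))` against a real file; for the sample it reports `ldap-username-attribute` defined on lines 4 and 8, with sAMAccountName as the effective value.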