Posted to user@guacamole.apache.org by Kevin Cameron <ke...@gmail.com> on 2022/05/24 13:32:28 UTC

Issue with LDAP users not being dynamic

I have Guacamole 1.4 connected to Windows AD and I was able to create
a user and group filter so that if I create a new AD nested group with
users it will add the users from that nested group in the initial read but
then any changes to the membership (additions or removals) are not
reflected in Guacamole no matter how many times I log in or restart Guac.

Any suggestions on what might cause this?

#LDAP settings:
ldap-hostname:             my_server
ldap-port:                 636
ldap-search-bind-dn:       CN=bind_user,OU=Dev,OU=ServiceAccounts,OU=UAG,DC=my_domain,dc=io
ldap-search-bind-password: <<password>>
ldap-user-base-dn:         OU=Users,OU=UAG,dc=my_domain,dc=io
ldap-user-search-filter:   (memberOf:1.2.840.113556.1.4.1941:=CN=Guac_users,OU=testing,OU=Resource,OU=SecurityGroups,OU=UAG,DC=my_domain,DC=io)
ldap-group-base-dn:        OU=testing,OU=Resource,OU=SecurityGroups,OU=UAG,DC=my_domain,DC=io
ldap-group-name-attribute: cn
ldap-encryption-method:    ssl
ldap-username-attribute:   sAMAccountName
ldap-member-attribute:     member
ldap-max-search-results:   3000
ldap-follow-referrals:     true

Thanks in advance
Kevin

Re: Issue with LDAP users not being dynamic

Posted by Michael Jumper <mj...@apache.org>.
On Tue, May 24, 2022, 06:32 Kevin Cameron <ke...@gmail.com> wrote:

> I have Guacamole 1.4 connected to Windows AD and I was able to create
> a user and group filter so that if I create a new AD nested group with
> users it will add the users from that nested group in the initial read but
> then any changes to the membership (additions or removals) are not
> reflected in Guacamole no matter how many times I log in or restart Guac.
>
> Any suggestions on what might cause this?
>

The LDAP support does not perform recursive membership queries to determine
which LDAP groups apply to a user.

The user filter may be used to reduce the user accounts available based on
AD's recursive matching operator, but the operator used inside the LDAP
support to determine group membership is just a standard attribute equality
check and is not recursive.

- Mike
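As an added illustration of the distinction Mike draws (example code written for this page, not code from the thread or from Guacamole), the following models a small in-memory directory and compares the recursive matching rule used in the posted user filter with a plain `member=` equality check. The group and user DNs below are constructed; only the OU structure mirrors the original post.

```python
# Added example: recursive (LDAP_MATCHING_RULE_IN_CHAIN) membership versus
# plain attribute-equality membership, against a constructed directory.
from typing import Dict, List, Set

# Constructed DNs; the OU layout follows the post, the group contents are made up.
GUAC_USERS = "CN=Guac_users,OU=testing,OU=Resource,OU=SecurityGroups,OU=UAG,DC=my_domain,DC=io"
NESTED_TEAM = "CN=Nested_team,OU=testing,OU=Resource,OU=SecurityGroups,OU=UAG,DC=my_domain,DC=io"
ALICE = "CN=alice,OU=Users,OU=UAG,DC=my_domain,DC=io"
BOB = "CN=bob,OU=Users,OU=UAG,DC=my_domain,DC=io"

# Constructed directory: group DN -> values of its "member" attribute.
DIRECTORY: Dict[str, List[str]] = {
    GUAC_USERS: [ALICE, NESTED_TEAM],  # bob is only reachable via Nested_team
    NESTED_TEAM: [BOB],
}


def direct_groups(dn: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Plain equality on the member attribute, i.e. the filter (member=<dn>).
    This is the non-recursive check the reply describes for group lookup."""
    return {group for group, members in directory.items() if dn in members}


def recursive_groups(dn: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Groups matched by the AD chain rule 1.2.840.113556.1.4.1941: follow the
    member chain upward until no new groups appear (the visited set guards
    against group cycles)."""
    found: Set[str] = set()
    frontier = {dn}
    while frontier:
        current = frontier.pop()
        for group in direct_groups(current, directory):
            if group not in found:
                found.add(group)
                frontier.add(group)
    return found


def membership_view(dn: str, directory: Dict[str, List[str]], group_dn: str) -> Dict[str, bool]:
    """Compare the two checks for one user against one group."""
    return {
        # Models ldap-user-search-filter: (memberOf:1.2.840.113556.1.4.1941:=<group_dn>)
        "passes_user_filter": group_dn in recursive_groups(dn, directory),
        # Models the equality-based group lookup: (member=<dn>) on the group
        "direct_member_of_group": group_dn in direct_groups(dn, directory),
    }


if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user.split(",")[0], membership_view(user, DIRECTORY, GUAC_USERS))
```

A user in the nested group passes the recursive user filter yet is not a direct member of Guac_users, so a check based on equality alone never associates that user with the parent group.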