Just wanted to reach out again to see if anyone had any thoughts on what I 
could try to get this working.

Kevin

From: Kevin Leigeb <[email protected]>
Sent: Monday, September 13, 2021 3:42 PM
To: [email protected]
Subject: Dockerized Guac LDAP Config

Hey All -

I've been having a really rough go lately getting the LDAP configuration to 
work with Guacamole running in docker compose. I'm able to get users to 
successfully authenticate, but the group stuff and the connection between 
LDAP/Postgres seems to be the biggest sticking point for me.

Perhaps I'm going about this the wrong way, but I've been attempting to set up 
LDAP to use some RBAC groups in our AD using the LDAP_USER_SEARCH_FILTER set to 
the following:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--all,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--admins,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)))

The idea here is to just get this working with two groups: admins and 
non-admins for the time being.

The user page populates with the members of these groups as expected, but the 
group page is a different story. Ideally I'd like the two groups above to be 
the only ones pulled from AD, but without an LDAP_GROUP_SEARCH_FILTER setting 
I'm having a hard time accomplishing this. If I set the group base DN to the OU 
of the two groups shown above, I see those groups but none of the members of 
the groups are the actual members pulled from AD as expected. Regardless of 
nested membership or direct membership in that group, the membership appears 
empty and the only options to add users are those manually created in the UI 
(so they also exist in the postgres DB).

Am I misunderstanding how the LDAP/postgres connection is supposed to work? 
Should I approach this from a different angle?

Thanks for any help you can provide in guiding me towards a solution, and let 
me know if there's any additional information I can provide that would be 
helpful.

Kevin
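A small helper, added here as an example and not part of Kevin's message or the Guacamole project, that builds the LDAP_USER_SEARCH_FILTER quoted above from a list of group DNs, applying RFC 4515 escaping to each DN so a CN containing parentheses, asterisks or backslashes is matched literally rather than changing the filter's structure, and reads the DNs back out for review. The two group DNs and the two matching-rule OIDs are taken from the message; the function names are assumptions.

```python
import re

# AD extensible-match rule OIDs used in the filter from the message
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # bitwise AND on an integer attribute
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive (nested) group membership
UF_ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled accounts


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Characters that have structural meaning in a filter are replaced by
    their \\XX hex form, so the value cannot open or close a clause."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_user_search_filter(group_dns, exclude_disabled=True):
    """Build a user filter: enabled person/user objects that are (nested) members
    of any of the given groups. Produces exactly the message's filter for its two DNs."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    if exclude_disabled:
        clauses.append(
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE}))"
        )
    member = [
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(dn)})"
        for dn in group_dns
    ]
    # A single group needs no OR wrapper; several are OR'ed together
    clauses.append(member[0] if len(member) == 1 else "(|" + "".join(member) + ")")
    return "(&" + "".join(clauses) + ")"


def group_dns_in_filter(ldap_filter: str):
    """Return the (still-escaped) group DNs referenced by a filter built as above,
    so a long filter line can be reviewed group by group."""
    pattern = r"\(memberOf:" + re.escape(LDAP_MATCHING_RULE_IN_CHAIN) + r":=([^)]+)\)"
    return re.findall(pattern, ldap_filter)
```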

