On Mon, Sep 13, 2021 at 4:42 PM Kevin Leigeb <[email protected]> wrote:
> Hey All –
>
> I’ve been having a really rough go lately getting the LDAP configuration to work with Guacamole running in docker compose. I’m able to get users to successfully authenticate, but the group stuff and the connection between LDAP/Postgres seems to be the biggest sticking point for me.
>
> Perhaps I’m going about this the wrong way, but I’ve been attempting to set up LDAP to use some RBAC groups in our AD using the LDAP_USER_SEARCH_FILTER set to the following:
>
> (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--all,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--admins,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)))
>
> The idea here is to just get this working with two groups: admins and non-admins for the time being.
>
> The user page populates with the members of these groups as expected, but the group page is a different story. Ideally I’d like the two groups above to be the only ones pulled from AD, but without a LDAP_GROUP_SEARCH_FILTER setting I’m having a hard time accomplishing this. If I set the group base DN to the OU of the two groups shown above, I see those groups but none of the members of the groups are the actual members pulled from AD as expected. Regardless of nested membership or direct membership in that group, the membership appears empty and the only options to add users are those manually created in the UI (so they also exist in the postgres DB).

When you set the configuration for the group search dn, and you're looking at the groups, are you doing so as a user that is part of your AD tree, that is logged in via LDAP?

Also, can you confirm what version of Guacamole Client you're running?

-Nick
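As an added illustration (not code from the thread, from Guacamole, or from any LDAP library), the script below models the two Active Directory matching rules used in the filter quoted above, 1.2.840.113556.1.4.803 (bitwise AND, here testing the ACCOUNTDISABLE bit of userAccountControl) and 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN, transitive memberOf), and evaluates the whole user filter against a small constructed directory. All entries, the "helpdesk" nested group and the people OU are invented; only the two guacamole_users group DNs are taken from the post. It shows why a nested member of guacamole_users--all is listed on the user page while a disabled or non-member account is not, and it makes explicit that memberOf only records direct membership, so resolving a group's members (what the group page needs) is a separate traversal not governed by this user filter.

```python
"""Offline model of the AD matching rules in the thread's LDAP_USER_SEARCH_FILTER.
Added example; every entry below is constructed, not real directory data."""

# Bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2): ACCOUNTDISABLE.
UAC_ACCOUNTDISABLE = 0x2

PEOPLE = "OU=People,DC=hi,DC=hello"                      # constructed OU
GROUPS = "OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello"
GUAC_USERS = f"CN=guacamole_users--all,{GROUPS}"         # DN from the post
GUAC_ADMINS = f"CN=guacamole_users--admins,{GROUPS}"     # DN from the post
HELPDESK = f"CN=helpdesk,{GROUPS}"                       # constructed nested group


def user(uac=512, member_of=()):
    """Constructed AD-style user entry. 512 = NORMAL_ACCOUNT, 514 = disabled."""
    return {"objectCategory": "person",
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "userAccountControl": uac, "memberOf": list(member_of)}


def group(member_of=()):
    return {"objectCategory": "group", "objectClass": ["top", "group"],
            "memberOf": list(member_of)}


# memberOf holds only DIRECT membership, exactly as AD stores it;
# nesting is only visible by following the chain.
DIRECTORY = {
    GUAC_USERS: group(),
    GUAC_ADMINS: group(),
    HELPDESK: group(member_of=[GUAC_USERS]),
    f"CN=alice,{PEOPLE}": user(member_of=[GUAC_USERS]),            # direct member
    f"CN=bob,{PEOPLE}": user(member_of=[GUAC_ADMINS]),             # admin
    f"CN=carol,{PEOPLE}": user(member_of=[HELPDESK]),              # nested member only
    f"CN=dave,{PEOPLE}": user(uac=514, member_of=[HELPDESK]),      # nested but disabled
    f"CN=erin,{PEOPLE}": user(),                                   # no membership
    f"CN=svc-kiosk,{PEOPLE}": {**user(member_of=[GUAC_USERS]),
                               "objectCategory": "computer"},      # wrong category
}


def bitwise_and(entry, attr, mask):
    """Rule 1.2.840.113556.1.4.803: true when every bit of mask is set in attr."""
    return (int(entry.get(attr, 0)) & mask) == mask


def in_chain(entry_dn, attr, target_dn, directory):
    """Rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN): follow attr
    transitively from entry_dn, cycle-safe, until target_dn is reached."""
    todo, seen = list(directory[entry_dn].get(attr, [])), set()
    while todo:
        dn = todo.pop()
        if dn == target_dn:
            return True
        if dn in seen or dn not in directory:
            continue
        seen.add(dn)
        todo.extend(directory[dn].get(attr, []))
    return False


def matches_user_filter(dn, directory=DIRECTORY):
    """The post's LDAP_USER_SEARCH_FILTER, evaluated clause by clause."""
    e = directory[dn]
    return (e.get("objectCategory") == "person"
            and "user" in e.get("objectClass", [])
            and not bitwise_and(e, "userAccountControl", UAC_ACCOUNTDISABLE)
            and (in_chain(dn, "memberOf", GUAC_USERS, directory)
                 or in_chain(dn, "memberOf", GUAC_ADMINS, directory)))


def visible_users(directory=DIRECTORY):
    """CNs the user page would list under this filter, sorted."""
    return sorted(dn.split(",")[0][3:]
                  for dn in directory if matches_user_filter(dn, directory))


if __name__ == "__main__":
    print(visible_users())
```

Running it lists alice, bob and carol: carol is admitted purely through the in-chain rule, dave is dropped by the disabled-account clause, and the group objects themselves never match because of the objectCategory clause, which is one reason a user filter alone says nothing about what the group page will show.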
