Hey Mike, thanks for the response. This clears things up a bit for me as I 
wasn’t expecting this to be the behavior, so I’ll have to do a bit more testing 
off of this new assumption to see if things are working as expected.

One thing I’m still curious about is whether it’s expected behavior to not see 
any data when you click the LDAP tab. I feel like it should still at least show 
the data from the group even if it can’t edit it.


From: Mike Jumper <[email protected]>
Sent: Tuesday, September 21, 2021 10:02 AM
To: [email protected]
Subject: Re: Dockerized Guac LDAP Config

The behavior described so far sounds like things are working: the groups in 
question appear, and they show the correct data within each of the 
datasource-specific tabs. You see two tabs for the group (LDAP and PostgreSQL) 
because the same group exists within both datasources. Within each of those 
tabs, you see data specific to the datasource associated with that tab, and 
only data from that datasource.

While the PostgreSQL tab is selected, you see no group members from LDAP 
because the tab is specific to PostgreSQL. No group members have been added 
manually from PostgreSQL. This is fine and doesn't mean that the group will not 
work - LDAP members of the LDAP version of that group will still inherit 
permissions granted to the PostgreSQL version of that group, even though you 
will not see LDAP members in the PostgreSQL tab.

When an LDAP user logs in that is a direct member of either of those groups 
within LDAP, do they have the expected level of access inherited from those 
groups? The UI will not show LDAP group members within the PostgreSQL tab, but 
LDAP group members will inherit those permissions upon login when Guacamole 
queries their group memberships.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc. <https://glyp.to/>


On Tue, Sep 21, 2021 at 7:50 AM Kevin Leigeb 
<[email protected]> wrote:
Just wanted to check in one last time to see if anyone has any thoughts on what 
might be wrong here.


From: Kevin Leigeb <[email protected]>
Sent: Wednesday, September 15, 2021 1:25 PM
To: [email protected]
Subject: RE: Dockerized Guac LDAP Config

Yes to the first question. I’ve additionally created a guacadmin AD account so 
that I can log in as myself or that account and still see the AD account 
listings. When I open the user or group page, I see two tabs on the top; one 
for LDAP which shows a lock and tells me it can’t be edited and one for 
Postgres.

For the guac client, I’m running the latest tag of the image from dockerhub 
which I pulled again yesterday morning to make sure it was up to date. Happy to 
pin it to a specific tag if that might help.

From: Nick Couchman <[email protected]>
Sent: Wednesday, September 15, 2021 1:11 PM
To: [email protected]
Subject: Re: Dockerized Guac LDAP Config

On Mon, Sep 13, 2021 at 4:42 PM Kevin Leigeb 
<[email protected]> wrote:
Hey All –

I’ve been having a really rough go lately getting the LDAP configuration to 
work with Guacamole running in docker compose. I’m able to get users to 
successfully authenticate, but the group stuff and the connection between 
LDAP/Postgres seems to be the biggest sticking point for me.

Perhaps I’m going about this the wrong way, but I’ve been attempting to set up 
LDAP to use some RBAC groups in our AD using the LDAP_USER_SEARCH_FILTER set to 
the following:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--all,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)(memberOf:1.2.840.113556.1.4.1941:=CN=guacamole_users--admins,OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello)))

The idea here is to just get this working with two groups: admins and 
non-admins for the time being.

The user page populates with the members of these groups as expected, but the 
group page is a different story. Ideally I’d like the two groups above to be 
the only ones pulled from AD, but without a LDAP_GROUP_SEARCH_FILTER setting 
I’m having a hard time accomplishing this. If I set the group base DN to the OU 
of the two groups shown above, I see those groups but none of the members of 
the groups are the actual members pulled from AD as expected. Regardless of 
nested membership or direct membership in that group, the membership appears 
empty and the only options to add users are those manually created in the UI 
(so they also exist in the postgres DB).


When you set the configuration for the group search dn, and you're looking at 
the groups, are you doing so as a user that is part of your AD tree, that is 
logged in via LDAP?

Also, can you confirm what version of Guacamole Client you're running?

-Nick
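To make it concrete which accounts the LDAP_USER_SEARCH_FILTER quoted in the thread selects (and why nested members and disabled accounts behave the way they do), here is an added toy filter evaluator. It is example code written for this page, not Guacamole's code and not anything posted by the participants. It parses the subset of RFC 4515 filters used above (&, |, !, equality, and the two Microsoft matching rules LDAP_MATCHING_RULE_BIT_AND and LDAP_MATCHING_RULE_IN_CHAIN) and runs them over a small directory constructed inline. The nested "helpdesk" group, the user accounts and the GROUP_SEARCH_FILTER at the end are constructed for illustration; the user filter itself is the one from the thread. Simplifications to be aware of: comparisons are plain case-insensitive string equality, and objectCategory is stored as the short name "person" rather than the schema DN that AD resolves it to.

```python
"""Toy evaluator for AD-style LDAP search filters (added example, not Guacamole code)."""

# Microsoft matching-rule OIDs that appear in the filter from the thread
RULE_BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (walks nested groups)
UF_ACCOUNTDISABLE = 0x2                     # userAccountControl bit tested by (...803:=2)


def parse_filter(text, pos=0):
    """Parse one parenthesised filter component at text[pos]; return (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":                       # compound: (&...) (|...) (!...)
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed compound filter near offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)            # DN values contain no ')' so this is safe here
    attr, value = text[pos:end].split("=", 1)
    rule = None
    if ":" in attr:                       # extensible match: attr:OID:=value
        attr, rule, _ = attr.split(":")
    return ("=", attr.lower(), rule, value), end + 1


def member_of_chain(directory, dn):
    """Transitive closure of memberOf starting at dn: the set IN_CHAIN matches against."""
    seen, todo = set(), [dn]
    while todo:
        for parent in directory.get(todo.pop(), {}).get("memberof", []):
            if parent.lower() not in seen:
                seen.add(parent.lower())
                todo.append(parent)
    return seen


def matches(node, entry, directory):
    """Evaluate a parsed filter node against one entry."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry, directory) for c in node[1])
    if op == "|":
        return any(matches(c, entry, directory) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry, directory)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == RULE_BIT_AND:              # true if any value has the requested bits set
        return any(int(v) & int(value) for v in values)
    if rule == RULE_IN_CHAIN and attr == "memberof":
        return value.lower() in member_of_chain(directory, entry["dn"])
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule} on {attr}")
    return any(v.lower() == value.lower() for v in values)


def search(filter_text, directory):
    """Return the sorted DNs of the entries that match filter_text."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(dn for dn, e in directory.items() if matches(node, e, directory))


def entry(dn, **attrs):
    """Build an entry with lower-cased attribute names and list-valued attributes."""
    return {"dn": dn, **{k.lower(): list(v) for k, v in attrs.items()}}


# Constructed directory: the two groups named in the thread, a hypothetical nested
# "helpdesk" group, and users exercising each branch of the filter.
BASE = "OU=Guacamole,OU=rbac_groups,OU=hey,DC=hi,DC=hello"
G_ALL = f"CN=guacamole_users--all,{BASE}"
G_ADMINS = f"CN=guacamole_users--admins,{BASE}"
G_HELPDESK = f"CN=helpdesk,{BASE}"
USERS = "OU=users,DC=hi,DC=hello"


def user(cn, uac, groups):
    return entry(f"CN={cn},{USERS}", objectCategory=["person"], objectClass=["user"],
                 userAccountControl=[str(uac)], memberOf=groups)


DIRECTORY = {e["dn"]: e for e in [
    entry(G_ALL, cn=["guacamole_users--all"], objectClass=["group"]),
    entry(G_ADMINS, cn=["guacamole_users--admins"], objectClass=["group"]),
    entry(G_HELPDESK, cn=["helpdesk"], objectClass=["group"], memberOf=[G_ALL]),
    user("alice", 512, [G_ADMINS]),                   # direct member of the admins group
    user("bob", 512, [G_HELPDESK]),                   # nested member of guacamole_users--all only
    user("carol", 512 | UF_ACCOUNTDISABLE, [G_ALL]),  # disabled: excluded by the ! clause
    user("svc-backup", 512, []),                      # in neither group
]}

# The LDAP_USER_SEARCH_FILTER from the thread, split across lines but otherwise verbatim.
USER_SEARCH_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    f"(|(memberOf:1.2.840.113556.1.4.1941:={G_ALL})"
    f"(memberOf:1.2.840.113556.1.4.1941:={G_ADMINS})))"
)

# Hypothetical group filter that would limit a group listing to the two RBAC groups.
GROUP_SEARCH_FILTER = "(&(objectClass=group)(|(cn=guacamole_users--all)(cn=guacamole_users--admins)))"

if __name__ == "__main__":
    print("users: ", search(USER_SEARCH_FILTER, DIRECTORY))   # alice and bob
    print("groups:", search(GROUP_SEARCH_FILTER, DIRECTORY))  # the two RBAC groups
```

Running it shows alice (direct member) and bob (member only through the nested helpdesk group) matching the user filter, while carol is dropped by the userAccountControl bit test and svc-backup by the memberOf clauses. That is the set of accounts the user search would return regardless of what the PostgreSQL tab displays, which is the distinction Mike draws above between what the UI lists per datasource and which LDAP memberships are evaluated at login.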

