  1. Guacamole
  2. GUACAMOLE-1216

LDAP SearchRequest default attribute not overwritten by ldap-username-atribute parameter


    Details

      Description

      When using LDAP authentication against Microsoft Active Directory, the default attribute for username is "sAMAccountName", which needs to be set with the ldap-username-attribute property in guacamole.properties. Even if it's explicitly set, the LDAP search request still uses the "uid" attribute instead, which is not set in Active Directory by default, and the search response ends with an empty result. When "uid" is manually set in AD, the user is properly authenticated. Please fix this weird behavior. Thank you.

      #### /etc/guacamole/guacamole.properties
      
      enable-environment-properties: true
      guacd-hostname: localhost
      guacd-port:     4822
      guacd-ssl:      true
      
      # AD
      ldap-hostname: winserv2019.rsdome.com
      ldap-port: 389
      ldap-encryption-method: none
      ldap-user-base-dn: CN=Users,DC=rsdome,DC=com
      ldap-username-atribute: sAMAccountName
      ldap-search-bind-dn: CN=adtest,CN=Local,CN=Users,DC=rsdome,DC=com
      ldap-search-bind-password: Test123
      ldap-user-search-filter: (&(objectClass=user)(memberOf=CN=GuacamoleUsers,CN=Local,CN=Users,DC=rsdome,DC=com))
      

       

      See end of the filter line in SearchRequest...

      #### part of catalina.out
      
      [2020-11-19 20:03:34] [info] 20:03:34.602 [http-nio-8001-exec-6] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04104_SENDING_REQUEST (MessageType : SEARCH_REQUEST
      [2020-11-19 20:03:34] [info] Message ID : 2
      [2020-11-19 20:03:34] [info]     SearchRequest
      [2020-11-19 20:03:34] [info]         baseDn : 'CN=Users,DC=rsdome,DC=com'
      [2020-11-19 20:03:34] [info]         filter : '(&(&(objectClass=user)(memberOf=CN=GuacamoleUsers,CN=Local,CN=Users,DC=rsdome,DC=com))(|(uid=mspkt)))'
      [2020-11-19 20:03:34] [info]         scope : whole subtree
      [2020-11-19 20:03:34] [info]         typesOnly : false
      [2020-11-19 20:03:34] [info]         Size Limit : 1000
      [2020-11-19 20:03:34] [info]         Time Limit : 30
      [2020-11-19 20:03:34] [info]         Deref Aliases : never Deref Aliases
      [2020-11-19 20:03:34] [info]         attributes :
      .
      .
      .
      [2020-11-19 20:03:34] [info] 20:03:34.659 [NioProcessor-5] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04131_SEARCH_SUCCESSFUL (MessageType : SEARCH_RESULT_DONE
      [2020-11-19 20:03:34] [info] Message ID : 2
      [2020-11-19 20:03:34] [info]     Search Result Done
      [2020-11-19 20:03:34] [info]         Ldap Result
      [2020-11-19 20:03:34] [info]             Result code : (SUCCESS) success
      [2020-11-19 20:03:34] [info]             Matched Dn : '' #<<< EMPTY RESULT
      [2020-11-19 20:03:34] [info]             Diagnostic message : ''
      [2020-11-19 20:03:34] [info] )
      .
      .
      .
      [2020-11-19 20:03:34] [info] 20:03:34.663 [http-nio-8001-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.5.2.3 for user "mspkt" failed.
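
The two artifacts in this report, the properties file and the logged SearchRequest filter, can be cross-checked mechanically. The following Python script is an added example, not part of the original report or of Guacamole's code: it flags property names that are not in a known set and extracts the username attribute that actually reached the LDAP filter. The key list is limited to names that appear on this page, and all function names are hypothetical.

```python
import difflib
import re

# Property names taken from this page (the issue text spells the username
# property "ldap-username-attribute"). Extend the set for your own deployment.
KNOWN_KEYS = sorted({
    "enable-environment-properties", "guacd-hostname", "guacd-port", "guacd-ssl",
    "ldap-hostname", "ldap-port", "ldap-encryption-method", "ldap-user-base-dn",
    "ldap-username-attribute", "ldap-search-bind-dn",
    "ldap-search-bind-password", "ldap-user-search-filter",
})

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines, ignoring comments and blanks."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!:=\s][^:=\s]*)\s*[:=]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def unrecognized_keys(props):
    """Map each key not in KNOWN_KEYS to its closest known name (or None)."""
    result = {}
    for key in props:
        if key not in KNOWN_KEYS:
            near = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.8)
            result[key] = near[0] if near else None
    return result

def logged_username_attributes(log_text):
    """Attributes in the trailing (|(attr=user)...) clause of a logged filter."""
    m = re.search(r"filter : '.*\(\|((?:\([^()=]+=[^()]*\))+)\)\)'", log_text)
    return re.findall(r"\(([^()=]+)=", m.group(1)) if m else []

# Constructed sample: lines copied from the report above.
SAMPLE_PROPERTIES = """\
# AD
ldap-hostname: winserv2019.rsdome.com
ldap-user-base-dn: CN=Users,DC=rsdome,DC=com
ldap-username-atribute: sAMAccountName
"""
SAMPLE_LOG = ("[info]  filter : '(&(&(objectClass=user)(memberOf=CN=GuacamoleUsers,"
              "CN=Local,CN=Users,DC=rsdome,DC=com))(|(uid=mspkt)))'")

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for key, hint in unrecognized_keys(props).items():
        print(f"unrecognized property {key!r}; closest known name: {hint!r}")
    print("configured:", props.get("ldap-username-attribute"),
          "| in logged filter:", logged_username_attributes(SAMPLE_LOG))
```

Run against the lines from the report, the script shows that the file as posted contains no `ldap-username-attribute` key, and that the attribute in the logged filter is `uid`.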
      
      

            People

            • Assignee:
              Unassigned
              Reporter:
              Rudik Robert
