LDAP extension problems

LDAP extension problems

Samuel Schumacher
Hey there,

So I have Guacamole 1.1.0 with a PostgreSQL backend and have added the LDAP extension. The login works just fine, but there are some problems with the authentication itself.

I added a query so that only objects in a group can log in. But still every LDAP posixAccount can log in, and I do not have any clue why.

The second problem is that the config objects from LDAP are not added. I have added the schema by hand, and again, maybe it's just a problem with the LDAP itself.

For me it looks like the LDAP server is getting the right queries, but I don't know what it is giving back and couldn't find the right logs on the guac server.

Would be happy for every bit of help.

Best regards
Samuel

Config of .properties

ldap-hostname:                  IPofLDAPServer
ldap-port:                      389
ldap-encryption-method:         none
ldap-max-search-results:        100
ldap-username-attribute:        uid
ldap-user-base-dn:              ou=people,dc=main,dc=domain
#ldap-search-bind-dn:           cn=guacbind,ou=services,dc=main,dc=domain
#ldap-search-bind-password:     SECRETPASSWORD
ldap-config-base-dn:            ou=guacamole,ou=permissions,dc=main,dc=domain
#ldap-follow-referrals:         true
ldap-user-search-filter:        (&(objectClass=posixAccount)(memberOf=cn=guacamole_user,ou=permissions,dc=main,dc=domain))

LDIF of Search-filter Group
dn: cn=guacamole_user,ou=permissions,dc=main,dc=domain
objectClass: groupOfNames
objectClass: nsMemberOf
objectClass: top
cn: guacamole_user
member: uid=normaluser,ou=people,dc=main,dc=domain
member: uid=guacadmin,ou=people,dc=main,dc=domain

LDIF of Config ITEM
dn: cn=guac config tardis,ou=guacamole,ou=permissions,dc=main,dc=domain
objectClass: groupOfNames
objectClass: guacConfigGroup
objectClass: top
cn: guac config tardis
guacConfigProtocol: ssh
guacConfigParameter: hostname=IpofTardis
member: uid=normaluser,ou=people,dc=main,dc=domain
seeAlso: cn=linux_user,ou=permissions,dc=main,dc=domain

LDAP-Server log of three Users
conn=9635 fd=66 slot=66 connection from IPGUAC to IPofLDAPServer
conn=9635 op=0 BIND dn="uid=guacadmin,ou=people,dc=main,dc=domain" method=128 version=3
conn=9635 op=0 RESULT err=0 tag=97 nentries=0 etime=0.025868462 dn="uid=guacadmin,ou=people,dc=main,dc=domain"
conn=9635 op=-1 fd=66 closed - B1
conn=9636 fd=66 slot=66 connection from IPGUAC to IPofLDAPServer
conn=9636 op=0 BIND dn="uid=guacadmin,ou=people,dc=main,dc=domain" method=128 version=3
conn=9636 op=0 RESULT err=0 tag=97 nentries=0 etime=0.025927676 dn="uid=guacadmin,ou=people,dc=main,dc=domain"
conn=9636 op=1 SRCH base="ou=people,dc=main,dc=domain" scope=2 filter="(&(&(objectClass=posixAccount)(memberOf=cn=guacamole_user,ou=permissions,dc=main,dc=domain))(|(uid=*)))" attrs=ALL
conn=9636 op=1 RESULT err=0 tag=101 nentries=1 etime=0.000867371
conn=9636 op=2 SRCH base="ou=guacamole,ou=permissions,dc=main,dc=domain" scope=2 filter="(&(objectClass=guacConfigGroup)(|(member=uid=guacadmin,ou=people,dc=main,dc=domain)))" attrs=ALL
conn=9636 op=2 RESULT err=0 tag=101 nentries=0 etime=0.000194381
conn=9636 op=-1 fd=66 closed - B1

conn=9833 fd=66 slot=66 connection from IPGUAC to IPofLDAPServer
conn=9833 op=0 BIND dn="uid=testuser,ou=people,dc=main,dc=domain" method=128 version=3
conn=9833 op=0 RESULT err=0 tag=97 nentries=0 etime=0.181102656 dn="uid=testuser,ou=people,dc=main,dc=domain"
conn=9833 op=-1 fd=66 closed - B1
conn=9834 fd=66 slot=66 connection from IPGUAC to IPofLDAPServer
conn=9834 op=0 BIND dn="uid=testuser,ou=people,dc=main,dc=domain" method=128 version=3
conn=9834 op=0 RESULT err=0 tag=97 nentries=0 etime=0.023140709 dn="uid=testuser,ou=people,dc=main,dc=domain"
conn=9834 op=1 SRCH base="ou=people,dc=main,dc=domain" scope=2 filter="(&(&(objectClass=posixAccount)(memberOf=cn=guacamole_user,ou=permissions,dc=main,dc=domain))(|(uid=*)))" attrs=ALL
conn=9834 op=1 RESULT err=0 tag=101 nentries=2 etime=0.001377452
conn=9834 op=2 SRCH base="ou=guacamole,ou=permissions,dc=main,dc=domain" scope=2 filter="(&(objectClass=guacConfigGroup)(|(member=uid=testuser,ou=people,dc=main,dc=domain)))" attrs=ALL
conn=9834 op=2 RESULT err=0 tag=101 nentries=0 etime=0.000238315
conn=9834 op=-1 fd=66 closed - B1

conn=9856 fd=66 slot=66 connection from IPGUAC to IPofLDAPServer
conn=9856 op=0 BIND dn="uid=normaluser,ou=people,dc=main,dc=domain" method=128 version=3
conn=9856 op=0 RESULT err=0 tag=97 nentries=0 etime=0.022962337 dn="uid=normaluser,ou=people,dc=main,dc=domain"
conn=9856 op=-1 fd=66 closed - B1
conn=9857 fd=66 slot=66 connection from IPGUAC to IPofLDAPServer
conn=9857 op=0 BIND dn="uid=normaluser,ou=people,dc=main,dc=domain" method=128 version=3
conn=9857 op=0 RESULT err=0 tag=97 nentries=0 etime=0.022838888 dn="uid=normaluser,ou=people,dc=main,dc=domain"
conn=9857 op=1 SRCH base="ou=people,dc=main,dc=domain" scope=2 filter="(&(&(objectClass=posixAccount)(memberOf=cn=guacamole_user,ou=permissions,dc=main,dc=domain))(|(uid=*)))" attrs=ALL
conn=9857 op=1 RESULT err=0 tag=101 nentries=2 etime=0.001322204
conn=9857 op=2 SRCH base="ou=guacamole,ou=permissions,dc=main,dc=domain" scope=2 filter="(&(objectClass=guacConfigGroup)(|(member=uid=normaluser,ou=people,dc=main,dc=domain)))" attrs=ALL
conn=9857 op=2 RESULT err=0 tag=101 nentries=0 etime=0.000202359
conn=9857 op=-1 fd=66 closed - B1
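The posted properties file has two things a reviewer would flag: ldap-user-search-filter is active while the ldap-search-bind-dn / ldap-search-bind-password pair is commented out, and the commented password key is misspelled, so it would be ignored even once uncommented. The following small linter, an added example that is not part of the thread or of the Guacamole project, parses a .properties text and reports exactly those conditions. The property names are the real ones from the Guacamole LDAP extension; the two sample texts are constructed to mirror the posted configuration and a corrected version of it (the hostname, port and encryption values in them are assumptions).

```python
"""Lint a guacamole.properties LDAP section for the filter-without-search-bind pitfall."""
import re

# Subset of the property names the Guacamole LDAP extension recognises.
KNOWN_KEYS = {
    "ldap-hostname", "ldap-port", "ldap-encryption-method",
    "ldap-max-search-results", "ldap-username-attribute", "ldap-user-base-dn",
    "ldap-search-bind-dn", "ldap-search-bind-password", "ldap-config-base-dn",
    "ldap-follow-referrals", "ldap-user-search-filter", "ldap-group-base-dn",
}

# Constructed sample mirroring the configuration posted in the thread.
SAMPLE_PROPERTIES = """\
ldap-hostname:              ldap.example.test
ldap-port:                  389
ldap-encryption-method:     none
ldap-max-search-results:    100
ldap-username-attribute:    uid
ldap-user-base-dn:          ou=people,dc=main,dc=domain
#ldap-search-bind-dn:       cn=guacbind,ou=services,dc=main,dc=domain
#ldap-serach-bind-password: SECRETPASSWORD
ldap-config-base-dn:        ou=guacamole,ou=permissions,dc=main,dc=domain
ldap-user-search-filter:    (&(objectClass=posixAccount)(memberOf=cn=guacamole_user,ou=permissions,dc=main,dc=domain))
"""

# Constructed corrected version: search bind enabled, key spelled right, LDAPS.
CORRECTED_PROPERTIES = """\
ldap-hostname:              ldap.example.test
ldap-port:                  636
ldap-encryption-method:     ssl
ldap-max-search-results:    100
ldap-username-attribute:    uid
ldap-user-base-dn:          ou=people,dc=main,dc=domain
ldap-search-bind-dn:        cn=guacbind,ou=services,dc=main,dc=domain
ldap-search-bind-password:  SECRETPASSWORD
ldap-config-base-dn:        ou=guacamole,ou=permissions,dc=main,dc=domain
ldap-user-search-filter:    (&(objectClass=posixAccount)(memberOf=cn=guacamole_user,ou=permissions,dc=main,dc=domain))
"""


def parse_properties(text):
    """Return (active, commented) dicts of key -> value for a .properties text.
    Commented-out keys are kept separately so typos in them can still be reported."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line.startswith("#"):
            target = commented
            line = line.lstrip("#").strip()
        m = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)$", line)
        if m:
            target[m.group(1)] = m.group(2).strip()
    return active, commented


def lint_ldap_properties(text):
    """Return a list of findings (strings) for the LDAP settings in `text`."""
    active, commented = parse_properties(text)
    findings = []
    search_bind = "ldap-search-bind-dn" in active
    if "ldap-user-search-filter" in active and not search_bind:
        findings.append(
            "ldap-user-search-filter is set but ldap-search-bind-dn is not: without a "
            "search bind the user is authenticated by binding directly as "
            "<ldap-username-attribute>=<username>,<ldap-user-base-dn>, so the filter "
            "does not restrict who can log in")
    if search_bind and "ldap-search-bind-password" not in active:
        findings.append("ldap-search-bind-dn is set without ldap-search-bind-password")
    for key in list(active) + list(commented):
        if key.startswith("ldap-") and key not in KNOWN_KEYS:
            findings.append(f"unknown property name {key!r} (typo?)")
    if active.get("ldap-encryption-method", "none") == "none":
        findings.append("ldap-encryption-method is none: bind passwords cross "
                        "the network in cleartext")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_PROPERTIES), ("corrected", CORRECTED_PROPERTIES)):
        print(f"{name}: {lint_ldap_properties(text) or 'no findings'}")
```

Run against the posted configuration it reports three findings (filter without search bind, the misspelled key, cleartext LDAP); the corrected text yields none.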



Re: LDAP extension problems

fabio1299d
Hi Samuel,

I have the same problem.

I was told that you need to enable the ldap-search-bind-dn (with the corresponding ldap-search-bind-password), because guacamole will first query the LDAP directory using the search-bind-dn user (applying the ldap-user-search-filter) and then authenticate users against the returned list…

Probably similarly to you, I was expecting the filter to be applied directly to the authentication criteria, thus not requiring the bind-dn user...

I still have not had a chance to try if the solution actually works, but you could give it a try (I’d be happy to know if it actually works :))

Cheers,
Fabio


> On May 27, 2020, at 08:23, Samuel Schumacher <[hidden email]> wrote:



Re: LDAP extension problems

vnick
On Wed, May 27, 2020 at 1:07 PM Fabio Corsi <[hidden email]> wrote:

Unless your users are all directly in the container specified by ldap-user-base-dn, this is correct: you will need to set the ldap-search-bind-dn and ldap-search-bind-password properties. Otherwise, if no search DN and password are specified, the LDAP user will be computed as <USER ATTRIBUTE>=<USERNAME>,<USER BASE DN>.

-Nick
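Nick's two cases can be written out as code. The model below is an added example, not code from the thread or from the Guacamole project: an in-memory stand-in for the poster's directory (DNs and the group name are taken from the thread; the passwords, the `memberOf` values and the bind account's password are constructed) plus a minimal evaluator for the `&`, `|` and `attribute=value` filter syntax that the posted filter uses. `login_direct_bind` derives the DN by string formatting and never consults ldap-user-search-filter, which is why a posixAccount outside cn=guacamole_user still authenticates; `login_search_bind` applies the filter first and only binds as the single DN it returns. In the posted server log every login likewise begins with a BIND as uid=<username>,ou=people,... that succeeds with err=0 before any filtered search runs.

```python
"""Model of the direct-bind and search-bind login flows of the Guacamole LDAP extension."""

USER_BASE_DN = "ou=people,dc=main,dc=domain"
USERNAME_ATTR = "uid"
USER_SEARCH_FILTER = ("(&(objectClass=posixAccount)"
                      "(memberOf=cn=guacamole_user,ou=permissions,dc=main,dc=domain))")
SEARCH_BIND_DN = "cn=guacbind,ou=services,dc=main,dc=domain"

# Constructed directory: DN -> attributes (every attribute is a list of values).
# normaluser is in cn=guacamole_user (as in the posted LDIF); testuser is not.
DIRECTORY = {
    "uid=normaluser,ou=people,dc=main,dc=domain": {
        "objectClass": ["posixAccount", "top"], "uid": ["normaluser"],
        "memberOf": ["cn=guacamole_user,ou=permissions,dc=main,dc=domain"],
        "userPassword": ["normal-pw"]},
    "uid=testuser,ou=people,dc=main,dc=domain": {
        "objectClass": ["posixAccount", "top"], "uid": ["testuser"],
        "memberOf": [], "userPassword": ["test-pw"]},
    SEARCH_BIND_DN: {"objectClass": ["top"], "userPassword": ["bind-pw"]},
}


def simple_bind(dn, password):
    """True if an entry with this DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry["userPassword"]


def _split_children(s):
    """Split the body of (&...) / (|...) into its top-level sub-filters."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def filter_matches(flt, entry):
    """Evaluate a filter limited to &, | and attr=value (trailing * wildcard)."""
    body = flt[1:-1]
    if body[0] in "&|":
        results = [filter_matches(c, entry) for c in _split_children(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    values = entry.get(attr, [])
    if value.endswith("*"):
        return any(v.startswith(value[:-1]) for v in values)
    return value in values


def search(base_dn, flt):
    """Subtree search: DNs under base_dn whose entry matches the filter."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith("," + base_dn) and filter_matches(flt, e)]


def login_direct_bind(username, password):
    """No search bind configured: the DN is <attr>=<username>,<base> and the
    search filter is never consulted. Returns the authenticated DN or None."""
    dn = f"{USERNAME_ATTR}={username},{USER_BASE_DN}"
    return dn if simple_bind(dn, password) else None


def login_search_bind(username, password, bind_password):
    """Search bind configured: bind as the service account, find the user with
    the filter, then bind as the one returned DN. Returns the DN or None."""
    if not simple_bind(SEARCH_BIND_DN, bind_password):
        return None
    flt = f"(&{USER_SEARCH_FILTER}({USERNAME_ATTR}={username}))"
    matches = search(USER_BASE_DN, flt)
    if len(matches) != 1:  # filtered out, or ambiguous: refuse the login
        return None
    return matches[0] if simple_bind(matches[0], password) else None


if __name__ == "__main__":
    print("direct bind, testuser:", login_direct_bind("testuser", "test-pw"))
    print("search bind, testuser:", login_search_bind("testuser", "test-pw", "bind-pw"))
    print("search bind, normaluser:", login_search_bind("normaluser", "normal-pw", "bind-pw"))
```

The listing query seen in the log, the configured filter wrapped as `(&<filter>(|(uid=*)))`, can be fed to `search` as well; it returns only the group member, which shows the filter works for enumeration even while direct-bind logins ignore it.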

Re: LDAP extension problems

Samuel Schumacher
I remember now why I have deactivated the bind-dn. I always get an error 53 on the ldap server. Have tried it with a user, a service account and even with the Directory Manager. I think I have to check the config of the ldap server again.
Nick Couchman <[hidden email]> wrote on 27 May 2020 22:16: