Details

    • Type: Story
    • Status: Done
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 0.9.9
    • Component/s: guacamole-auth-ldap
    • Labels:
    • Sprint: DEV 2015-10-30
    • Story Points: 5

      Description

      The current LDAP authentication module in Guacamole is very basic. It takes the username and adds the LDAP base DN. This is not sufficient for a directory where users are scattered across multiple distinct OUs under the base DN.

      The LDAP module should instead:

      1. Perform a search for the parameter which identifies the user (uid/samaccountname) under the ENTIRE subtree from the base DN
      2. Use just the uid/samaccountname to identify the user

              Activity

              88fingerslukee LB added a comment - edited

              I'm not sure if I should post this here or what. I installed from the latest source (11/16/2015) and it works when authenticating from the base OU of Users. However, when I try and limit the logins to only those of a certain Group within the Users OU, it doesn't work and there is no error reported.

              Here is the guacamole.properties file that works:

              guacd-hostname: localhost
              guacd-port:     4822
               
              #MySQL Auth
              mysql-hostname: localhost
              mysql-port: 3306
              mysql-database: guacamole_db
              mysql-username: guacamole_user
              mysql-password: db_password
              mysql-disallow-duplicate-connections: false
               
              #LDAP Auth
              ldap-hostname: AD.domain.com
              ldap-port: 389
              ldap-user-base-dn: CN=Users,DC=domain,DC=com
              ldap-search-bind-dn: CN=binduser,CN=Users,DC=domain,DC=com
              ldap-search-bind-password: password
              ldap-username-attribute: sAMAccountName

              And here is the one that doesn't:

              guacd-hostname: localhost
              guacd-port:     4822
               
              #MySQL Auth
              mysql-hostname: localhost
              mysql-port: 3306
              mysql-database: guacamole_db
              mysql-username: guacamole_user
              mysql-password: db_password
              mysql-disallow-duplicate-connections: false
               
              #LDAP Auth
              ldap-hostname: AD.domain.com
              ldap-port: 389
              ldap-user-base-dn: CN=GuacUsers, CN=Users,DC=domain,DC=com
              ldap-search-bind-dn: CN=binduser,CN=Users,DC=domain,DC=com
              ldap-search-bind-password: password
              ldap-username-attribute: sAMAccountName

              Is this a bug or am I doing something that isn't currently allowed?

              mike.jumper Michael Jumper added a comment -

              Here is the guacamole.properties file that works:

              ...
              ldap-user-base-dn: CN=Users,DC=domain,DC=com
              ...

              And here is the one that doesn't:

              ...
              ldap-user-base-dn: CN=GuacUsers, CN=Users,DC=domain,DC=com
              ...

              Is this a bug or am I doing something that isn't currently allowed?

              Are those users actually within "CN=GuacUsers,CN=Users,DC=domain,DC=com", as in they are within that subtree, or are they simply members of that group?

              In the case of the latter, that will not work. Guacamole does not perform a search for membership of the group specified by "ldap-user-base-dn". It performs a search for users within the subtree of "ldap-user-base-dn".

              mike.jumper Michael Jumper added a comment -

              If you intend to limit access to Guacamole by requiring membership in a particular group, you might be able to achieve this by:

              1. Restoring the original value of "ldap-user-base-dn" such that the correct subtree is searched
              2. Modifying the permissions of "CN=binduser,CN=Users,DC=domain,DC=com" within your LDAP server such that he can only list users which are members of the "GuacUsers" group.

              If the "ldap-search-bind-dn" user cannot find the DN of a user attempting to authenticate (because the LDAP server does not list their DN due to an ACL), then authentication will stop there and access will be denied. Authentication cannot occur if the DN cannot be determined.

              I do not know offhand how such permissions could be applied within Active Directory, nor any other LDAP server for that matter, but I presume that it is possible. Limiting the visibility of objects within a directory via ACLs seems a rather core feature of LDAP.

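The search-then-bind flow the description asks for, together with the subtree-versus-group-membership distinction drawn in the comments above, as an added example in Python rather than the module's own Java; the in-memory directory, its DNs and the names domain.com, GuacUsers, bob and jdoe are constructed for this illustration and are not the project's code or data:

```python
import re

# Constructed sample directory (domain.com, GuacUsers, bob, jdoe are invented).
DIRECTORY = [
    {"dn": "CN=GuacUsers,CN=Users,DC=domain,DC=com", "objectClass": "group",
     "member": ["CN=bob,CN=Users,DC=domain,DC=com",
                "CN=Doe\\, Jane,OU=Staff,DC=domain,DC=com"]},
    {"dn": "CN=bob,CN=Users,DC=domain,DC=com", "sAMAccountName": "bob",
     "password": "bob-pw"},
    {"dn": "CN=Doe\\, Jane,OU=Staff,DC=domain,DC=com", "sAMAccountName": "jdoe",
     "password": "jane-pw"},
]

def parse_dn(dn):
    """Split a DN into lowercase (type, value) RDN pairs, keeping a
    backslash-escaped comma (as in CN=Baumann\\,Thomas) inside its value."""
    rdns = re.split(r"(?<!\\),", dn)
    return [tuple(s.strip().lower() for s in r.split("=", 1)) for r in rdns]

def in_subtree(entry_dn, base_dn):
    """wholeSubtree scope: the entry is the base itself or lies beneath it,
    i.e. its RDN sequence ends with the base's RDN sequence."""
    e, b = parse_dn(entry_dn), parse_dn(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b

def find_user_dn(base_dn, attr, username):
    """Step 1 of the issue: search the whole subtree under base_dn for
    attr=username. Only a single unambiguous hit yields a DN."""
    hits = [e["dn"] for e in DIRECTORY
            if in_subtree(e["dn"], base_dn)
            and e.get(attr, "").lower() == username.lower()]
    return hits[0] if len(hits) == 1 else None

def authenticate(base_dn, attr, username, password):
    """Step 2: bind as the DN found. With no DN there is nothing to bind as,
    so access is denied, which is the behaviour described in the comments."""
    dn = find_user_dn(base_dn, attr, username)
    if dn is None:
        return False
    entry = next(e for e in DIRECTORY if e["dn"] == dn)
    return entry["password"] == password  # stand-in for the LDAP simple bind

if __name__ == "__main__":
    print(authenticate("DC=domain,DC=com", "sAMAccountName", "jdoe", "jane-pw"))
    # A group DN as ldap-user-base-dn finds nobody: membership is not
    # containment, so bob is denied although he is a member of GuacUsers.
    print(authenticate("CN=GuacUsers,CN=Users,DC=domain,DC=com",
                       "sAMAccountName", "bob", "bob-pw"))
```

Setting ldap-user-base-dn to CN=Users instead also denies jdoe, whose entry sits under OU=Staff, which is exactly the scattered-OU case the issue was opened for.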
              tirili Thomas Baumann added a comment - edited

              If I try to authenticate against Active Directory, the initial Bind works, but I cannot login with my Active Directory User Account.

              Wireshark says:

              TCP 74 41290 > ldap [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4032129 TSecr=0 WS=128
              TCP 74 ldap > 41290 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1380 WS=256 SACK_PERM=1 TSval=65279458 TSecr=4032129
              TCP 66 41290 > ldap [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=4032129 TSecr=65279458
              LDAP 153 bindRequest(4) "CN=2syslogldap,OU=Users,OU=Administration,DC=tiri,DC=local" simple
              LDAP 88 bindResponse(4) success
              TCP 66 41290 > ldap [ACK] Seq=88 Ack=23 Win=29312 Len=0 TSval=4032136 TSecr=65279458
              LDAP 147 searchRequest(5) "dc=tiri,dc=local" wholeSubtree
              LDAP 318 searchResRef(5)  | searchResRef(5)  | searchResRef(5)  | searchResDone(5) success
              LDAP 73 unbindRequest(6)
              TCP 66 41290 > ldap [FIN, ACK] Seq=176 Ack=275 Win=30336 Len=0 TSval=4032138 TSecr=65279458
              TCP 66 ldap > 41290 [ACK] Seq=275 Ack=177 Win=65536 Len=0 TSval=65279459 TSecr=4032138
              TCP 60 ldap > 41290 [RST, ACK] Seq=275 Ack=177 Win=0 Len=0
               TCP 74 41291 > ldap [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=4045235 TSecr=0 WS=128
               TCP 74 ldap > 41291 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1380 WS=256 SACK_PERM=1 TSval=65280768 TSecr=4045235
               TCP 66 41291 > ldap [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=4045236 TSecr=65280768
               LDAP 153 bindRequest(7) "CN=2syslogldap,OU=Users,OU=Administration,DC=tiri,DC=local" simple
               LDAP 88 bindResponse(7) success
               TCP 66 41291 > ldap [ACK] Seq=88 Ack=23 Win=29312 Len=0 TSval=4045242 TSecr=65280769
               LDAP 150 searchRequest(8) "dc=tiri,dc=local" wholeSubtree
               TCP 1434 [TCP segment of a reassembled PDU]
               LDAP 1186 searchResEntry(8) "CN=Baumann\,Thomas,OU=Users,DC=tiri,DC=local"
               TCP 66 41291 > ldap [ACK] Seq=172 Ack=2511 Win=35072 Len=0 TSval=4045244 TSecr=65280769
               LDAP 73 unbindRequest(9)
               TCP 66 41291 > ldap [FIN, ACK] Seq=179 Ack=2511 Win=35072 Len=0 TSval=4045250 TSecr=65280769
               TCP 66 ldap > 41291 [ACK] Seq=2511 Ack=180 Win=65536 Len=0 TSval=65280770 TSecr=4045250
               TCP 60 ldap > 41291 [RST, ACK] Seq=2511 Ack=180 Win=0 Len=0

              mike.jumper Michael Jumper added a comment -

              All, this is the bug/issue tracking system we use for development, not a forum, and this issue has been completed and closed. Please ask any questions in the forums:

              https://sourceforge.net/p/guacamole/discussion/

              If you believe you've found a bug, the proper place for that is in a new JIRA issue. Otherwise, if you're looking for assistance troubleshooting, the forums would be best.


                People

                 • Assignee: mike.jumper Michael Jumper
                 • Reporter: darkpila Andrea Ghirardini
                 • Votes: 6
                 • Watchers: 9


                    Time Tracking

                    Estimated: 4h
                    Remaining: 0.5h
                    Logged: 3.5h