Hello,
I developed a small patch for the guacamole-auth-ldap extension that allows you 
to specify in the guacamole.properties a new property: ldap-users-filter.

Basically if you apply the patch, you can add an LDAP condition that must be 
satisfied by the users to become guacamole users. So if you set it as something 
like this:
ldap-users-filter: memberOf=CN=Guacamole,OU=Service Gropus,OU=Domain,DC=my,DC=lan
only the users that belong to the specified group will be listed in the 
guacamole interface and will be allowed to access Guacamole.

At that time I tried to submit the patch to the developers but I wasn’t able to 
set up the whole environment needed to do that, so I gave up, hoping that my 
patch would be added by someone else sooner or later.

The patch is very simple and you can find it attached to this mail.
I applied it successfully to the latest incubating releases (0.9.11 and 
0.9.12), I hope it will be helpful.

Best Regards

—
MCM

Attachment: ldap-users-filter.patch
Description: ldap-users-filter.patch



On 7 Jun 2017, at 10:43, Andy Pattrick <andy.pattr...@horiba.com> wrote:

Hi,

Good idea, but unfortunately that's not it. I discovered that if I'm specifying an OU with spaces, escaping is not necessary i.e.

this works...

LDAP_USER_BASE_DN="OU=External Demo Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=com"

...but if a CN (security group) is specified it doesn't work, with or without escaped spaces.

Cheers Andy.

From: Der PCFreak [mailingli...@pcfreak.de]
Sent: 07 June 2017 06:23
To: user@guacamole.incubator.apache.org
Subject: Re: LDAP_USER_BASE_DN pointing to an AD Security Group

Hi Andy,


e.g.
LDAP_USER_BASE_DN="CN=GUACAMOLE\ Group,OU=Security\ Groups,OU=MyBusiness,DC=mycompany,DC=com"

Cheers

Peter

On 06.06.2017 15:58, Andy Pattrick wrote:
Hi,

I have LDAP authentication working using a BASE_DN pointing to an OU in my Active Directory. However I would like to point the BASE_DN at a security group so that I can simply add users to the group if I want to allow them to access Guacamole without moving them to a different OU.

When I try this I find it doesn't work. I suspect this is because CN's are not supported in LDAP_USER_BASE_DN. Can anyone confirm if they have managed to do this?

In summary:

This works -
LDAP_USER_BASE_DN="OU=MyUsers,OU=Users,OU=MyBusiness,DC=mycompany,DC=com"

This does not work -
LDAP_USER_BASE_DN="CN=GUACAMOLE Group,OU=Security Groups,OU=MyBusiness,DC=mycompany,DC=com"

Many thanks, Andy.
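
The difference between using a group as the search base and using a memberOf condition such as the ldap-users-filter value in the top message, shown as an added example that is not part of the thread, the attached patch or Guacamole's code. It models a standard LDAP subtree search over a constructed in-memory directory; the DNs, the sAMAccountName attribute and all function names are assumptions made for illustration.

```python
# Constructed sample directory (not from the thread): DN -> attributes.
USERS_OU = "OU=Users,OU=Corp,DC=example,DC=com"
GROUP_DN = "CN=Guacamole,OU=Security Groups,OU=Corp,DC=example,DC=com"
DIRECTORY = {
    USERS_OU: {"objectClass": ["organizationalUnit"]},
    "CN=Alice," + USERS_OU: {"objectClass": ["user"],
                             "sAMAccountName": ["alice"],
                             "memberOf": [GROUP_DN]},
    "CN=Bob," + USERS_OU: {"objectClass": ["user"],
                           "sAMAccountName": ["bob"],
                           "memberOf": []},
    # The group is a leaf entry: it references members, it does not contain them.
    GROUP_DN: {"objectClass": ["group"], "member": ["CN=Alice," + USERS_OU]},
}


def rdns(dn):
    """Split a DN into lower-cased RDNs (the sample DNs have no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or lies below it, as in a subtree-scope search."""
    entry, base = rdns(dn), rdns(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def matches(attrs, users_filter):
    """Evaluate one 'attr=value' equality filter; None means no extra condition."""
    if users_filter is None:
        return True
    attr, _, value = users_filter.partition("=")
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    return any(rdns(v) == rdns(value) for v in values)


def search_users(base_dn, users_filter=None):
    """Return account names of user entries under base_dn that pass the filter."""
    return sorted(attrs["sAMAccountName"][0]
                  for dn, attrs in DIRECTORY.items()
                  if in_subtree(dn, base_dn)
                  and "user" in attrs["objectClass"]
                  and matches(attrs, users_filter))


if __name__ == "__main__":
    print(search_users(USERS_OU))                           # OU as base
    print(search_users(GROUP_DN))                           # group as base
    print(search_users(USERS_OU, "memberOf=" + GROUP_DN))   # OU base + filter
```

In Active Directory, memberOf lists direct memberships only, so a user who belongs to the group through a nested group would not match this equality filter.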


