Details
Bug
Status: Closed
Major
Resolution: Invalid
1.2.0, 1.3.0
None
HW: Raspberry PI 3B
OS: Raspberry Pi OS Lite (buster 5.4.72-v7+) up to date
SW: Guacamole server, client, ldap extension 1.2.0 (tested also 1.3.0 from github with same result), JVM 1.8.0_65-b17, Servlet Apache Tomcat/9.0.31 (Debian)
Description
When using LDAP authentication against Microsoft Active Directory, the default attribute for username is "sAMAccountName", which needs to be set with the ldap-username-attribute property in guacamole.properties. Even if it's explicitly set, the LDAP search request still uses the "uid" attribute instead, which is not set in Active Directory by default, and the search response ends with an empty result. When "uid" is manually set in AD, the user is properly authenticated. Please fix this weird behavior. Thank you.
```
#### /etc/guacamole/guacamole.properties
enable-environment-properties: true
guacd-hostname: localhost
guacd-port: 4822
guacd-ssl: true
# AD
ldap-hostname: winserv2019.rsdome.com
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: CN=Users,DC=rsdome,DC=com
ldap-username-atribute: sAMAccountName
ldap-search-bind-dn: CN=adtest,CN=Local,CN=Users,DC=rsdome,DC=com
ldap-search-bind-password: Test123
ldap-user-search-filter: (&(objectClass=user)(memberOf=CN=GuacamoleUsers,CN=Local,CN=Users,DC=rsdome,DC=com))
```
See end of the filter line in SearchRequest...
```
#### part of catalina.out
[2020-11-19 20:03:34] [info] 20:03:34.602 [http-nio-8001-exec-6] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04104_SENDING_REQUEST (MessageType : SEARCH_REQUEST
[2020-11-19 20:03:34] [info] Message ID : 2
[2020-11-19 20:03:34] [info] SearchRequest
[2020-11-19 20:03:34] [info] baseDn : 'CN=Users,DC=rsdome,DC=com'
[2020-11-19 20:03:34] [info] filter : '(&(&(objectClass=user)(memberOf=CN=GuacamoleUsers,CN=Local,CN=Users,DC=rsdome,DC=com))(|(uid=mspkt)))'
[2020-11-19 20:03:34] [info] scope : whole subtree
[2020-11-19 20:03:34] [info] typesOnly : false
[2020-11-19 20:03:34] [info] Size Limit : 1000
[2020-11-19 20:03:34] [info] Time Limit : 30
[2020-11-19 20:03:34] [info] Deref Aliases : never Deref Aliases
[2020-11-19 20:03:34] [info] attributes :
. . .
[2020-11-19 20:03:34] [info] 20:03:34.659 [NioProcessor-5] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04131_SEARCH_SUCCESSFUL (MessageType : SEARCH_RESULT_DONE
[2020-11-19 20:03:34] [info] Message ID : 2
[2020-11-19 20:03:34] [info] Search Result Done
[2020-11-19 20:03:34] [info] Ldap Result
[2020-11-19 20:03:34] [info] Result code : (SUCCESS) success
[2020-11-19 20:03:34] [info] Matched Dn : '' #<<< EMPTY RESULT
[2020-11-19 20:03:34] [info] Diagnostic message : ''
[2020-11-19 20:03:34] [info] )
. . .
[2020-11-19 20:03:34] [info] 20:03:34.663 [http-nio-8001-exec-6] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.5.2.3 for user "mspkt" failed.
```
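The key in the posted file is spelled `ldap-username-atribute`, while the description names `ldap-username-attribute`; a key the extension never reads leaves the default `uid` in effect, which is what the logged filter shows. The following lint for that failure mode is an added example, not part of the original report or of Guacamole: `KNOWN_KEYS` holds only the property names seen on this page, the sample file is constructed from the report with the password replaced, and treating an absent `ldap-encryption-method` as `none` is an assumption about the default.

```python
import difflib

# Property names seen on this page: a subset of what Guacamole reads, not the
# full list. Extend it for the extensions you deploy.
KNOWN_KEYS = sorted({
    "enable-environment-properties", "guacd-hostname", "guacd-port", "guacd-ssl",
    "ldap-hostname", "ldap-port", "ldap-encryption-method", "ldap-user-base-dn",
    "ldap-username-attribute", "ldap-search-bind-dn",
    "ldap-search-bind-password", "ldap-user-search-filter",
})

# Constructed sample: the file from the report, abbreviated, password replaced.
SAMPLE = """\
guacd-hostname: localhost
# AD
ldap-hostname: winserv2019.rsdome.com
ldap-encryption-method: none
ldap-username-atribute: sAMAccountName
ldap-search-bind-dn: CN=adtest,CN=Local,CN=Users,DC=rsdome,DC=com
ldap-search-bind-password: <placeholder>
"""

def parse_properties(text):
    """Return {key: value}, splitting each line at its first ':' or '='."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#!":
            continue  # blank line or comment
        cuts = [i for i in (line.find(":"), line.find("=")) if i != -1]
        if cuts:
            props[line[:min(cuts)].strip()] = line[min(cuts) + 1:].strip()
    return props

def lint(text):
    """Return (finding, key, detail) tuples for a guacamole.properties text."""
    props, findings = parse_properties(text), []
    for key in props:
        if key not in KNOWN_KEYS:
            near = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.8)
            findings.append(("unknown-key", key, near[0] if near else None))
    if "ldap-username-attribute" not in props:
        # Nothing overrides the default, so user searches filter on uid.
        findings.append(("default-in-effect", "ldap-username-attribute", "uid"))
    if props.get("ldap-encryption-method", "none") == "none" \
            and "ldap-search-bind-password" in props:
        # Search bind credentials cross the network unencrypted.
        findings.append(("cleartext-bind", "ldap-encryption-method", "none"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding)
```

Run against the sample, it reports the misspelled key with its nearest known name, the `uid` default still in effect, and the search bind password sent with `ldap-encryption-method: none`.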