Authenticate ldap for different OU in AD Neth nethserver

Hi everyone, I use an Ubuntu server with Guacamole. I installed the LDAP module to authenticate users on NethServer 7 and everything works!
But I am not able to authenticate users who are in additional OUs, e.g. OU=employees, OU=guests, etc.
If I join Windows or Linux machines, login works for the whole AD tree including the OUs. Unfortunately, on the Guacamole server I am limited only to the Users OU.
The bind DN configuration in Guacamole is this:
ldap-user-base-dn: CN=Users,DC=ad,DC=internal2,DC=lan
ldap-search-bind-dn: CN=admin,CN=Users,DC=ad,DC=internal2,DC=lan
ldap-search-bind-password: pwd

How do I add the other OUs?

Did you try without Users like

DC=ad,DC=internal2,DC=lan ?

I think it’s also possible to set more OUs with ldap-user-search-filter but I didn’t test…


I tried as you told me and restarted guacd, without a systemctl daemon-reload. You see all the groups and users alike, but for those belonging to the other OUs, nothing doing…

Check if any of these examples help:

You can still choose who should have access and who shouldn’t by using an ldap filter via the guacamole.properties file with something like:

ldap-user-search-filter:(memberOf=CN=GuacUsers,OU=Security Groups,OU=SomeOtherContainer,DC=companydomain,DC=local)

That’s effectively limiting login to only members of that group by only searching against that group’s membership.



Thanks for your directions, I’ll try to see if I can get user queries to work in other OUs.

If you keep your LDAP search one level up, then ldapsearch should find any other OUs, right? (More or less what @mrmarkuz suggested.)


The Windows and Linux client stations joined to the NethServer AD log in with usernames from different OUs without any problem. On the Ubuntu server only the users of the server work; the OUs are ignored.
I don’t understand why the entire tree, including the additional OUs, is not processed. I also noticed that my pfSense has the same problem regarding the other OUs.
Here is the basic cfg:
[screenshot: base]
If, as Markuz suggested, I can actually see and select all OUs:
[screenshot: base2]
However, if I select the whole context of the OU, the authentications don’t work!!!

Hi Markuz, I have tried the user base DN with only the domain (ad.internal2.lan). I had to leave the rest for the binding. Users of other OUs are now authenticated.

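To show why the fix above works, and how the memberOf search filter from the earlier reply fits in, here is an added illustration (not Guacamole’s or NethServer’s code): a small in-memory model of how ldap-user-base-dn (subtree scope) and ldap-user-search-filter (group membership) together decide which AD accounts can log in. The directory entries, the OU names and the GuacUsers group DN are constructed sample data for ad.internal2.lan.

```python
# Added illustration, not Guacamole's code: models the effect of the
# ldap-user-base-dn scope and a memberOf= search filter on which accounts
# of a constructed ad.internal2.lan directory can authenticate.

def normalize_dn(dn):
    """Split a DN into lower-cased RDNs, ignoring spaces around '=' and ','."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return parts

def in_subtree(entry_dn, base_dn):
    """True if entry_dn is at or below base_dn (LDAP subtree search scope)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

ROOT = "DC=ad,DC=internal2,DC=lan"
GUAC_GROUP = "CN=GuacUsers,OU=Groups," + ROOT   # constructed group DN

DIRECTORY = [  # constructed sample entries
    {"dn": "CN=admin,CN=Users," + ROOT, "sAMAccountName": "admin",
     "memberOf": [GUAC_GROUP]},
    {"dn": "CN=alice,OU=employees," + ROOT, "sAMAccountName": "alice",
     "memberOf": [GUAC_GROUP]},
    {"dn": "CN=bob,OU=guests," + ROOT, "sAMAccountName": "bob",
     "memberOf": []},
]

def login_candidates(directory, user_base_dn, required_group_dn=None):
    """Accounts the LDAP module could match: inside the base DN and, when a
    group DN is given (the memberOf= search filter), a member of that group."""
    names = []
    for entry in directory:
        if not in_subtree(entry["dn"], user_base_dn):
            continue  # outside ldap-user-base-dn: never found, cannot log in
        if required_group_dn and not any(
                normalize_dn(g) == normalize_dn(required_group_dn)
                for g in entry["memberOf"]):
            continue  # found, but filtered out by memberOf=
        names.append(entry["sAMAccountName"])
    return names

if __name__ == "__main__":
    print(login_candidates(DIRECTORY, "CN=Users," + ROOT))  # only admin
    print(login_candidates(DIRECTORY, ROOT))                # whole tree
    print(login_candidates(DIRECTORY, ROOT, GUAC_GROUP))    # tree, group-limited
```

Widening the base DN to the domain root is what makes the OU users visible; the memberOf= filter is what keeps the wider scope from admitting every account in the tree.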