[Samba] Setup LDAPS or other solution for ldap

Andrew Bartlett abartlet at samba.org
Thu May 11 09:33:07 UTC 2023


On Thu, 2023-05-11 at 10:51 +0200, matti.kaupenjohann via samba wrote:
> > The problem is, the OP doesn't want to join the domain with all
> > their computers. Now you and I know that, to get the best results, it is
> > better to join a domain, somehow we have to convince people of this.
> 
> I am convinced but do not understand everything yet :)
> 
> If I understand this correctly, I join the domain with all our client
> access machines and our servers. I limit the direct authentication to
> our servers via group policies. Now I have, as an example, a guacamole
> instance running on one of our servers. Only the domain-administrator
> and the server-auth-group has login access. For the guacamole service
> I want my users to connect to guacamole via ldap (or in this case
> via ldaps?). For my test scenario I would use my self-signed
> certificates, but later in a real scenario we have access to real ones.
> So with this example it sounds like the easiest and best approach is
> with kinit and not ldaps. Am I right?

As long as you supply and check your TLS certificates, the standard
guides for AD LDAP look good to me:

This one is using plaintext:
https://stackoverflow.com/questions/56136686/how-to-authenticate-to-apache-guacamole-using-active-directory-authentication-by

This one is using SSL:
https://www.mogilowski.net/2020/05/06/setup-ldap-ad-authentication-for-guacamole-1-1-0-part-3/

I wish you all the best and am sorry if there has been any confusion.
The guacamole web application should probably just bind to AD via
LDAPS and simple binds.

Any end servers that this provides access to should probably be domain
joined (Samba or sssd) for the best experience, as this will be able to
use Kerberos and maintain the machine account etc. for you.  Otherwise
you get into a pickle as, just as guacamole needs that 'search
account', every other server needs one too, and you may as well just be
standard and use a machine account for those.

Andrew Bartlett
-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
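As an added illustration of the two settings Andrew contrasts above (a plaintext LDAP simple bind versus an LDAPS bind whose server certificate is actually checked), here is a guacamole.properties fragment for the Guacamole LDAP extension. This is not from Andrew's message or the Guacamole project's documentation; the property names are the extension's real ones, but the hostname dc1.example.internal, the base DN and the search-account DN are assumed placeholders, and the trust-store step in the comments assumes a stock Java/Tomcat deployment.

```properties
# --- Weak setting: plaintext LDAP on 389 ---------------------------------
# The search account's password and every user's password sent in the
# simple bind cross the network unencrypted, so anyone able to capture
# traffic between the Guacamole host and the DC can read them.
#ldap-hostname: dc1.example.internal      # assumed hostname
#ldap-port: 389
#ldap-encryption-method: none

# --- Corrected setting: LDAPS with certificate verification --------------
ldap-hostname: dc1.example.internal        # assumed hostname; must match a
                                           # name in the DC's certificate
ldap-port: 636
ldap-encryption-method: ssl                # LDAPS; "starttls" on 389 is the
                                           # other encrypted option

# Guacamole runs in a JVM, so the CA that issued the DC's certificate
# must be in the JVM trust store, or the TLS handshake is rejected
# (which is the behaviour you want: never work around it by trusting
# everything). Assumed import step, run once on the Guacamole host:
#   keytool -importcert -alias ad-ca -file ad-root-ca.pem \
#       -keystore "$JAVA_HOME/lib/security/cacerts"
# For the self-signed test setup, ad-root-ca.pem is the self-signed
# DC certificate itself; in production it is the real issuing CA.

# Where users live and how the login name maps to an AD attribute.
ldap-user-base-dn: OU=Users,DC=example,DC=internal   # assumed base DN
ldap-username-attribute: sAMAccountName

# The dedicated, low-privilege 'search account' Andrew mentions: it only
# needs read access to look up the user's DN before the user's own
# simple bind is attempted. Keep this file readable by the Tomcat user only.
ldap-search-bind-dn: CN=svc-guacamole,OU=ServiceAccounts,DC=example,DC=internal
ldap-search-bind-password: CHANGE-ME-placeholder     # assumed placeholder
```

The point of the trust-store comment is the "check your TLS certificates" half of the advice: encrypting to a server whose certificate is not verified still lets an active attacker on the path impersonate the DC and collect the same passwords, so a verification failure during testing is a prompt to install the right CA, not to disable checking.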