How should LDAP be setup?

[dinger1986]

LDAP – I’m not sure what’s needed here. I don’t have the option to set a bind DN/password, and regardless of what base DN I set I get the following error: LDAP operation result: rc=49 (invalidCredentials), dn: "", text: "80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563" I’ve tried several versions with DNs for groups, DNs for various user-containing OU, and just using the root DN but it’s all the same. Is there any way I could get some assistance or further information on this? Additionally, are there plans to implement (if it’s not already?) a more fleshed out filtering option? We generally utilize security group filtering for our LDAP-Enabled services to i.e., only allow users added to the “RustDesk Users” group to authenticate, and “RustDesk Admins” to administer?

[rustdesk]

Will add bind DN / password fields on LDAP settings page in next version.

[rustdesk]

a more fleshed out filtering option? We generally utilize security group filtering for our LDAP-Enabled services to i.e., only allow users added to the “RustDesk Users” group to authenticate, and “RustDesk Admins” to administer?

We need to collect more feedback from the other users before taking actions.

[dinger1986]

Will add bind DN / password fields on LDAP settings page in next version.

Great, I am happy to test this with active directory later today if theres some rough guides

[rustdesk]

I tested with LDAP server on Linux, I do not know how to use it with Active Directory, though it should work, because AD is also LDAP.

[dinger1986]

ok, do you have a rough guide for linux ldap? I can figure out AD hopefully :)

[rustdesk]

No guide, it is the most basic LDAP knowledge. I do not know what I can write for the guide.

[dinger1986]

this is how freenas does it for Linux LDAP:

This is how its done for Active Directory:

Both needs passwords, this is simple to setup

[rustdesk]

[rustdesk]

[dinger1986]

yeah I know that :) but yeah it needs a password

[dinger1986]

thats all freenas is doing but calling it Active directory, LDAP after all is LDAP

[rustdesk]

Frankly, I have very limited knowledge on LDAP, the only my previous experience is to log in to company's computer with AD account.

[dinger1986]

I am happy to help as always

[rustdesk]

Please test AD, and write a guide for AD user.

[dinger1986]

so I have setup on a customers site which has AD, I have configured the cn, ou and dc as it should be, this command dsquery user -name test1 gets the correct details and I get this

[dinger1986]

I have tested and it definitely checks the dns name and port but the cn, ou and dc can literally be anything and it doesnt verify, nothing in event logs on the AD server either

[DMSnz]

I would expect most if not all LDAP servers to demand authentication by default, this would then certainly need a password provided, else you are making an unauthenticated / anonymous call to LDAP which is not secure and therefore reasoning most of the time disabled. We run Samba emulating AD and it demands a user and pass, I can not see how to provide that in the web console LDAP set up

Also search filters could be beneficial if using LDAP, to filter by Users only, ignoring Groups or other use cases.

[todaysoftware]

Are you able to confirm that the LDAP connection is encrypted (using the STARTTLS extension)?

[rustdesk]

STARTTLS added in 1.1.9