rustdesk / rustdesk-server-pro

Some scripts for RustDesk Server Pro are hosted here.

How should LDAP be setup? #24

Closed dinger1986 closed 1 year ago

dinger1986 commented 1 year ago

LDAP – I’m not sure what’s needed here. I don’t have the option to set a bind DN/password, and regardless of what base DN I set I get the following error:

LDAP operation result: rc=49 (invalidCredentials), dn: "", text: "80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563"

I’ve tried several versions with DNs for groups, DNs for various user-containing OU, and just using the root DN but it’s all the same. Is there any way I could get some assistance or further information on this?

Additionally, are there plans to implement (if it’s not already?) a more fleshed out filtering option? We generally utilize security group filtering for our LDAP-Enabled services to i.e., only allow users added to the “RustDesk Users” group to authenticate, and “RustDesk Admins” to administer?
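The error string quoted in the post above can be decoded mechanically; the following is an added example, not part of the original thread or of RustDesk's code. The function name `decode_ldap_error` is hypothetical, and the sub-code table lists the commonly documented Active Directory values for the `data NNN` field (not exhaustive).

```python
import re

# Active Directory sub-codes carried in the "data NNN" field of a failed
# bind (hex Win32 error codes). Commonly documented values, not exhaustive.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (unknown user name or bad password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_RESULT_RE = re.compile(
    r'rc=(?P<rc>\d+)\s*\((?P<name>\w+)\),\s*dn:\s*"(?P<dn>[^"]*)"')
_AD_RE = re.compile(r'AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)')


def decode_ldap_error(message):
    """Parse an LDAP result string; return a dict, or None if no rc is found."""
    m = _RESULT_RE.search(message)
    if not m:
        return None
    info = {"rc": int(m["rc"]), "name": m["name"], "matched_dn": m["dn"],
            "ad_data": None, "ad_meaning": None}
    ad = _AD_RE.search(message)
    if ad:
        code = ad["data"].lower()
        info["ad_data"] = code
        info["ad_meaning"] = AD_BIND_SUBCODES.get(code, "unknown sub-code")
    return info


# The error string quoted in the post above.
SAMPLE = ('LDAP operation result: rc=49 (invalidCredentials), dn: "", text: '
          '"80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext '
          'error, data 52e, v4563"')

if __name__ == "__main__":
    print(decode_ldap_error(SAMPLE))
```

Result code 49 with sub-code 52e means the directory rejected the credentials presented in the bind, which matches the thread's observation that the settings page offered no bind DN or password field.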

rustdesk commented 1 year ago

Will add bind DN / password fields on LDAP settings page in next version.

rustdesk commented 1 year ago

> a more fleshed out filtering option? We generally utilize security group filtering for our LDAP-Enabled services to i.e., only allow users added to the “RustDesk Users” group to authenticate, and “RustDesk Admins” to administer?

We need to collect more feedback from the other users before taking actions.

dinger1986 commented 1 year ago

> Will add bind DN / password fields on LDAP settings page in next version.

Great, I am happy to test this with Active Directory later today if there are some rough guides.

rustdesk commented 1 year ago

I tested with LDAP server on Linux, I do not know how to use it with Active Directory, though it should work, because AD is also LDAP.

dinger1986 commented 1 year ago

OK, do you have a rough guide for Linux LDAP? I can figure out AD hopefully :)

rustdesk commented 1 year ago

No guide, it is the most basic LDAP knowledge. I do not know what I can write for the guide.

dinger1986 commented 1 year ago

This is how FreeNAS does it for Linux LDAP: [image]

This is how it's done for Active Directory: [image]

Both need passwords; this is simple to set up.

rustdesk commented 1 year ago

[image]

rustdesk commented 1 year ago

[image]

dinger1986 commented 1 year ago

yeah I know that :) but yeah it needs a password

dinger1986 commented 1 year ago

That's all FreeNAS is doing but calling it Active Directory; LDAP after all is LDAP.

rustdesk commented 1 year ago

Frankly, I have very limited knowledge of LDAP; my only previous experience is logging in to a company's computer with an AD account.

dinger1986 commented 1 year ago

I am happy to help as always

rustdesk commented 1 year ago

Please test AD, and write a guide for AD users.

dinger1986 commented 1 year ago

So I have set up on a customer's site which has AD. I have configured the cn, ou and dc as they should be; this command, dsquery user -name test1, gets the correct details, and I get this:

[image]

dinger1986 commented 1 year ago

I have tested and it definitely checks the DNS name and port, but the cn, ou and dc can literally be anything and it doesn't verify; nothing in the event logs on the AD server either.

DMSnz commented 1 year ago

I would expect most if not all LDAP servers to demand authentication by default. This would then certainly need a password provided, else you are making an unauthenticated / anonymous call to LDAP, which is not secure and is therefore, reasonably, disabled most of the time. We run Samba emulating AD and it demands a user and pass; I cannot see how to provide that in the web console LDAP setup.

Also search filters could be beneficial if using LDAP, to filter by Users only, ignoring Groups or other use cases.

todaysoftware commented 1 year ago

Are you able to confirm that the LDAP connection is encrypted (using the STARTTLS extension)?

rustdesk commented 1 year ago

STARTTLS added in 1.1.9