Posted to user@guacamole.apache.org by Justin Engwer <ju...@mautobu.com> on 2021/08/24 16:04:45 UTC

LDAP issue

 I reckon that LDAP broke some time ago, and some of my users aren't
showing up.  I've already popped my credentials and filter terms into an
LDAP browser, which successfully connects and pulls user data.

   - How should I go about troubleshooting?
   - Does my LDAP user need to be in any specific domain groups?
   - How frequently does Guacamole poll for new/updated users?

-- 

*Justin Engwer*

Re: LDAP issue

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Aug 24, 2021 at 1:13 PM Justin Engwer <ju...@mautobu.com> wrote:

> This has been resolved. I had thought the user I was logging in with was
> attached to AD, but apparently it was not. Thanks for your assistance!
>
>
Thanks for posting back with the solution!

-Nick


Re: LDAP issue

Posted by Justin Engwer <ju...@mautobu.com>.
This has been resolved. I had thought the user I was logging in with was
attached to AD, but apparently it was not. Thanks for your assistance!

On Tue, Aug 24, 2021 at 9:48 AM Justin Engwer <ju...@mautobu.com> wrote:

> This is good information, I'll give it a shot. Thank you.
>
> On Tue, Aug 24, 2021 at 9:44 AM Nils Krabshuis <nk...@gmail.com>
> wrote:
>
>> A bit off-track maybe, but in part relevant -- what I am actually
>> experiencing is:
>>
>> - Login as an LDAP user.
>> - Logout as that LDAP user.
>> - Login as a non-LDAP Admin user.
>> - Set a (local) password on the aforementioned LDAP user.
>> - Login again as the LDAP user.
>>
>> The "users" and "groups" tabs will now be populated with all users that
>> match the LDAP search query (provisioned). I can reproduce this (see my
>> earlier post where I actually asked about why my users weren't being
>> provisioned on a fresh installation).
>>
>> FWIW, I think LDAP provisioning should work - otherwise it's impossible
>> to assign connections to groups/users coming from LDAP (easily).
>>
>>
>>
>>
>> On Tue, Aug 24, 2021 at 6:13 PM Nick Couchman <vn...@apache.org> wrote:
>>
>>> On Tue, Aug 24, 2021 at 12:05 PM Justin Engwer <ju...@mautobu.com>
>>> wrote:
>>>
>>>> I reckon that LDAP broke some time ago, and some of my users aren't
>>>> showing up.  I've already popped my credentials and filter terms into an
>>>> LDAP browser, which successfully connects and pulls user data.
>>>>
>>>
>>> When you say "my users aren't showing up", what do you mean? Are users
>>> unable to log in? Or you simply cannot see them in the admin interface? How
>>> many users do you have in your environment? Are you logging in with an LDAP
>>> account when you try to see them? Can you post your guacamole.properties,
>>> minus any sensitive information?
>>>
>>>
>>>>
>>>>    - How should I go about troubleshooting?
>>>>
>>> Log files, for one - the Tomcat output (either catalina.out, or
>>> journalctl, depending on how you installed it and how Tomcat is
>>> configured), or Docker output if you're using Docker, should help. You may
>>> need to turn up logging on Guacamole via the logback.xml file:
>>>
>>>
>>> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
>>>
>>>
>>>
>>>>
>>>>    - Does my LDAP user need to be in any specific domain groups?
>>>>
>>> This depends upon your LDAP configuration, and what that user is
>>> allowed to do. However, if you have copied the credentials into an LDAP
>>> browser and can see all of the objects you expect to see, this is probably
>>> not the case.
>>>
>>>
>>>>
>>>>    - How frequently does Guacamole poll for new/updated users?
>>>>
>>> Guacamole does not "synchronize" LDAP user data. The LDAP tree is
>>> queried each time a user logs in for the information required for that user
>>> login. Essentially the flow looks something like this:
>>> * User logs in, providing username and password.
>>> * Guacamole uses the Search Bind DN and Password as configured in
>>> guacamole.properties to locate the user object in LDAP.
>>> * Guacamole disconnects from LDAP, then re-binds with the user object it
>>> has located and the provided password.
>>> * Guacamole uses this connection to search for users, groups, and
>>> connection objects, depending on which items you've configured in
>>> guacamole.properties
>>>
>>> This is slightly different from how many web applications implement LDAP
>>> authentication, where user data is synchronized into a database somewhere,
>>> and then the LDAP connection is only made for authentication. Guacamole
>>> relies on the LDAP connection and the security of LDAP itself for its
>>> functionality.
>>>
>>> Hope this helps - feel free to respond with further questions or
>>> information.
>>>
>>> -Nick
>>>
>
> --
>
> *Justin Engwer*
> Mautobu Business Services
> 250-415-3709
>


-- 

*Justin Engwer*
Mautobu Business Services
250-415-3709

Re: LDAP issue

Posted by Justin Engwer <ju...@mautobu.com>.
This is good information, I'll give it a shot. Thank you.

On Tue, Aug 24, 2021 at 9:44 AM Nils Krabshuis <nk...@gmail.com> wrote:

> A bit off-track maybe, but in part relevant -- what I am actually
> experiencing is:
>
> - Login as an LDAP user.
> - Logout as that LDAP user.
> - Login as a non-LDAP Admin user.
> - Set a (local) password on the aforementioned LDAP user.
> - Login again as the LDAP user.
>
> The "users" and "groups" tabs will now be populated with all users that
> match the LDAP search query (provisioned). I can reproduce this (see my
> earlier post where I actually asked about why my users weren't being
> provisioned on a fresh installation).
>
> FWIW, I think LDAP provisioning should work - otherwise it's impossible to
> assign connections to groups/users coming from LDAP (easily).
>
>
>
>
> On Tue, Aug 24, 2021 at 6:13 PM Nick Couchman <vn...@apache.org> wrote:
>
>> On Tue, Aug 24, 2021 at 12:05 PM Justin Engwer <ju...@mautobu.com>
>> wrote:
>>
>>> I reckon that LDAP broke some time ago, and some of my users aren't
>>> showing up.  I've already popped my credentials and filter terms into an
>>> LDAP browser, which successfully connects and pulls user data.
>>>
>>
>> When you say "my users aren't showing up", what do you mean? Are users
>> unable to log in? Or you simply cannot see them in the admin interface? How
>> many users do you have in your environment? Are you logging in with an LDAP
>> account when you try to see them? Can you post your guacamole.properties,
>> minus any sensitive information?
>>
>>
>>>
>>>    - How should I go about troubleshooting?
>>>
>> Log files, for one - the Tomcat output (either catalina.out, or
>> journalctl, depending on how you installed it and how Tomcat is
>> configured), or Docker output if you're using Docker, should help. You may
>> need to turn up logging on Guacamole via the logback.xml file:
>>
>>
>> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
>>
>>
>>
>>>
>>>    - Does my LDAP user need to be in any specific domain groups?
>>>
>> This depends upon your LDAP configuration, and what that user is allowed
>> to do. However, if you have copied the credentials into an LDAP browser and
>> can see all of the objects you expect to see, this is probably not the case.
>>
>>
>>>
>>>    - How frequently does Guacamole poll for new/updated users?
>>>
>> Guacamole does not "synchronize" LDAP user data. The LDAP tree is
>> queried each time a user logs in for the information required for that user
>> login. Essentially the flow looks something like this:
>> * User logs in, providing username and password.
>> * Guacamole uses the Search Bind DN and Password as configured in
>> guacamole.properties to locate the user object in LDAP.
>> * Guacamole disconnects from LDAP, then re-binds with the user object it
>> has located and the provided password.
>> * Guacamole uses this connection to search for users, groups, and
>> connection objects, depending on which items you've configured in
>> guacamole.properties
>>
>> This is slightly different from how many web applications implement LDAP
>> authentication, where user data is synchronized into a database somewhere,
>> and then the LDAP connection is only made for authentication. Guacamole
>> relies on the LDAP connection and the security of LDAP itself for its
>> functionality.
>>
>> Hope this helps - feel free to respond with further questions or
>> information.
>>
>> -Nick
>>

-- 

*Justin Engwer*
Mautobu Business Services
250-415-3709

Re: LDAP issue

Posted by Nils Krabshuis <nk...@gmail.com>.
A bit off-track maybe, but in part relevant -- what I am actually
experiencing is:

- Login as an LDAP user.
- Logout as that LDAP user.
- Login as a non-LDAP Admin user.
- Set a (local) password on the aforementioned LDAP user.
- Login again as the LDAP user.

The "users" and "groups" tabs will now be populated with all users that
match the LDAP search query (provisioned). I can reproduce this (see my
earlier post where I actually asked about why my users weren't being
provisioned on a fresh installation).

FWIW, I think LDAP provisioning should work - otherwise it's impossible to
assign connections to groups/users coming from LDAP (easily).




On Tue, Aug 24, 2021 at 6:13 PM Nick Couchman <vn...@apache.org> wrote:

> On Tue, Aug 24, 2021 at 12:05 PM Justin Engwer <ju...@mautobu.com> wrote:
>
>> I reckon that LDAP broke some time ago, and some of my users aren't
>> showing up.  I've already popped my credentials and filter terms into an
>> LDAP browser, which successfully connects and pulls user data.
>>
>
> When you say "my users aren't showing up", what do you mean? Are users
> unable to log in? Or you simply cannot see them in the admin interface? How
> many users do you have in your environment? Are you logging in with an LDAP
> account when you try to see them? Can you post your guacamole.properties,
> minus any sensitive information?
>
>
>>
>>    - How should I go about troubleshooting?
>>
> Log files, for one - the Tomcat output (either catalina.out, or
> journalctl, depending on how you installed it and how Tomcat is
> configured), or Docker output if you're using Docker, should help. You may
> need to turn up logging on Guacamole via the logback.xml file:
>
>
> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
>
>
>
>>
>>    - Does my LDAP user need to be in any specific domain groups?
>>
> This depends upon your LDAP configuration, and what that user is allowed
> to do. However, if you have copied the credentials into an LDAP browser and
> can see all of the objects you expect to see, this is probably not the case.
>
>
>>
>>    - How frequently does Guacamole poll for new/updated users?
>>
> Guacamole does not "synchronize" LDAP user data. The LDAP tree is queried
> each time a user logs in for the information required for that user login.
> Essentially the flow looks something like this:
> * User logs in, providing username and password.
> * Guacamole uses the Search Bind DN and Password as configured in
> guacamole.properties to locate the user object in LDAP.
> * Guacamole disconnects from LDAP, then re-binds with the user object it
> has located and the provided password.
> * Guacamole uses this connection to search for users, groups, and
> connection objects, depending on which items you've configured in
> guacamole.properties
>
> This is slightly different from how many web applications implement LDAP
> authentication, where user data is synchronized into a database somewhere,
> and then the LDAP connection is only made for authentication. Guacamole
> relies on the LDAP connection and the security of LDAP itself for its
> functionality.
>
> Hope this helps - feel free to respond with further questions or
> information.
>
> -Nick
>

Re: LDAP issue

Posted by Justin Engwer <ju...@mautobu.com>.
Thanks for the reply, Nick.

By some users aren't showing up, I mean they are not being imported to the
Users tab in Guacamole. For example, I went to assign a connection to a new
user this morning, but her user account didn't appear in Guacamole. She is
in an OU nested under the "ldap-user-base-dn" in AD, and is assigned to one
of the groups that is supposed to be imported (Finance). I am logging in
with an LDAP account. We have about 60 staff.

cat guacamole.properties
enable-websocket: true

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: password


ldap-hostname: fqdn.site
ldap-port: 389
ldap-user-base-dn: OU=Staff,DC=site
ldap-search-bind-dn: CN=guacamoleldap,OU=Service Accounts,DC=site
ldap-search-bind-password: password
ldap-username-attribute: sAMAccountName
ldap-user-search-filter: (|(memberof=CN=Administration,OU=Groups,OU=Administration,OU=Staff,DC=site)(memberof=CN=Building,OU=Groups,OU=Building,OU=Staff,DC=site)(memberof=CN=Engineering,OU=Groups,OU=Engineering,OU=Staff,DC=site)(memberof=CN=Finance,OU=Groups,OU=Finance,OU=Staff,DC=site)(memberof=CN=Fire Department,OU=Groups,OU=Fire,OU=Staff,DC=site)(memberof=CN=Public Works,OU=Groups,OU=Public Works,OU=Staff,DC=site)(memberof=CN=IT Department,OU=Groups,OU=IT,OU=Staff,DC=site)(memberof=CN=GIS Department,OU=Groups,OU=GIS,OU=Staff,DC=site))

I've now increased the logging verbosity, though I'm going to wait to
restart tomcat as there are users actively working from home right now.



On Tue, Aug 24, 2021 at 9:13 AM Nick Couchman <vn...@apache.org> wrote:

> On Tue, Aug 24, 2021 at 12:05 PM Justin Engwer <ju...@mautobu.com> wrote:
>
>> I reckon that LDAP broke some time ago, and some of my users aren't
>> showing up.  I've already popped my credentials and filter terms into an
>> LDAP browser, which successfully connects and pulls user data.
>>
>
> When you say "my users aren't showing up", what do you mean? Are users
> unable to log in? Or you simply cannot see them in the admin interface? How
> many users do you have in your environment? Are you logging in with an LDAP
> account when you try to see them? Can you post your guacamole.properties,
> minus any sensitive information?
>
>
>>
>>    - How should I go about troubleshooting?
>>
> Log files, for one - the Tomcat output (either catalina.out, or
> journalctl, depending on how you installed it and how Tomcat is
> configured), or Docker output if you're using Docker, should help. You may
> need to turn up logging on Guacamole via the logback.xml file:
>
>
> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
>
>
>
>>
>>    - Does my LDAP user need to be in any specific domain groups?
>>
> This depends upon your LDAP configuration, and what that user is allowed
> to do. However, if you have copied the credentials into an LDAP browser and
> can see all of the objects you expect to see, this is probably not the case.
>
>
>>
>>    - How frequently does Guacamole poll for new/updated users?
>>
> Guacamole does not "synchronize" LDAP user data. The LDAP tree is queried
> each time a user logs in for the information required for that user login.
> Essentially the flow looks something like this:
> * User logs in, providing username and password.
> * Guacamole uses the Search Bind DN and Password as configured in
> guacamole.properties to locate the user object in LDAP.
> * Guacamole disconnects from LDAP, then re-binds with the user object it
> has located and the provided password.
> * Guacamole uses this connection to search for users, groups, and
> connection objects, depending on which items you've configured in
> guacamole.properties
>
> This is slightly different from how many web applications implement LDAP
> authentication, where user data is synchronized into a database somewhere,
> and then the LDAP connection is only made for authentication. Guacamole
> relies on the LDAP connection and the security of LDAP itself for its
> functionality.
>
> Hope this helps - feel free to respond with further questions or
> information.
>
> -Nick
>

-- 

*Justin Engwer*
Mautobu Business Services
250-415-3709

Re: LDAP issue

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Aug 24, 2021 at 12:05 PM Justin Engwer <ju...@mautobu.com> wrote:

> I reckon that LDAP broke some time ago, and some of my users aren't
> showing up.  I've already popped my credentials and filter terms into an
> LDAP browser, which successfully connects and pulls user data.
>

When you say "my users aren't showing up", what do you mean? Are users
unable to log in? Or you simply cannot see them in the admin interface? How
many users do you have in your environment? Are you logging in with an LDAP
account when you try to see them? Can you post your guacamole.properties,
minus any sensitive information?


>
>    - How should I go about troubleshooting?
>
Log files, for one - the Tomcat output (either catalina.out, or
journalctl, depending on how you installed it and how Tomcat is
configured), or Docker output if you're using Docker, should help. You may
need to turn up logging on Guacamole via the logback.xml file:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging



>
>    - Does my LDAP user need to be in any specific domain groups?
>
This depends upon your LDAP configuration, and what that user is allowed
to do. However, if you have copied the credentials into an LDAP browser and
can see all of the objects you expect to see, this is probably not the case.


>
>    - How frequently does Guacamole poll for new/updated users?
>
Guacamole does not "synchronize" LDAP user data. The LDAP tree is queried
each time a user logs in for the information required for that user login.
Essentially the flow looks something like this:
* User logs in, providing username and password.
* Guacamole uses the Search Bind DN and Password as configured in
guacamole.properties to locate the user object in LDAP.
* Guacamole disconnects from LDAP, then re-binds with the user object it
has located and the provided password.
* Guacamole uses this connection to search for users, groups, and
connection objects, depending on which items you've configured in
guacamole.properties

This is slightly different from how many web applications implement LDAP
authentication, where user data is synchronized into a database somewhere,
and then the LDAP connection is only made for authentication. Guacamole
relies on the LDAP connection and the security of LDAP itself for its
functionality.

Hope this helps - feel free to respond with further questions or
information.

-Nick

>
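The four-step login flow Nick lays out above, and the ldap-user-search-filter from Justin's guacamole.properties earlier in the thread, as an added Python example that is not part of the thread and not Guacamole's own code. It runs the flow against a small in-memory stand-in for the directory (no LDAP server or client library is involved): bind as the search account, locate the user DN with the configured filter, unbind, re-bind as that user, and then run the user search on the user's own connection, so the returned list is whatever that bind is permitted to see. Two defender-side checks are built in: the username is RFC 4515 escaped before it is spliced into the filter, so a login name containing filter metacharacters cannot change the filter's shape, and the constructed user carol shows that a memberof= branch only matches direct group membership (AD's memberOf attribute does not include nested groups), which is one way a user who sits under the right OU can still fail to be provisioned. The property names and the two group DNs come from the thread; the passwords, the users alice, bob and carol, the "Finance Interns" group, and the FakeDirectory, escape_filter_value, parse_filter and matches helpers are all assumptions made for the example.

```python
"""Simulated Guacamole LDAP login (added example, not Guacamole's own code): the four
steps from the thread against an in-memory directory, plus a small filter evaluator."""
import re

def escape_filter_value(value):
    # RFC 4515 escaping for a value spliced into a filter (here: the username)
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def parse_filter(text):
    """(attr=value), (&...), (|...), (!...) -> nested tuples, lower-cased like AD."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] != ")":
                kids.append(node())
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return ("=", attr.strip().lower(), value.lower())  # \XX escapes decoded above
    return node()

def matches(tree, entry):
    """Evaluate a parsed filter against one entry ({lowercase attr: [values]})."""
    op = tree[0]
    if op == "=":
        return tree[2] in [v.lower() for v in entry.get(tree[1], [])]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    return not matches(tree[1][0], entry)

class BindError(Exception):
    pass

class FakeDirectory:
    """Stand-in LDAP server: bind() checks a password, search() needs a bound identity."""
    def __init__(self, entries):
        self.entries, self.bound_dn = entries, None  # {lowercase dn: {attr: [values]}}
    def bind(self, dn, password):
        entry = self.entries.get(dn.lower())
        if entry is None or entry.get("userpassword") != [password]:
            raise BindError("invalid credentials for %s" % dn)
        self.bound_dn = dn.lower()
    def unbind(self):
        self.bound_dn = None
    def search(self, base_dn, filter_text):
        if self.bound_dn is None:
            raise BindError("anonymous search refused")  # the directory decides visibility
        tree, base = parse_filter(filter_text), base_dn.lower()
        return sorted(dn for dn, e in self.entries.items()
                      if dn.endswith("," + base) and matches(tree, e))

def visible_ldap_users(directory, cfg, username, password):
    """The four steps from the thread; returns the DNs the user's own bind can see."""
    directory.bind(cfg["ldap-search-bind-dn"], cfg["ldap-search-bind-password"])
    locate = "(&(%s=%s)%s)" % (cfg["ldap-username-attribute"],
                               escape_filter_value(username), cfg["ldap-user-search-filter"])
    found = directory.search(cfg["ldap-user-base-dn"], locate)
    directory.unbind()
    if len(found) != 1:  # no LDAP object: Guacamole moves on to its other auth providers
        raise BindError("%r not under the user base or not matched by the filter" % username)
    directory.bind(found[0], password)
    visible = directory.search(cfg["ldap-user-base-dn"], cfg["ldap-user-search-filter"])
    directory.unbind()
    return visible

# Constructed data: property names and the two group DNs are the thread's, the rest is made up.
FINANCE = "CN=Finance,OU=Groups,OU=Finance,OU=Staff,DC=site"
IT = "CN=IT Department,OU=Groups,OU=IT,OU=Staff,DC=site"
CONFIG = {
    "ldap-user-base-dn": "OU=Staff,DC=site",
    "ldap-search-bind-dn": "CN=guacamoleldap,OU=Service Accounts,DC=site",
    "ldap-search-bind-password": "svc-secret",
    "ldap-username-attribute": "sAMAccountName",
    "ldap-user-search-filter": "(|(memberof=%s)(memberof=%s))" % (FINANCE, IT),
}

def _user(sam, pw, groups):
    return {"samaccountname": [sam], "userpassword": [pw], "memberof": groups}

ENTRIES = {
    "cn=guacamoleldap,ou=service accounts,dc=site": _user("guacamoleldap", "svc-secret", []),
    "cn=alice,ou=finance,ou=staff,dc=site": _user("alice", "alice-pw", [FINANCE]),
    "cn=bob,ou=it,ou=staff,dc=site": _user("bob", "bob-pw", [IT]),
    # carol is in Finance only via a nested group; AD's memberOf holds direct membership only
    "cn=carol,ou=finance,ou=staff,dc=site": _user(
        "carol", "carol-pw", ["CN=Finance Interns,OU=Groups,OU=Finance,OU=Staff,DC=site"]),
}
```

visible_ldap_users(FakeDirectory(ENTRIES), CONFIG, "alice", "alice-pw") returns alice's and bob's DNs, because both match a branch of the filter. The same call for carol, or for a name that has no directory object at all (a database-only admin, which is what Justin's login turned out to be), raises BindError before any user search happens, so nothing from LDAP is listed; that is the behaviour behind the empty Users tab, and the place to look in the logs Nick points to is the locate step, not the bind.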