Posted to user@guacamole.apache.org by "Odwald, Andrzej" <An...@kldiscovery.com> on 2019/09/19 17:14:16 UTC

Windows AD LDAP Guacamole

Hi,
I've been fighting with getting Guacamole LDAP extension to work with our active directory which is hosted on a Windows Server. All help I could find relates to OpenLDAP which is not an option.
I've managed to get the LDAP to authenticate the user, though what's weird is the fact in the logs I can see it doing three queries to LDAP with a single logon.
Connection to LDAP server without encryption.
Searching "OU=x,DC=y,DC=z" for objects matching "(userPrincipalName=myLoginName)"
Connection to LDAP server without encryption.
User "myLoginName" successfully authenticated from xxx.xxx.xxx.xxx
Connection to LDAP server without encryption.
Searching "OU=x,DC=y,DC=z" for objects matching "(userPrincipalName=myLoginName)"
Connection to LDAP server without encryption.
Searching "OU=x,DC=y,DC=z" for objects matching(userPrincipalName=*)

I never make it past the login screen but I've got an error pop up on top of the login pane "Unable to query list of objects from LDAP directory."
I was unable to alter the database due to the simple fact I have no idea what properties to put or anything like that as I can only find OpenLDAP related stuff.
If it isn't obvious enough, I'm in no way an IT guy; I'm a Software Engineer who is setting this up for the team as IT has other priorities so I apologise for any silly questions or statements I might make.
What my questions are:

  *   Why is the LDAP querying basically the identical thing twice and finally with a * wildcard?
  *   How can I create a Guac config on a Windows AD (as in, what does it require, etc.)?
Thanks
Andrew

Re: Windows AD LDAP Guacamole

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Sep 19, 2019 at 1:14 PM Odwald, Andrzej <
Andrzej.Odwald@kldiscovery.com> wrote:

> Hi,
>
> I’ve been fighting with getting Guacamole LDAP extension to work with our
> active directory which is hosted on a Windows Server. All help I could find
> relates to OpenLDAP which is not an option.
>
What version of Guacamole?


> I’ve managed to get the LDAP to authenticate the user, though what’s weird
> is the fact in the logs I can see it doing three queries to LDAP with a
> single logon.
>
> Connection to LDAP server without encryption.
> Searching “OU=x,DC=y,DC=z” for objects matching
> “(userPrincipalName=myLoginName)”
> Connection to LDAP server without encryption.
> User “myLoginName” successfully authenticated from xxx.xxx.xxx.xxx
> Connection to LDAP server without encryption.
> Searching “OU=x,DC=y,DC=z” for objects matching
> “(userPrincipalName=myLoginName)”
> Connection to LDAP server without encryption.
> Searching “OU=x,DC=y,DC=z” for objects matching(userPrincipalName=*)
>
>
This is expected behavior - the server first binds with the bind user
specified in the file to get the DN of the user who is logging in, then it
re-binds as the user logging in with a search for that user, then it
searches to see what other users are available in the directory.


> I never make it past the login screen but I’ve got an error pop up on top
> of the login pane “Unable to query list of objects from LDAP directory.”
> I was unable to alter the database due to the simple fact I have no idea
> what properties to put or anything like that as I can only find OpenLDAP
> related stuff.
>
Is there anything else in the log file past the above errors that would
indicate what's going on? Have you tried putting the Guacamole application
into Debug mode:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging



> If it isn’t obvious enough, I’m in no way an IT guy; I’m a Software
> Engineer who is setting this up for the team as IT has other priorities so
> I apologise for any silly questions or statements I might make.
>
> What my questions are:
>
>    - Why is the LDAP querying basically the identical thing twice and
>    finally with a * wildcard?
>    - How can I create a Guac config on a Windows AD (as in, what does it
>    require etc)
>
>
Have you tried pointing at port 3268 on your domain controller instead of
389, or disabling referral following?  This is known to cause issues with
Guacamole searches against AD directories, and, depending on the version of
Guacamole you're running one of those may do the trick.

-Nick
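As an added configuration example (not from the thread and not the Guacamole project's own), here is what a guacamole.properties for the LDAP extension against a Windows AD domain needs, with the two changes Nick suggests and the encryption setting behind the "without encryption" log lines; the hostname, service-account DN and password are placeholders and the base DN is the thread's own.

```properties
# Added example, not from the thread or the Guacamole project. Key names are
# the LDAP extension's documented properties; values are placeholders.

# Nick's first suggestion: the Global Catalog port (3268) instead of 389.
# The GC answers forest-wide from one server, so the final
# "(userPrincipalName=*)" listing does not chase referrals to other DCs.
ldap-hostname:          dc1.y.z
ldap-port:              3268

# "none" is what "Connection to LDAP server without encryption" in the log
# means. Once login works, switch to ssl (the GC's LDAPS port is 3269) so
# the re-bind with the user's own password does not cross the wire in clear.
ldap-encryption-method: none

# Where users are searched and which attribute the login name is matched on;
# the log shows userPrincipalName, so users log in as user@domain.
ldap-user-base-dn:       OU=x,DC=y,DC=z
ldap-username-attribute: userPrincipalName

# Service account for the first search that resolves the user's DN. AD does
# not return search results to an anonymous bind, so this pair is required.
ldap-search-bind-dn:       CN=guac-svc,OU=ServiceAccounts,DC=y,DC=z
ldap-search-bind-password: replace-me

# Nick's second suggestion: do not follow referrals. Set it explicitly;
# with the GC port above it is usually only one of the two that is needed.
ldap-follow-referrals: false
```

After restarting Tomcat, the same three searches should appear in the log, but the third one (the wildcard listing) should no longer fail with "Unable to query list of objects from LDAP directory."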
