You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@guacamole.apache.org by "Pluess, Tobias" <to...@iap.unibe.ch> on 2020/02/17 12:28:01 UTC
Problem with LDAP authentication
Hi,
I have sucessfully installed Guacamole on a Centos 7 server. I can log
in as user "guacadmin", create connections using RDP or SSH, and
connect to different hosts. So far it works fine.
However, I now would like to use LDAPS for use authentication. We do
have an Active Directory which can be accessed via LDAPS and I have
sucessfully managed to set up LDAPS authentication for some other
services we use (Gitea, Nextcloud). On those servers it works fine, but
I cannot make it work with Guacamole!
I use Guacamole 1.1.0 with the Guacamole LDAP authentication extension.
Following is my LDAPS configuration in the guacamole.properties file:
ldap-hostname: ldap.server.domain.ch
ldap-port: 636
ldap-encryption-method: ssl
ldap-search-bind-dn: username@server.domain.ch
ldap-search-bind-password: (some password)
ldap-user-base-dn: ou=MYOU,dc=server,dc=domain,dc=ch
ldap-username-attribute: sAMAccountName
ldap-user-search-filter: (samAccountType=805306368)
I enabled debug log level for guacd, and this is what I find in the
logs:
(see below)
especially interesting is the line where it says "user successfully authenticated",
so I would expect that I am able to login, but instead, I get an error
message in the browser, telling that Guacamole had an internal error.
On the very bottom line of the logs you can see that indeed the LDAP
authentication module seems to have some internal problem.
How can I find out what is going on? I tried to enable debug log level
for the LDAP authentication module, but I couldn't find any
documentation about this.
What I have already tried:
a) use different versions of Guacamole: I tried with 1.0.0, same
problem.
b) I manually queried the LDAP server from that machine using the
command "ldapsearch". This was successful and worked fine.
Any hints for that?
Many thanks in advance.
Tobias
Feb 17 13:17:04 guacamole server: 13:17:04.084 [http-bio-8080-exec-48] DEBUG o.a.g.a.ldap.LDAPConnectionService - Connecting to LDAP server using SSL/TLS.
Feb 17 13:17:04 guacamole server: 13:17:04.203 [http-bio-8080-exec-48] DEBUG o.a.g.auth.ldap.ObjectQueryService - Searching "ou=MYOU,dc=server,dc=domain,dc=ch" for objects matching "(&(samAccountType=805306368)(sAMAccountName=<username>))".
Feb 17 13:17:04 guacamole server: 13:17:04.210 [http-bio-8080-exec-48] DEBUG o.a.g.a.ldap.LDAPConnectionService - Connecting to LDAP server using SSL/TLS.
Feb 17 13:17:04 guacamole server: 13:17:04.319 [http-bio-8080-exec-48] INFO o.a.g.r.auth.AuthenticationService - User "<username>" successfully authenticated from <my IP address>.
Feb 17 13:17:04 guacamole server: 13:17:04.319 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Opening JDBC Connection
Feb 17 13:17:04 guacamole server: 13:17:04.319 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Checked out connection 1100486697 from pool.
Feb 17 13:17:04 guacamole server: 13:17:04.319 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1100486697 ...
Feb 17 13:17:04 guacamole server: 13:17:04.322 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1100486697 is GOOD!
Feb 17 13:17:04 guacamole server: 13:17:04.322 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Setting autocommit to false on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@41981829]
Feb 17 13:17:04 guacamole server: 13:17:04.323 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Preparing: SELECT guacamole_user.user_id, guacamole_entity.entity_id, guacamole_entity.name, password_hash, password_salt, password_date, disabled, expired, access_window_start, access_window_end, valid_from, valid_until, timezone, full_name, email_address, organization, organizational_role, MAX(start_date) AS last_active FROM guacamole_user JOIN guacamole_entity ON guacamole_user.entity_id = guacamole_entity.entity_id LEFT JOIN guacamole_user_history ON guacamole_user_history.user_id = guacamole_user.user_id WHERE guacamole_entity.name = ? AND guacamole_entity.type = 'USER' GROUP BY guacamole_user.user_id, guacamole_entity.entity_id; SELECT guacamole_user_attribute.user_id, guacamole_user_attribute.attribute_name, guacamole_user_attribute.attribute_value FROM guacamole_user_attribute JOIN guacamole_user ON guacamole_user.user_id = guacamole_user_attribute.user_id JOIN guacamole_entity ON guacamole_user.entity_id = guacamole_entity.entity_id WHERE guacamole_entity.name = ? AND guacamole_entity.type = 'USER'
Feb 17 13:17:04 guacamole server: 13:17:04.323 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: <username>(String), <username>(String)
Feb 17 13:17:04 guacamole server: 13:17:04.328 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.user.UserMapper.selectOne - <== Total: 0
Feb 17 13:17:04 guacamole server: 13:17:04.328 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@41981829]
Feb 17 13:17:04 guacamole server: 13:17:04.329 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@41981829]
Feb 17 13:17:04 guacamole server: 13:17:04.329 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1100486697 ...
Feb 17 13:17:04 guacamole server: 13:17:04.329 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1100486697 is GOOD!
Feb 17 13:17:04 guacamole server: 13:17:04.329 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 1100486697 to pool.
Feb 17 13:17:04 guacamole server: 13:17:04.330 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Opening JDBC Connection
Feb 17 13:17:04 guacamole server: 13:17:04.330 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Checked out connection 1960179742 from pool.
Feb 17 13:17:04 guacamole server: 13:17:04.330 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1960179742 ...
Feb 17 13:17:04 guacamole server: 13:17:04.331 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1960179742 is GOOD!
Feb 17 13:17:04 guacamole server: 13:17:04.331 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Setting autocommit to false on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@74d5f81e]
Feb 17 13:17:04 guacamole server: 13:17:04.331 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.u.UserRecordMapper.insert - ==> Preparing: INSERT INTO guacamole_user_history ( remote_host, user_id, username, start_date, end_date ) VALUES ( ?, (SELECT user_id FROM guacamole_user JOIN guacamole_entity ON guacamole_user.entity_id = guacamole_entity.entity_id WHERE guacamole_entity.name = ? AND guacamole_entity.type = 'USER'), ?, ?, ? )
Feb 17 13:17:04 guacamole server: 13:17:04.331 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.u.UserRecordMapper.insert - ==> Parameters: <my IP address>(String), <username>(String), <username>(String), 2020-02-17 13:17:04.33(Timestamp), null
Feb 17 13:17:04 guacamole server: 13:17:04.332 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.u.UserRecordMapper.insert - <== Updates: 1
Feb 17 13:17:04 guacamole server: 13:17:04.332 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Committing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@74d5f81e]
Feb 17 13:17:04 guacamole server: 13:17:04.369 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@74d5f81e]
Feb 17 13:17:04 guacamole server: 13:17:04.369 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@74d5f81e]
Feb 17 13:17:04 guacamole server: 13:17:04.369 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1960179742 ...
Feb 17 13:17:04 guacamole server: 13:17:04.369 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1960179742 is GOOD!
Feb 17 13:17:04 guacamole server: 13:17:04.369 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 1960179742 to pool.
Feb 17 13:17:04 guacamole server: 13:17:04.370 [http-bio-8080-exec-48] DEBUG o.a.g.a.ldap.LDAPConnectionService - Connecting to LDAP server using SSL/TLS.
Feb 17 13:17:04 guacamole server: 13:17:04.453 [http-bio-8080-exec-48] DEBUG o.a.g.auth.ldap.ObjectQueryService - Searching "ou=MYOU,dc=server,dc=domain,dc=ch" for objects matching "(&(samAccountType=805306368)(sAMAccountName=<username>))".
Feb 17 13:17:04 guacamole server: 13:17:04.461 [http-bio-8080-exec-48] DEBUG o.a.g.a.ldap.LDAPConnectionService - Connecting to LDAP server using SSL/TLS.
Feb 17 13:17:04 guacamole server: 13:17:04.548 [http-bio-8080-exec-48] DEBUG o.a.g.auth.ldap.ObjectQueryService - Searching "ou=MYOU,dc=server,dc=domain,dc=ch" for objects matching "(&(samAccountType=805306368)(sAMAccountName=*))".
Feb 17 13:17:06 guacamole server: 13:17:06.507 [http-bio-8080-exec-48] WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
RE: Problem with LDAP authentication
Posted by to...@iap.unibe.ch.
Hi again Nick
OK so I tested it again and imported the LDAP certificate, even though I would expect that this is not necessary as it should be trusted (because it is not a self signed one).
On the Guacamole server, I did
openssl s_client -showcerts -connect ldap.campus.unibe.ch:636 </dev/null 2>/dev/null | openssl x509 -outform PEM > mycert.pem
to download the cert from the LDAP server. And then I added the cert to the keystore with
keytool -importcert -alias "ldaps" -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/lib/security/cacerts -file mycert.pem
however, I have no success, it is still not possible to login with LDAP.
Fun fact: when I try to login via LDAP and enter a wrong password, the Guacamole does display a message that the password was wrong. However when I enter the correct password, I get the message about the unknown internal error.
I also tried different versions of the LDAP auth extension, so I used v1.0.0 as well as v1.1.0, both with the same result.
Best
Tobias
From: Nick Couchman [mailto:vnick@apache.org]
Sent: Saturday, 22 February 2020 19:19
To: user@guacamole.apache.org
Subject: Re: Problem with LDAP authentication
On Mon, Feb 17, 2020 at 7:28 AM Pluess, Tobias <to...@iap.unibe.ch>> wrote:
Hi,
I have sucessfully installed Guacamole on a Centos 7 server. I can log
in as user "guacadmin", create connections using RDP or SSH, and
connect to different hosts. So far it works fine.
However, I now would like to use LDAPS for use authentication. We do
have an Active Directory which can be accessed via LDAPS and I have
sucessfully managed to set up LDAPS authentication for some other
services we use (Gitea, Nextcloud). On those servers it works fine, but
I cannot make it work with Guacamole!
I use Guacamole 1.1.0 with the Guacamole LDAP authentication extension.
Following is my LDAPS configuration in the guacamole.properties file:
ldap-hostname: ldap.server.domain.ch<http://ldap.server.domain.ch>
ldap-port: 636
ldap-encryption-method: ssl
ldap-search-bind-dn: username@server.domain.ch<ma...@server.domain.ch>
ldap-search-bind-password: (some password)
ldap-user-base-dn: ou=MYOU,dc=server,dc=domain,dc=ch
ldap-username-attribute: sAMAccountName
ldap-user-search-filter: (samAccountType=805306368)
Is your LDAP server certificate trusted within the Java framework that is running Tomcat - that is, have you imported it into cacerts?
-Nick
Re: Problem with LDAP authentication
Posted by Nick Couchman <vn...@apache.org>.
On Mon, Feb 17, 2020 at 7:28 AM Pluess, Tobias <to...@iap.unibe.ch>
wrote:
> Hi,
> I have sucessfully installed Guacamole on a Centos 7 server. I can log
> in as user "guacadmin", create connections using RDP or SSH, and
> connect to different hosts. So far it works fine.
>
> However, I now would like to use LDAPS for use authentication. We do
> have an Active Directory which can be accessed via LDAPS and I have
> sucessfully managed to set up LDAPS authentication for some other
> services we use (Gitea, Nextcloud). On those servers it works fine, but
> I cannot make it work with Guacamole!
>
> I use Guacamole 1.1.0 with the Guacamole LDAP authentication extension.
> Following is my LDAPS configuration in the guacamole.properties file:
>
> ldap-hostname: ldap.server.domain.ch
> ldap-port: 636
> ldap-encryption-method: ssl
> ldap-search-bind-dn: username@server.domain.ch
> ldap-search-bind-password: (some password)
> ldap-user-base-dn: ou=MYOU,dc=server,dc=domain,dc=ch
> ldap-username-attribute: sAMAccountName
> ldap-user-search-filter: (samAccountType=805306368)
>
>
>
Is your LDAP server certificate trusted within the Java framework that is
running Tomcat - that is, have you imported it into cacerts?
-Nick