Posted to user@guacamole.apache.org by Ferron Nijland - Switch IT Solutions <f....@switch.nl> on 2018/02/02 13:25:24 UTC

LDAP Guacamole 9.14

Hello Everyone,

I've installed a new installation of Guacamole 9.14.
I can access the GUI and login with sql authentication.
Now I've added LDAP authentication, but it doesn't seem to work.
The guacd service starts without problems, so I've no idea where to look.

My guacamole.properties in /etc/guacamole is like:

# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

# Location to read extra .jar's from
lib-directory:  /etc/guacamole/lib

# Authentication provider class
#auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

#LDAP Properties
ldap-hostname: 10.75.10.12
ldap-port: 3268
ldap-user-base-dn: DC=domain,DC=local
ldap-search-bind-dn: CN=sa_ ldap_guac,OU=Service Accounts,DC=domain,DC=local
ldap-search-bind-password: password
ldap-username-attribute: sAMAccountName

# Properties used by BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: mypassword

Kind regards,

Ferron Nijland



Re: LDAP Guacamole 9.14

Posted by Nick Couchman <vn...@apache.org>.
>
> I also noticed that you're running LDAP on port 3268. That's not the port
> that LDAP usually runs on, did you double check that your LDAP server is
> really running on port 3268?
>
>
Port 3268 is standard when running Active Directory - it is the global
catalog port.  There was a referral bug in the LDAP authentication
extension for a while that required you to point at this port to avoid
hitting an LDAP referral - that bug has since been resolved and it is safe
to point at the standard LDAP port.

-Nick

Re: LDAP Guacamole 9.14

Posted by Aaron Newsome <aa...@gmail.com>.
Hello Ferron. I've got 0.9.14 running with LDAP authentication. I've
actually used an identical config since 0.9.12 without any problems. Here's
the LDAP section of my guacamole.properties file:

ldap-hostname: ads-001.swiftlab.local
ldap-port: 389
ldap-max-search-results: 3000
ldap-search-bind-dn: CN=administrator,CN=Users,dc=swiftlab,dc=local
ldap-search-bind-password: password
ldap-username-attribute: sAMAccountName
ldap-user-base-dn: CN=Users,DC=swiftlab,DC=local
ldap-group-base-dn: CN=Users,DC=swiftlab,DC=local

I also noticed that you're running LDAP on port 3268. That's not the port
that LDAP usually runs on, did you double check that your LDAP server is
really running on port 3268?

--Aaron



Re: LDAP Guacamole 9.14

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Feb 2, 2018 at 5:00 PM, Jerry <tr...@gmail.com> wrote:

> For what it's worth, using ldap-username-attribute sAMAccountname never
> worked for me on 0.9.13-incubating (though it seemed to work for other
> people based on my googling), but CN worked fine.
>

I have no issue with using sAMAccountName against an Active Directory
back-end.

-Nick

Re: LDAP Guacamole 9.14

Posted by Jerry <tr...@gmail.com>.
For what it's worth, using ldap-username-attribute sAMAccountname never
worked for me on 0.9.13-incubating (though it seemed to work for other
people based on my googling), but CN worked fine.




RE: LDAP Guacamole 9.14

Posted by Ferron Nijland - Switch IT Solutions <f....@switch.nl>.
Hello Mike,
Thanks for all the information!
After reading your mail thoroughly I moved the LDAP extension to the /etc/guacamole/extensions folder.
After restarting everything worked 😊 I’ve also cleaned my guacamole.properties, so there are no more deprecated properties.

- Ferron Nijland





Re: LDAP Guacamole 9.14

Posted by Mike Jumper <mi...@guac-dev.org>.
On Fri, Feb 2, 2018 at 5:25 AM, Ferron Nijland - Switch IT Solutions <
f.nijland@switch.nl> wrote:

> Hello Everyone,

Hello Ferron,

> I’ve installed a new installation of Guacamole 9.14.
> I can access the GUI and login with sql authentication.
> Now I’ve added LDAP authentication, but it doesn’t seem to work.
> The guacd service starts without problems, so I’ve no idea where to look.

guacd actually has nothing to do with the authentication mechanism in use;
it handles only the low-level remote desktop connection. If the LDAP
authentication isn't working for you, the first thing to check would be the
logs from the web application. Assuming you are using Tomcat, these will be
logged to Tomcat's logs, most likely "catalina.out".

> My guacamole.properties in /etc/guacamole is like:
>
> # Hostname and port of guacamole proxy
> guacd-hostname: localhost
> guacd-port:     4822

Beware that these property values are actually the defaults. Having them
will not hurt anything, but Guacamole will assume these values if these
properties are omitted.


> # Location to read extra .jar's from
> lib-directory:  /etc/guacamole/lib

The "lib-directory" property has actually been deprecated since 0.9.7, and
as of 0.9.10-incubating no longer has any effect:

http://guacamole.apache.org/releases/0.9.10-incubating/#removal-of-deprecated-lib-directory-and-auth-provider-properties

The lib directory used by Guacamole is now always GUACAMOLE_HOME/lib/,
which matches the value you are trying to use here.


> # Authentication provider class
> #auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
>
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

Like the "lib-directory" property, the "auth-provider" property has been
deprecated since 0.9.7 and as of 0.9.10-incubating no longer has any effect:

http://guacamole.apache.org/releases/0.9.10-incubating/#removal-of-deprecated-lib-directory-and-auth-provider-properties

In prior releases which followed 0.9.7, attempting to use this property
would have resulted in a warning in the logs. With the property having now
been fully removed, it is simply silently ignored. The authentication
mechanism in use is dictated purely by the extensions installed within
GUACAMOLE_HOME/extensions/.


> #LDAP Properties
> ldap-hostname: 10.75.10.12
> ldap-port: 3268
> ldap-user-base-dn: DC=domain,DC=local
> ldap-search-bind-dn: CN=sa_ ldap_guac,OU=Service Accounts,DC=domain,DC=local
> ldap-search-bind-password: password
> ldap-username-attribute: sAMAccountName

Depending on what you see in the Tomcat logs from Guacamole, I suggest
trying a few searches against your LDAP directory, binding to the LDAP
directory using the search DN and password you've specified here, making
sure you can execute queries against the "DC=domain,DC=local" tree. If you
cannot execute such searches, that is probably why things are failing, and
there should be corresponding errors in the logs.

> # Properties used by BasicFileAuthenticationProvider
> basic-user-mapping: /etc/guacamole/user-mapping.xml

The "basic-user-mapping" property has been deprecated since
0.9.10-incubating:

http://guacamole.apache.org/releases/0.9.10-incubating/#deprecation-of-the-basic-user-mapping-property

Its use would have resulted in a warning regarding its deprecation in the
logs. Though still supported in 0.9.14, support for this property has
recently been removed entirely. It will no longer be supported in future
releases:

https://issues.apache.org/jira/browse/GUACAMOLE-494

- Mike
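
Added example (not part of the original thread and not Guacamole project code): a small Python check that flags the properties Mike describes as ignored, deprecated or default in a guacamole.properties file, and builds the ldapsearch command for the bind-and-search test he suggests. The sample file is constructed from the original post, the function names are hypothetical, and ldapsearch is assumed to be the OpenLDAP client.

```python
# Constructed sample input: the properties posted at the top of the thread.
SAMPLE = """\
guacd-hostname: localhost
guacd-port:     4822
lib-directory:  /etc/guacamole/lib
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
ldap-hostname: 10.75.10.12
ldap-port: 3268
ldap-user-base-dn: DC=domain,DC=local
ldap-search-bind-dn: CN=sa_ ldap_guac,OU=Service Accounts,DC=domain,DC=local
ldap-search-bind-password: password
ldap-username-attribute: sAMAccountName
basic-user-mapping: /etc/guacamole/user-mapping.xml
"""

# Property status as stated in the thread (not an exhaustive list).
STATUS = {"lib-directory": "ignored",          # no effect as of 0.9.10-incubating
          "auth-provider": "ignored",          # no effect as of 0.9.10-incubating
          "basic-user-mapping": "deprecated"}  # deprecated since 0.9.10-incubating
DEFAULTS = {"guacd-hostname": "localhost", "guacd-port": "4822"}

def parse_properties(text):
    """Parse 'name: value' lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            props[name.strip()] = value.strip()
    return props

def lint(props):
    """Return (property, status) pairs: ignored/deprecated first, then defaults."""
    findings = [(n, STATUS[n]) for n in props if n in STATUS]
    findings += [(n, "default") for n, v in props.items() if DEFAULTS.get(n) == v]
    return findings

def ldapsearch_argv(props):
    """Build the bind-and-search test; -W prompts so the password stays off argv."""
    uri = "ldap://%s:%s" % (props["ldap-hostname"], props.get("ldap-port", "389"))
    flt = "(%s=*)" % props["ldap-username-attribute"]
    return ["ldapsearch", "-x", "-H", uri, "-D", props["ldap-search-bind-dn"],
            "-W", "-b", props["ldap-user-base-dn"], "-z", "1", flt]

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for finding in lint(props):
        print("%-20s %s" % finding)
    print(ldapsearch_argv(props))
```

Running the resulting command by hand and entering the bind password at the prompt shows whether the search account can bind and query the configured base DN.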