Posted to user@guacamole.apache.org by lfzamora <me...@lennonzamora.com> on 2017/07/14 04:19:50 UTC

Docker + LDAP (Active Directory)

Deploying latest docker images (as of 07/13/2017) of guacamole, guacd, and
postgres with LDAP enabled in an Active Directory environment but getting
"Invalid Login" at login page and logs throwing the following:

04:06:02.351 [http-nio-8080-exec-10] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "CN=svc_Guacamole,OU=Guacamole,DC=corp,DC=contoso,DC=com"
04:06:02.352 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.168.1.223 for user "tuser" failed.

Yep, those users exist and that is the correct DN, double- and triple-checked
in ADUC. Ditto for passwords. Don't think it's anything to do with the DB as I
can log in successfully with the default 'guacadmin' account. But any attempt to
log in with a valid (in any other context) AD/LDAP user fails with the
aforementioned errors.

Not a port or network issue, as the docker box can nc to 389. Tried IP instead
of FQDN as well, no diff.

It shouldn't be necessary, but I also made the LDAP_SEARCH_BIND_DN account a
domain admin. It should be able to search the LDAP tree as a regular domain user, but
I tried it anyway.

Here is the full docker run command being used:

sudo docker run --name guacamole --link guacd:guacd \
--link postgres:postgres \
-e POSTGRES_DATABASE=guacamole_db \
-e POSTGRES_USER=guacamole_user \
-e POSTGRES_PASSWORD=*** \
-e LDAP_USER_BASE_DN=OU=Guacamole,DC=corp,DC=contoso,DC=com \
-e LDAP_SEARCH_BIND_DN=CN=svc_Guacamole,OU=Guacamole,DC=corp,DC=contoso,DC=com \
-e LDAP_SEARCH_BIND_PASSWORD=*** \
-e LDAP_USERNAME_ATTRIBUTE=sAMAccountName \
-e LDAP_HOSTNAME=dc-1.corp.contoso.com \
-e LDAP_PORT=389 \
-e LDAP_ENCRYPTION_METHOD=none -d -p 8080:8080 guacamole/guacamole

Any ideas? Maybe somewhere to get more detailed error feedback?

Thanks



--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Docker-LDAP-Active-Directory-tp1296.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at Nabble.com.

Re: Docker + LDAP (Active Directory)

Posted by lfzamora <me...@lennonzamora.com>.
Yeah, I fiddled with that too. At this point it's just plain alphanumeric.

When I get home I'm going to throw up Wireshark on the DC and see if I can
dial in on the exact LDAP response. Nothing in the Windows Event Logs, which is
strange; I could be looking in the wrong place, though, but there are no "failed login"
type alerts.


Re: Docker + LDAP (Active Directory)

Posted by Mike Jumper <mi...@guac-dev.org>.
Are there any characters in the value for LDAP_SEARCH_BIND_PASSWORD
which might be being interpreted by your shell, and thus might not
make it into the environment variables of the Docker container as
expected?

- Mike

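To make Mike's suggestion concrete, here is an added example (not code from the thread or from the Guacamole project) that checks whether a bind password contains shell-interpreted characters and shows what `docker run -e` would actually receive, unquoted versus single-quoted. SAMPLE_PW and the helper names are constructed for the demonstration; the manual checks at the end reuse the DN, host and user from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread or the Guacamole project. It checks
# the failure mode Mike raises: a LDAP_SEARCH_BIND_PASSWORD that the shell
# rewrites before `docker run` ever sees it. SAMPLE_PW is a constructed value,
# not a real credential.

SAMPLE_PW='Pa$$w0rd!2017'

# True (exit 0) when the value contains a character sh/bash may interpret in
# an unquoted -e KEY=VALUE token: $ ` " \ ! * ? or space.
has_shell_metachars() {
    printf '%s' "$1" | grep -q '[$`"\\!*? ]'
}

# Let the shell expand a command-line token exactly as it would for
# `docker run -e ...` and return what the container would have received.
expand_token() {
    eval "printf '%s' $1"
}

# Wrap a value in single quotes so it passes through literally; an embedded
# single quote is rewritten as the '\'' sequence.
single_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Demonstration: unquoted, $$ becomes the shell's PID and the LDAP bind fails
# with the wrong password; single-quoted, the value survives unchanged.
if has_shell_metachars "$SAMPLE_PW"; then
    echo "unquoted -> $(expand_token "$SAMPLE_PW")"
    echo "quoted   -> $(expand_token "$(single_quote "$SAMPLE_PW")")"
fi

# Manual follow-ups (not run here). Compare what the container actually holds
# (assumes printenv exists in the image):
#   docker exec guacamole printenv LDAP_SEARCH_BIND_PASSWORD
# and test the bind DN and password outside Guacamole with OpenLDAP's
# ldapsearch (-W prompts for the password, so no shell parsing is involved):
#   ldapsearch -x -H ldap://dc-1.corp.contoso.com:389 \
#     -D 'CN=svc_Guacamole,OU=Guacamole,DC=corp,DC=contoso,DC=com' -W \
#     -b 'OU=Guacamole,DC=corp,DC=contoso,DC=com' '(sAMAccountName=tuser)' dn
```

If the printenv output differs from the password you typed, the shell rewrote it; single-quote the whole `-e` value (or pass it via `--env-file`) and rerun.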