Posted to user@guacamole.apache.org by Sebastian Männling <se...@qubestack.org> on 2020/03/29 21:40:02 UTC

OpenID Connect Authentication with LDAP configuration

Hi,
I successfully set up Guacamole with authentication against LDAP (Active Directory);
the connection configuration is also provided by LDAP... everything is working as expected.

I now played a bit with OpenID (Keycloak) and was wondering if it's possible to use OpenID Connect authentication and also get the connection configuration from LDAP...

Because it's not clear to me from the documentation, which says:
```
This module must be layered on top of other authentication extensions that provide connection information, such as the database authentication extension, as it only provides user authentication
```

From my understanding the LDAP module provides connection information, but I can't get it working.
I can successfully authenticate against OpenID (Keycloak) and I get redirected to the Guacamole page, but I can't see any connections.

The log shows the exact same 'successfully authenticated' message when logging in with OpenID and with LDAP:
```
INFO  o.a.g.r.auth.AuthenticationService - User "testuser" successfully authenticated from [192.168.124.1, 10.88.0.1].
```
but LDAP-only authentication also has the following log messages:
```
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.18060.0.0.1)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.7)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.2)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.319)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.3)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.18)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.473)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.474)
INFO  o.a.d.a.l.c.o.DefaultLdapCodecService - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.4203.1.10.1)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.18060.0.0.1)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.7)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.2)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.319)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.3)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.18)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.473)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.474)
INFO  o.a.d.a.l.c.StockCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.4203.1.10.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.841)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.841)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.2239)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.417)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.528)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.42.2.27.8.5.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.42.2.27.8.5.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.2.840.113556.1.4.1413)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.4203.1.9.1.3)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.4203.1.9.1.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.4.1.4203.1.9.1.2)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (1.3.6.1.1.21.2)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.9)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06000_REGISTERED_CONTROL_FACTORY (2.16.840.1.113730.3.4.10)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1.8)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.18060.0.1.8)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1.21.3)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.18060.0.1.5)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.18060.0.1.3)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.1466.20036)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.4203.1.11.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.1466.20037)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.1.21.1)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.18060.0.1.6)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06001_REGISTERED_EXTENDED_OP_FACTORY (1.3.6.1.4.1.4203.1.11.3)
INFO  o.a.d.a.l.e.ExtrasCodecFactoryUtil - MSG_06002_REGISTERED_INTERMEDIATE_FACTORY (1.3.6.1.4.1.4203.1.9.1.4)
INFO  o.a.g.r.auth.AuthenticationService - User "testuser" successfully authenticated from [192.168.124.1, 10.88.0.1].
```

My test setup looks like this (IPs are currently all looked up and set manually...):
# AD is set up using vagrant (https://github.com/maennlse/vagrant-guac-ad)

# podman create pod
`podman pod create --name test --share cgroup,ipc,uts`

# keycloak container:
`podman run -d --rm -p 8180:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e PROXY_ADDRESS_FORWARDING=true --name keycloak --pod test jboss/keycloak`

# guacamole container (guacamole-auth-openid-1.1.0.jar patched with https://github.com/apache/guacamole-client/commit/0344ef30e45954d1252d44b9826c7eedad8b02f3)
`podman run -dt --rm --name guacamole --pod test -v /vagrant/guacamole-auth-openid-1.1.0.jar:/opt/guacamole/openid/guacamole-auth-openid-1.1.0.jar:ro,Z -v /etc/pki/ca-trust/extracted/java:/etc/ssl/certs/java:ro,Z -e OPENID_AUTHORIZATION_ENDPOINT="http://192.168.124.160/auth/realms/master/protocol/openid-connect/auth" -e OPENID_JWKS_ENDPOINT="http://192.168.124.160/auth/realms/master/protocol/openid-connect/certs" -e OPENID_ISSUER="http://192.168.124.160/auth/realms/master" -e OPENID_CLIENT_ID="guacamole" -e OPENID_REDIRECT_URI="http://192.168.124.160/guacamole/"  -e OPENID_USERNAME_CLAIM_TYPE="preferred_username"  -e OPENID_SCOPE="openid email username profile"  -e OPENID_ALLOWED_CLOCK_SKEW=500  -e LDAP_HOSTNAME="dc01" -e LDAP_PORT=389  -e LDAP_ENCRYPTION_METHOD=none  -e LDAP_SEARCH_BIND_DN="cn=guac,cn=users,DC=boxes,DC=test" -e LDAP_SEARCH_BIND_PASSWORD="P@ssW0rD!"  -e LDAP_USERNAME_ATTRIBUTE="samaccountname"  -e LDAP_USER_BASE_DN="cn=users,DC=boxes,DC=test"  -e LDAP_GROUP_BASE_DN="ou=groups,DC=boxes,DC=test" -e LDAP_CONFIG_BASE_DN="ou=configs,DC=boxes,DC=test" -e GUACD_HOSTNAME="10.88.0.12" -p 8080:8080 guacamole/guacamole`

# guacd
`podman run -dt --rm --name guacd --pod guac guacamole/guacd`

# nginx 'port wrapper'
```
    server {
        listen 80 default_server;
        listen       [::]:80 default_server;
        server_name  guacamole;

        location /guacamole/ {
            proxy_pass http://localhost:8080/guacamole/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_cookie_path /guacamole/ /guacamole/;
            access_log off;
        }
        location / {
            proxy_pass http://localhost:8180/;
            proxy_set_header    Host               $host;
            proxy_set_header    X-Real-IP          $remote_addr;
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Host   $host;
            proxy_set_header    X-Forwarded-Server $host;
            proxy_set_header    X-Forwarded-Port   $server_port;
            proxy_set_header    X-Forwarded-Proto  $scheme;
        }

    }
```


I am afraid that the OpenID extension probably does not work with LDAP configuration, but I hope it's just a misconfiguration on my side... ;)
So any help/information is appreciated.

thanks.
Sebastian

Re: OpenID Connect Authentication with LDAP configuration

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Mar 31, 2020 at 3:42 PM Sebastian Männling <sebastian.maennling@qubestack.org> wrote:

> any comment if openid connect authentication with connection
> settings/options from ldap should or should not work at all?

This is unlikely to work, because the LDAP extension relies on successful
authentication by the user who logs in to the LDAP tree in order to
retrieve the LDAP objects.  If you're using OpenID, or any other SSO
platform, you're unlikely to have that user's password in order to try the
authentication, and the LDAP extension will just silently fail.  CAS can
potentially work around this by using the ClearPass feature to provide the
user's password back to Guacamole, but that feature is only implemented in
the CAS Authentication Extension, and I'm unsure if either OpenID or any
other SSO platform supports that.

If you're going to use OpenID you'd likely be better off storing
configurations for connections in the JDBC module.

-Nick
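As an added illustration of the provider chain Nick describes (this is not Guacamole's own code; the two-method provider interface, the class names and the toy in-memory directory are assumed simplifications), here is a Python model showing why an OpenID login is logged as authenticated yet lists no LDAP connections, and what changes when a ClearPass-style password hand-off exists:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class Credentials:
    username: Optional[str] = None
    password: Optional[str] = None          # None on an SSO login: the browser never sent one
    id_token_subject: Optional[str] = None  # taken from the OpenID id_token (simplified, assumed)

# Constructed toy directory standing in for the AD tree used in the thread.
DIRECTORY_USERS = {"testuser": "s3cret"}                             # sAMAccountName -> password
DIRECTORY_CONNECTIONS = {"testuser": ["dc01 (rdp)", "app01 (ssh)"]}  # objects under LDAP_CONFIG_BASE_DN
class LdapProvider:
    # Binds as the user, then reads that user's connection objects with the same bind.
    def authenticate(self, creds: Credentials) -> Optional[str]:
        if creds.password is None:  # nothing to bind with
            return None
        if DIRECTORY_USERS.get(creds.username) != creds.password:
            return None
        return creds.username
    def get_user_context(self, creds: Credentials) -> Optional[List[str]]:
        # Connection objects are only readable after a successful user bind, so an
        # SSO-authenticated user fails here quietly: no exception, just no context.
        if self.authenticate(creds) is None:
            return None
        return DIRECTORY_CONNECTIONS.get(creds.username, [])

class OpenIdProvider:
    # Supplies identity from the (already validated) id_token; never connections.
    def authenticate(self, creds: Credentials) -> Optional[str]:
        return creds.id_token_subject
    def get_user_context(self, creds: Credentials) -> Optional[List[str]]:
        return None

def login(providers, creds: Credentials) -> Tuple[Optional[str], List[str]]:
    """First provider that authenticates wins; every provider's user context is then merged."""
    user = None
    for provider in providers:
        user = provider.authenticate(creds)
        if user is not None:
            break  # the "successfully authenticated" log line is written here, whoever answered
    connections: List[str] = []
    for provider in providers:
        ctx = provider.get_user_context(creds)
        if ctx:
            connections.extend(ctx)
    return user, connections
CHAIN = [OpenIdProvider(), LdapProvider()]

def ldap_login() -> Tuple[Optional[str], List[str]]:
    return login(CHAIN, Credentials(username="testuser", password="s3cret"))

def openid_login() -> Tuple[Optional[str], List[str]]:
    # What the thread observes: authenticated, but the connection list stays empty.
    return login(CHAIN, Credentials(username="testuser", id_token_subject="testuser"))

def clearpass_style_login() -> Tuple[Optional[str], List[str]]:
    # Only possible if the SSO extension hands the user's password on, as CAS ClearPass does.
    return login(CHAIN, Credentials(username="testuser", password="s3cret",
                                    id_token_subject="testuser"))
```

The same "successfully authenticated" line appears in both the LDAP and the OpenID case, which is why that log message alone cannot tell you which extension answered or why the connection list is empty.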

Re: OpenID Connect Authentication with LDAP configuration

Posted by Sebastian Männling <se...@qubestack.org>.
Any comment on whether OpenID Connect authentication with connection settings/options from LDAP should or should not work at all?

On Sunday, March 29, 2020 23:40 CEST, Sebastian Männling <se...@qubestack.org> wrote: