Posted to user@guacamole.apache.org by vincemoya77 <vi...@outlook.com> on 2019/04/04 20:21:40 UTC

LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

Hi all

I've tried searching for relevant info regarding LDAP and mysql
authentication. I believe I have everything set up accordingly (both plugins
work: the guacadmin user is able to get in and create users etc.) and I just want
my LDAP user credentials to work with machines created in the mysql database
instead.

I can validate via catalina.out that the LDAP (AD) user is able to
authenticate successfully; nothing else appears in the logs. But the
guacamole login page hesitates, then fails to log in, stating "Unable to query
list of objects from LDAP directory". My understanding is that it shouldn't
fail at that: I don't want machines/connection info pulled from LDAP, but
rather through the mysql database instead.

Is there anything that I'm missing here to force the guacamole system to
just look through mysql for connections?

Version 1.0.0.

Alternately, are there other logs that I can go and review to ensure
everything is working fine?

Thanks in advance!

V



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

Posted by vincemoya77 <vi...@outlook.com>.
Wanted to close this off on the LDAP authentication front. 

I enabled debug logging so I could get more details in catalina.out, and I
found that the ldap credentials for the user were working (auth successful)
and it matched an entry in mysql, but it failed when trying to query ldap,
which is what Mike noted in the first reply. Nothing special about the
failures though, as the log didn't even show what it failed on; it just stops.

A colleague noted that you can add additional search fields that tailor to
the users (active / full-time users), and that helped narrow down the search
so it was successful. The ldap user logged in and showed what's available
via the mysql database (permissions, connections etc.) and now I'm good.

Now to tweak it further with groups/lockdown, and to see how to automate
user creation in mysql to correspond to ldap.

Thanks all!




Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

Posted by vincemoya77 <vi...@outlook.com>.
So update since the last time I was here:

changed to the server name vs IP address, no difference. :(

It authenticates on LDAP, then fails after the failure to query objects in LDAP.
catalina.out doesn't show any further data; I was hoping the LDAP failure
would show up in another log.

I did try limiting items in LDAP, such as limit search query etc, and the
end result is that there is no timeout after logging in, it immediately
cites the error as described in the subject vs when I left it alone.

Is there any way to indicate on guacamole properties to go directly to mysql
for object/connection entries?
Does the order on how the guacamole properties matter (ie have mysql items
above, ldap items last?)

Thanks again




Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

Posted by vincemoya77 <vi...@outlook.com>.
Thanks for this, I will try with the server name vs IP. The logs tell me that
authenticating is fine with AD account credentials, so that's what's
puzzling. 

I did use another "admin" based AD account that has full privileges to read
the AD users and groups, and it behaved the same way (able to authenticate,
then fails at query list from LDAP)

Hopefully will get somewhere. 

Thanks!




Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

Posted by Zer0Cool <me...@gmail.com>.
I just noticed you have an IP in hostname for guac.properties.

That may work, but I was under the impression it had to be FQDN of the AD
server, ex:

myserver.company.com




Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

Posted by Zer0Cool <me...@gmail.com>.
A few things I found to help set this up.

First, the user you use for ldap-search-bind-dn MUST have the ability to
read other AD users and groups.

Next, I log in using the default/local Guacamole admin and create a new
user. This will be the first AD/LDAP user you want to have admin rights over
Guacamole.

So, if for example you have an AD account that's an admin, you likely want to
use that as your admin account for Guac too. You simply create a new user,
give them the exact same name as its AD/LDAP counterpart and then do
nothing else than check off all of the permissions boxes and hit save.

Log out and then log in with that AD account. Presuming it works, you should
now see all the AD users under the parameters you provided in
guacamole.properties. You won't have to create (within Guac) users for other
admins; you simply go to the user in guac and give them admin rights by
checking off the boxes in guac for it.

When they sign in, they should have admin rights like your account does.

Presuming it all works, I would recommend:
- Create another local admin account with a different name than the default
and a secure password. This account should not match any account in
AD/LDAP...make it unique.
- Disable (or I prefer deleting) the default guac admin account.

Lastly, I found ADExplorer to be very helpful for navigating, understanding
and testing stuff around in a Windows AD server. It allows me to more easily
navigate the AD/LDAP structure, shows full paths in cn=,ou=,dc=,dc= syntax
and allows creating/testing queries, etc. Great tool.

Hope this helps.




Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

Posted by vincemoya77 <vi...@outlook.com>.
Hi Nick

this is what I get in catalina.out (changing user names to generic)

INFO: Deployment of web application directory /var/lib/tomcat7/webapps/ROOT
has finished in 185 ms
Apr 05, 2019 9:38:21 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Apr 05, 2019 9:38:21 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 3930 ms
Fri Apr 05 09:38:40 EDT 2019 WARN: Establishing SSL connection without
server's identity verification is not recommended. According to MySQL
5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established
by default if explicit option isn't set. For compliance with existing
applications not using SSL the verifyServerCertificate property is set to
'false'. You need either to explicitly disable SSL by setting useSSL=false,
or set useSSL=true and provide truststore for server certificate
verification.
09:38:40.397 [http-bio-8080-exec-1] INFO  o.a.g.r.auth.AuthenticationService
- User "aduser" successfully authenticated from 10.0.1.2
09:39:00.827 [http-bio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService
- User "guacadmin" successfully authenticated from 10.0.1.2
Fri Apr 05 09:39:00 EDT 2019 WARN: Establishing SSL connection without
server's identity verification is not recommended. According to MySQL
5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established
by default if explicit option isn't set. For compliance with existing
applications not using SSL the verifyServerCertificate property is set to
'false'. You need either to explicitly disable SSL by setting useSSL=false,
or set useSSL=true and provide truststore for server certificate
verification.
Fri Apr 05 09:39:01 EDT 2019 WARN: Establishing SSL connection without
server's identity verification is not recommended. According to MySQL
5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established
by default if explicit option isn't set. For compliance with existing
applications not using SSL the verifyServerCertificate property is set to
'false'. You need either to explicitly disable SSL by setting useSSL=false,
or set useSSL=true and provide truststore for server certificate
verification.

guacadmin is a mysql account, not an AD account, and is successful in
logging in, and from there I can see the guacamole interface and add
machines etc.

aduser is the AD account that is successful in logging in, the login page
stalls for 2 seconds, then throws the error about unable to query list from
LDAP. 

just for testing, I created the same aduser in mysql database and assigned a
connection to it, thinking as per the other documentation I saw, as long as
the same user is present in mysql, it should use LDAP for authentication,
and link the mysql account over along with the connections. It doesn't do
that in my case. 

I was wondering if there's any other log to check to see why this is.

Thanks
V





Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

Posted by Nick Couchman <vn...@apache.org>.
>
> Is there anything else I'm missing here? It's an Active Directory setup.
> I've tried entering an LDAP user name and invalid password and immediately
> get Invalid Login. When I get the proper password, it stalls for a bit then
> it throws the error unable to query list. I don't believe I have anything
> enabled in the LDAP details above, but I could be wrong.
>
>
What does the catalina.out (Tomcat log) say during the failure?

-Nick

Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

Posted by vincemoya77 <vi...@outlook.com>.
Thanks Mike. 

This is what I have under LDAP section in guacamole.properties
(provided generic info, the proper info validates connection)
# LDAP properties
ldap-hostname: 10.0.0.1
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=company,DC=com
ldap-username-attribute: uid
ldap-search-bind-dn: CN=my ad reader account ,OU=Admin Users,DC=company,DC=com
ldap-search-bind-password: my ad reader account password
# note: ldap-username-attribute is set twice above and here; the later value (sAMAccountname) takes effect
ldap-username-attribute: sAMAccountname

Is there anything else I'm missing here? It's an Active Directory setup. 
I've tried entering an LDAP user name and invalid password and immediately
get Invalid Login. When I get the proper password, it stalls for a bit then
it throws the error unable to query list. I don't believe I have anything
enabled in the LDAP details above, but I could be wrong. 

Any help is much appreciated. 
Thanks!




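As an added check for the properties posted in this message (and for the resolution in the first reply, where narrowing the user search made the query succeed), the following Python script lints the LDAP section of a guacamole.properties file. It is not code from the thread or from the Guacamole project. It parses the file the way java.util.Properties does (a key given twice silently keeps the last value, which is what happens to ldap-username-attribute above), and flags an IP literal in ldap-hostname, cleartext LDAP, a missing ldap-user-search-filter, whitespace next to a comma in the bind DN, and whether ldap-config-base-dn is set. The sample properties are the posted placeholders with the wrapped DN line rejoined; ldap-user-search-filter and ldap-config-base-dn are real Guacamole LDAP property names, and the reading that connections are pulled from LDAP only when ldap-config-base-dn is set is my understanding of Mike's point, stated here as an assumption.

```python
"""Lint the LDAP section of a Guacamole guacamole.properties file.

Added example for this thread, not code from the Guacamole project. It parses
'key: value' / 'key=value' lines with java.util.Properties semantics (the last
duplicate wins) and reports the settings that caused trouble in the discussion.
"""
import ipaddress
import re

# Constructed sample: the posted LDAP section with the wrapped DN line rejoined.
# All values are placeholders.
SAMPLE_PROPERTIES = """\
# LDAP properties
ldap-hostname: 10.0.0.1
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=company,DC=com
ldap-username-attribute: uid
ldap-search-bind-dn: CN=my ad reader account ,OU=Admin Users,DC=company,DC=com
ldap-search-bind-password: my ad reader account password
ldap-username-attribute: sAMAccountname
"""

_KV = re.compile(r"^([^:=\s]+)\s*[:=]\s*(.*)$")


def parse_properties(text):
    """Return (values, duplicate_keys). Later occurrences overwrite earlier ones."""
    values = {}
    duplicates = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _KV.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key in values and key not in duplicates:
            duplicates.append(key)
        values[key] = value
    return values, duplicates


def is_ip_literal(host):
    """True when the hostname is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_ldap(values, duplicates):
    """Return a list of human-readable findings for the LDAP settings."""
    findings = []
    for key in duplicates:
        findings.append(f"duplicate key {key}: only the last value "
                        f"('{values[key]}') takes effect")

    if is_ip_literal(values.get("ldap-hostname", "")):
        findings.append("ldap-hostname is an IP literal; use the server's FQDN so the "
                        "name matches its certificate once ldap-encryption-method is "
                        "ssl or starttls")

    # Guacamole's default for ldap-encryption-method is none.
    if values.get("ldap-encryption-method", "none").lower() == "none":
        findings.append("ldap-encryption-method is none: the search-bind password and "
                        "user credentials cross the network in cleartext")

    if "ldap-user-search-filter" not in values:
        findings.append("no ldap-user-search-filter: the user query matches every "
                        "object under ldap-user-base-dn; a filter limited to user "
                        "objects, e.g. (objectClass=user) on AD, narrows it")

    # Assumption: connections are read from LDAP only when ldap-config-base-dn is set.
    if "ldap-config-base-dn" in values:
        findings.append("ldap-config-base-dn is set: connections will also be read from LDAP")

    dn = values.get("ldap-search-bind-dn", "")
    if re.search(r"\s,|,\s", dn):
        findings.append("ldap-search-bind-dn has whitespace next to a comma; an unescaped "
                        "trailing space is part of the RDN value (RFC 4514), so compare "
                        "the DN with the account's distinguishedName exactly")
    return findings


def lint_text(text):
    """Parse and lint in one step; returns the list of findings."""
    values, duplicates = parse_properties(text)
    return lint_ldap(values, duplicates)


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_PROPERTIES):
        print("-", finding)
```

Run it against the real file with `lint_text(open("/etc/guacamole/guacamole.properties").read())`; on the sample above it reports five findings, and a config with an FQDN, starttls, a single ldap-username-attribute, a clean DN and a search filter reports none.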

Re: LDAP Auth successful, mysql backend fine, but unable to query list from LDAP (I don't want this)

Posted by Mike Jumper <mj...@apache.org>.
On Thu, Apr 4, 2019 at 1:21 PM vincemoya77 <vi...@outlook.com> wrote:

> Hi all
>
> I've tried searching for relevant info regarding LDAP and mysql
> authentication, I believe I have everything set up accordingly (both
> plugins
> work - guacadmin user able to get in and create users etc) and I just want
> my LDAP user credentials to work with machines created in mysql database
> instead.
>
> I can validate via catalina.out regarding user authentication, the LDAP
> (AD)
> user is able to authenticate successfully, nothing else in logs. but the
> guacamole login page hesitates, then fails to log in stating Unable to
> query
> list of objects from LDAP directory. My understanding is that it shouldn't
> fail at that, I don't want machines/connection info pulled from LDAP, but
> rather through mysql database instead.
>

Unless you've configured it to query LDAP for connections, it won't. The
failure here is likely a failure to query the list of users.

- Mike