Posted to user@guacamole.apache.org by Vieri <re...@yahoo.com> on 2019/04/24 09:16:56 UTC

LDAP authentication and connection settings

Hi,

I am trying to configure LDAP authentication with connection details within the LDAP directory. Actually, I'm using AD instead of standard LDAP, but I'm pretty sure the objects have been created properly on the AD server (guacConfigParameter, guacConfigProtocol, guacConfigGroup).

I created a test "telnet" group called AlcatelPBXtelnet (objectClass: guacConfigGroup, guacConfigProtocol: telnet, etc.), and added my user as a member.

These are my config files:

# cat guacd.conf
[daemon]
log_level = debug

[server]
bind_host = 10.215.144.124

# cat guacamole.properties
guacd-hostname: 10.215.144.124
guacd-port: 4822

# LDAP
# auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
ldap-hostname: 10.215.144.35
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: cn=Users,dc=mydomain,dc=org
ldap-username-attribute: cn
ldap-user-search-filter: (&(objectClass=user)(sAMAccountName=*)(memberOf=cn=VPN,cn=Users,dc=mydomain,dc=org))
ldap-max-search-results: 4000

# ls extensions/
guacamole-auth-ldap-1.0.0.jar 

I can log into the Guacamole web UI, but I cannot see my configured connection (telnet).

I'm totally new to Tomcat so please bear with me. My /var/log/tomcat has several files:
catalina.*.log      
localhost.*.log
localhost_access_log.*.txt
host-manager.*.log
manager.*.log

I'm expecting to see LDAP debug messages in catalina.*.log files, but I see none.
I enabled a few things in /etc/tomcat/logging.properties, but it doesn't seem to make any difference regarding the LDAP extension.

Anyway, I resorted to grabbing a tcpdump on port 389 to see what guacamole was doing.
I can see a successful bindResponse, followed by a searchRequest wholeSubtree.
I can then see a list of all the users who actually belong to the VPN group. One of these is my user (CN=myuser,CN=Users,DC=mydomain,DC=org).
After the searchResEntry results I get an unbindRequest, and the connection finishes.

I'm guessing Guacamole is not finding the guac* objects.

I then added this to my guacamole.properties:

ldap-config-base-dn: cn=Schema,cn=Configuration,dc=mydomain,dc=org

The tcpdump shows a searchRequest on cn=Schema,cn=Configuration,dc=mydomain,dc=org and a searchResDone with 30 results.

However, when my user enters the Guacamole web UI there's no connection available.

A quick manual search shows this:

# ldapsearch -b 'cn=Schema,cn=Configuration,dc=mydomain,dc=org' -x -D admin -w passwd -h 10.215.144.35 | grep guac
# guacConfigParameter, Schema, Configuration, mydomain.org
dn: CN=guacConfigParameter,CN=Schema,CN=Configuration,DC=mydomain,DC=or
cn: guacConfigParameter
distinguishedName: CN=guacConfigParameter,CN=Schema,CN=Configuration,DC=mydoma
adminDisplayName: guacConfigParameter
adminDescription: guacConfigParameter
lDAPDisplayName: guacConfigParameter
name: guacConfigParameter
# guacConfigProtocol, Schema, Configuration, mydomain.org
dn: CN=guacConfigProtocol,CN=Schema,CN=Configuration,DC=mydomain,DC=org
cn: guacConfigProtocol
distinguishedName: CN=guacConfigProtocol,CN=Schema,CN=Configuration,DC=mydomai
adminDisplayName: guacConfigProtocol
adminDescription: guacConfigProtocol
lDAPDisplayName: guacConfigProtocol
name: guacConfigProtocol
# guacConfigGroup, Schema, Configuration, mydomain.org
dn: CN=guacConfigGroup,CN=Schema,CN=Configuration,DC=mydomain,DC=org
cn: guacConfigGroup
distinguishedName: CN=guacConfigGroup,CN=Schema,CN=Configuration,DC=mydomain
mustContain: guacConfigProtocol
mayContain: guacConfigParameter
adminDisplayName: guacConfigGroup
adminDescription: guacConfigGroup
lDAPDisplayName: guacConfigGroup
name: guacConfigGroup
defaultObjectCategory: CN=guacConfigGroup,CN=Schema,CN=Configuration,DC=mydoma

# ldapsearch -b 'cn=Users,dc=mydomain,dc=org' -x -D admin -w passwd -x -h10.215.144.35 | grep telnet
# AlcatelPBXtelnet, Users, mydomain.org
dn: CN=AlcatelPBXtelnet,CN=Users,DC=mydomain,DC=org
cn: AlcatelPBXtelnet
distinguishedName: CN=AlcatelPBXtelnet,CN=Users,DC=mydomain,DC=org
name: AlcatelPBXtelnet
guacConfigProtocol: telnet

What can I try?

Thanks,

Vieri
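The capture described above works because, with ldap-encryption-method set to none, the bind that the extension sends on port 389 is plain BER over TCP. The following is an added example (not Guacamole code and not part of the thread) that builds one such simple BindRequest with a tiny encoder and then parses it the way a sniffer would, to show exactly what crosses the wire; the DN, the password and the function names are made up for the example.

```python
"""
Encode and decode an LDAP simple BindRequest (RFC 4511) as it appears on port 389.

Added example, not Guacamole code. With ldap-encryption-method: none the
LDAPMessage below is what a capture contains for every login, so the user's
AD password is readable by anyone on the path. All values are constructed.
"""


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }.

    message_id must be < 128 so it fits a single positive INTEGER byte.
    """
    bind = _tlv(0x60,                                # [APPLICATION 0] BindRequest
                _tlv(0x02, b"\x03")                  # version INTEGER 3
                + _tlv(0x04, dn.encode())            # name LDAPDN (OCTET STRING)
                + _tlv(0x80, password.encode()))     # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)   # outer SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(packet: bytes) -> dict:
    """Parse a captured LDAPMessage and return the cleartext fields of a simple bind."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    tag, version, pos = _read_tlv(op, 0)
    tag, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL credentials carry tag 0xA3)")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": name.decode(),
        "password": auth.decode(),                   # visible: no TLS, no STARTTLS
    }


# Constructed sample: one login as seen by tcpdump on port 389 (made-up DN/password).
SAMPLE_BIND = encode_simple_bind(1, "cn=myuser,cn=Users,dc=mydomain,dc=org", "S3cret-pass")

if __name__ == "__main__":
    print(SAMPLE_BIND.hex())
    print(decode_bind_request(SAMPLE_BIND))
```

Running it prints the raw bytes and then the decoded DN and password. The practical caveat: the same capture that is useful for debugging here is also available to anyone who can sniff the segment between Tomcat and the domain controller, so once the configuration works, ldap-encryption-method should be switched to starttls or ssl (the latter on 636) so that this message is no longer readable.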

Re: LDAP authentication and connection settings

Posted by Vieri <re...@yahoo.com>.
On Wednesday, April 24, 2019, 8:56:20 PM GMT+2, Nick Couchman <vn...@apache.org> wrote:
>
> In order for the LDAP module to load connections from LDAP you need to specify the "ldap-config-base-dn" option in the guacamole.properties file.

Hi Nick,

You may not have seen the rest of my message as it appears truncated in your reply, but I did specify the "ldap-config-base-dn" option. The problem was that I had two issues:

1) its value was wrong. I used cn=Schema,cn=Configuration,dc=mydomain,dc=org when it should have been cn=Users,dc=mydomain,dc=org

2) Since the AD tree is very big and the searchResults can lead to Guacamole client issuing the error "Unable to query list of objects from LDAP directory.", I had applied an excessively restrictive filter. I now apply the following, and it seems to work fine:

ldap-user-search-filter: (|(&(objectClass=user)(sAMAccountName=*)(memberOf=cn=VPN,cn=Users,dc=mydomain,dc=org))(objectClass=guac*))
ldap-max-search-results: 4000

I can now properly authenticate *and* connect to RDP, telnet, ssh services by using LDAP/AD alone.

Thanks for the great software,

Vieri
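Both findings in this reply come down to which entries an LDAP search filter selects, and under which base DN. The following is an added example (not Guacamole or mailing-list code) that implements a small RFC 4515 filter evaluator and runs the original and the corrected ldap-user-search-filter against constructed entries: the original filter returns the user but never the guacConfigGroup object, the OR'ed one returns both, and a search rooted at cn=Schema,cn=Configuration finds only the classSchema definition of guacConfigGroup rather than an instance of it. The entries, the member/memberOf values and the shape of the final connection-lookup filter are assumptions made for the example, not copied from the extension's source.

```python
"""
Evaluate RFC 4515 search filters against in-memory directory entries.

Added example, not Guacamole code. Supports (&...), (|...), (!...), equality,
presence (attr=*) and substring (guac*) items; attribute names and values are
matched case-insensitively, as Active Directory does. Entries are constructed.
"""
import re

# Constructed entries (made-up DNs); every attribute is multi-valued.
ENTRIES = {
    "CN=myuser,CN=Users,DC=mydomain,DC=org": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["myuser"],
        "memberOf": ["CN=VPN,CN=Users,DC=mydomain,DC=org",
                     "CN=AlcatelPBXtelnet,CN=Users,DC=mydomain,DC=org"],
    },
    "CN=AlcatelPBXtelnet,CN=Users,DC=mydomain,DC=org": {
        "objectClass": ["top", "guacConfigGroup"],
        "guacConfigProtocol": ["telnet"],
        "member": ["CN=myuser,CN=Users,DC=mydomain,DC=org"],
    },
    # The schema container holds the class *definition*, not a connection.
    "CN=guacConfigGroup,CN=Schema,CN=Configuration,DC=mydomain,DC=org": {
        "objectClass": ["top", "classSchema"],
        "lDAPDisplayName": ["guacConfigGroup"],
    },
}


def parse(s: str, pos: int = 0):
    """Recursive-descent parser; returns (ast, next_pos) with a tuple-tree AST."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    op = s[pos]
    if op in "&|":
        pos += 1
        subs = []
        while pos < len(s) and s[pos] == "(":
            node, pos = parse(s, pos)
            subs.append(node)
        node = (op, subs)
    elif op == "!":
        inner, pos = parse(s, pos + 1)
        node = ("!", inner)
    else:
        end = s.index(")", pos)                 # values cannot contain a raw ')'
        attr, sep, value = s[pos:end].partition("=")   # split on the FIRST '='
        if not attr or not sep:
            raise ValueError(f"bad filter item at {pos}")
        node = ("=", attr, value)
        pos = end
    if s[pos] != ")":
        raise ValueError(f"expected ')' at {pos}")
    return node, pos + 1


def _values(entry: dict, attr: str) -> list:
    """Case-insensitive attribute lookup."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    vals = _values(entry, attr)
    if pattern == "*":                          # presence filter
        return bool(vals)
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))   # substring
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in vals)


def search(base_dn: str, filter_str: str) -> list:
    """DNs in the whole subtree under base_dn (base included) that match the filter."""
    ast, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    base = base_dn.lower()
    return sorted(dn for dn, e in ENTRIES.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base))
                  and matches(ast, e))


ORIGINAL_FILTER = "(&(objectClass=user)(sAMAccountName=*)(memberOf=cn=VPN,cn=Users,dc=mydomain,dc=org))"
FIXED_FILTER = "(|" + ORIGINAL_FILTER + "(objectClass=guac*))"
# Illustrative shape of a connection lookup for one user (assumption, not the extension's query).
CONNECTION_LOOKUP = "(&(objectClass=guacConfigGroup)(member=CN=myuser,CN=Users,DC=mydomain,DC=org))"

if __name__ == "__main__":
    for base, flt in [("cn=Users,dc=mydomain,dc=org", ORIGINAL_FILTER),
                      ("cn=Users,dc=mydomain,dc=org", FIXED_FILTER),
                      ("cn=Schema,cn=Configuration,dc=mydomain,dc=org", "(objectClass=guacConfigGroup)"),
                      ("cn=Users,dc=mydomain,dc=org", CONNECTION_LOOKUP)]:
        print(base, flt, "->", search(base, flt))
```

The point to take from the schema case is that cn=Schema,cn=Configuration contains classSchema entries describing guacConfigGroup; the entries Guacamole needs are the ones whose objectClass is guacConfigGroup, which live wherever they were created (here under cn=Users), so that is what ldap-config-base-dn must point at. A filter that only ever matches objectClass=user can never return them no matter which base is used.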

Re: LDAP authentication and connection settings

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Apr 24, 2019 at 5:17 AM Vieri <re...@yahoo.com> wrote:

> Hi,
>
> I am trying to configure LDAP authentication with connection details
> within the LDAP directory. Actually, I'm using AD instead of standard LDAP,
> but I'm pretty sure the objects have been created properly on the AD server
> (guacConfigParameter, guacConfigProtocol, guacConfigGroup).
>
> I created a test "telnet" group called AlcatelPBXtelnet (objectClass:
> guacConfigGroup, guacConfigProtocol: telnet, etc.), and added my user as a
> member.
>
> These are my config files:
>
> # cat guacd.conf
> [daemon]
> log_level = debug
>
> [server]
> bind_host = 10.215.144.124
>
> # cat guacamole.properties
> guacd-hostname: 10.215.144.124
> guacd-port: 4822
>
> # LDAP
> # auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
> ldap-hostname: 10.215.144.35
> ldap-port: 389
> ldap-encryption-method: none
> ldap-user-base-dn: cn=Users,dc=mydomain,dc=org
> ldap-username-attribute: cn
> ldap-user-search-filter:
> (&(objectClass=user)(sAMAccountName=*)(memberOf=cn=VPN,cn=Users,dc=mydomain,dc=org))
> ldap-max-search-results: 4000
>
> # ls extensions/
> guacamole-auth-ldap-1.0.0.jar
>
> I can log into the Guacamole web UI, but I cannot see my configured
> connection (telnet).
>

In order for the LDAP module to load connections from LDAP you need to
specify the "ldap-config-base-dn" option in the guacamole.properties file.

-Nick