Posted to user@guacamole.apache.org by Maik Heinelt <ma...@servgate.co.jp.INVALID> on 2021/10/17 23:44:37 UTC
Difficulty to get LDAP working with Guacamole
I am trying to get the LDAP extension to work with our Guacamole 1.3 installation.
MySQL authentication is working just fine, but LDAP doesn't show up.
I did install our Windows AD server with the LDAP addon, installed the v1.3 LDAP .jar extension
and also added the configuration at guacamole.properties as explained at this manual <https://guacamole.apache.org/doc/gug/ldap-auth.html>.
But when I log in as user guacadmin and check the user, there is no LDAP tab and also no LDAP user.
Do I have to compile Guacamole with LDAP features to get it working?
Also, maybe someone has a hint on how to debug and actually get logs about the Guacamole authentication.
Any help is much appreciated.
Best Regards / Mit freundlichen Grüßen
Maik Heinelt
Geschäftsführer/CEO
LDAP authentication not working
Posted by Maik Heinelt <ma...@servgate.co.jp.INVALID>.
I am not getting LDAP authentication with my Windows 2019 server to work.
My guacamole.properties looks as follows:
guacd-hostname: localhost
guacd-port: 4822
GUACAMOLE_HOME: /etc/guacamole
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# LDAP properties
ldap-hostname: MyWin2019Server
ldap-port: 389
ldap-encryption-method: none
ldap-username-attribute: sAMAccountName
ldap-user-base-dn: OU=Users,DC=mydomain,DC=local
ldap-search-bind-dn: CN=Administrator,CN=Users,DC=mydomain,DC=local
ldap-search-bind-password: GoodPassword
I got the ldap-search-bind-dn from the server LDAP admin properties >> Attribute Editor >> distinguishedName, so I am pretty sure this should be correct.
I am able to reach the LDAP without errors, using SSL or no encryption, via the Guacamole server command line using ldapsearch.
When looking at the catalina.out log file, there is no error or warning shown when I try to authenticate via LDAP.
Just a "WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 153.156.182.53 for user "MyUser" failed."
Please correct me if I am wrong, but my understanding is, I should be able to authenticate with every user with its account name who is at the Users OU.
Maik
Re: Difficulty to get LDAP working with Guacamole
Posted by Maik Heinelt <ma...@servgate.co.jp.INVALID>.
From: "Maik Heinelt" <ma...@servgate.co.jp.INVALID>
To: user@guacamole.apache.org
Sent: Monday, October 18, 2021 9:01:17 AM
Subject: Re: Difficulty to get LDAP working with Guacamole
> > On Sun, Oct 17, 2021 at 7:45 PM Maik Heinelt <ma...@servgate.co.jp.invalid> wrote:
> > > I am trying to get the LDAP extension to work with our Guacamole 1.3 installation.
> > > MySQL authentication is working just fine, but LDAP doesn't show up.
> > > I did install our Windows AD server with the LDAP addon, installed the v1.3 LDAP .jar extension
> > > and also added the configuration at guacamole.properties as explained at this manual <https://guacamole.apache.org/doc/gug/ldap-auth.html>.
> > > But when I log in as user guacadmin and check the user, there is no LDAP tab and also no LDAP user.
> > This is expected - unless you sign in with an LDAP user, you will not see the LDAP tab, any LDAP groups, or LDAP users. This is because the LDAP extension uses the LDAP username and password to do any/all LDAP searches (with the exception of the initial search), so a database user will not have access.
> > There are two ways around this:
> > * Manually create a matching user in the database for one of the LDAP users and assign it administrative privileges.
> > * Enable automatic JDBC account creation and then assign the auto-created user account(s) whatever privileges required.
> > -Nick
> Hi Nick, thank you for the quick reply.
> I tried to log in with several AD users, but login fails. For testing, I have allowed the users OU to be able to log in at Guacamole,
> but since I don't know any log where I can actually see if the LDAP search actually works, it is difficult for me to debug if the issue is
> in Guacamole or maybe at the communication with the AD.
> Maik
I am still not getting LDAP authentication working.
My guacamole.properties looks as follows:
# LDAP properties
ldap-hostname: MyWin2019Server
ldap-port: 389
ldap-encryption-method: none
ldap-username-attribute: sAMAccountName
ldap-user-base-dn: OU=Users,DC=mydomain,DC=local
ldap-search-bind-dn: CN=Administrator,CN=Users,DC=mydomain,DC=local
ldap-search-bind-password: GoodPassword
I got the ldap-search-bind-dn from the server LDAP admin properties >> Attribute Editor >> distinguishedName, so I am pretty sure this should be correct.
I am able to reach the LDAP without errors, using SSL or no encryption, via the Guacamole server command line using ldapsearch.
When looking at the catalina.out log file, there is no error or warning shown when I try to authenticate via LDAP.
Just a "WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 153.156.182.53 for user "MyUser" failed."
Please correct me if I am wrong, but my understanding is, I should be able to authenticate with every user with its account name who is at the Users OU.
Maik
Re: Difficulty to get LDAP working with Guacamole
Posted by Maik Heinelt <ma...@servgate.co.jp.INVALID>.
> On Sun, Oct 17, 2021 at 7:45 PM Maik Heinelt <ma...@servgate.co.jp.invalid> wrote:
> > I am trying to get the LDAP extension to work with our Guacamole 1.3 installation.
> > MySQL authentication is working just fine, but LDAP doesn't show up.
> > I did install our Windows AD server with the LDAP addon, installed the v1.3 LDAP .jar extension
> > and also added the configuration at guacamole.properties as explained at this manual <https://guacamole.apache.org/doc/gug/ldap-auth.html>.
> > But when I log in as user guacadmin and check the user, there is no LDAP tab and also no LDAP user.
> This is expected - unless you sign in with an LDAP user, you will not see the LDAP tab, any LDAP groups, or LDAP users. This is because the LDAP extension uses the LDAP username and password to do any/all LDAP searches (with the exception of the initial search), so a database user will not have access.
> There are two ways around this:
> * Manually create a matching user in the database for one of the LDAP users and assign it administrative privileges.
> * Enable automatic JDBC account creation and then assign the auto-created user account(s) whatever privileges required.
> -Nick
Hi Nick, thank you for the quick reply.
I tried to log in with several AD users, but login fails. For testing, I have allowed the users OU to be able to log in at Guacamole,
but since I don't know any log where I can actually see if the LDAP search actually works, it is difficult for me to debug if the issue is
in Guacamole or maybe at the communication with the AD.
Maik
Re: Difficulty to get LDAP working with Guacamole
Posted by Nick Couchman <vn...@apache.org>.
On Sun, Oct 17, 2021 at 7:45 PM Maik Heinelt <ma...@servgate.co.jp.invalid>
wrote:
> I am trying to get the LDAP extension to work with our Guacamole 1.3
> installation.
> MySQL authentication is working just fine, but LDAP doesn't show up.
> I did install our Windows AD server with the LDAP addon, installed the
> v1.3 LDAP .jar extension
> and also added the configuration at guacamole.properties as explained at
> this manual. <https://guacamole.apache.org/doc/gug/ldap-auth.html>
> But when I login as user guacadmin and check the user, there is no LDAP
> tab and also no LDAP user.
>
This is expected - unless you sign in with an LDAP user, you will not see
the LDAP tab, any LDAP groups, or LDAP users. This is because the LDAP
extension uses the LDAP username and password to do any/all LDAP searches
(with the exception of the initial search), so a database user will not
have access.
There are two ways around this:
* Manually create a matching user in the database for one of the LDAP users
and assign it administrative privileges.
* Enable automatic JDBC account creation and then assign the auto-created
user account(s) whatever privileges required.
-Nick
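
The reply above distinguishes the initial search (done with ldap-search-bind-dn) from everything done afterwards with the user's own credentials. The following is an added example, not part of any message in this thread and not Guacamole code: it reads guacamole.properties and prints the ldapsearch and ldapwhoami commands corresponding to those two steps, so each can be run by hand on the Guacamole server. The helper names, the temporary file and the user DN in the demo are assumptions, and the search filter is a simplified equivalent of the one the extension sends.

```shell
# Added example: print (not run) the LDAP client commands for each step.
# prop FILE KEY [DEFAULT]: trimmed value of the last "KEY: value" line.
prop() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    printf '%s' "${v:-$3}"
}

# ldap_target FILE: URI (plus -ZZ for StartTLS) from ldap-encryption-method.
ldap_target() {
    host=$(prop "$1" ldap-hostname localhost)
    case $(prop "$1" ldap-encryption-method none) in
        ssl)      printf 'ldaps://%s:%s' "$host" "$(prop "$1" ldap-port 636)" ;;
        starttls) printf 'ldap://%s:%s -ZZ' "$host" "$(prop "$1" ldap-port 389)" ;;
        none)     printf 'ldap://%s:%s' "$host" "$(prop "$1" ldap-port 389)" ;;
        *)        return 1 ;;   # unknown method: refuse to guess
    esac
}

# search_cmd FILE USER: step 1, bind as ldap-search-bind-dn and look up USER.
search_cmd() {
    case $2 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac  # no filter metacharacters
    target=$(ldap_target "$1") || return 1
    printf "ldapsearch -x -H %s -D '%s' -W -b '%s' -s sub '(%s=%s)' dn\n" \
        "$target" "$(prop "$1" ldap-search-bind-dn)" \
        "$(prop "$1" ldap-user-base-dn)" "$(prop "$1" ldap-username-attribute uid)" "$2"
}

# bind_cmd FILE DN: step 2, bind as the DN found in step 1 (user's own password).
bind_cmd() {
    target=$(ldap_target "$1") || return 1
    printf "ldapwhoami -x -H %s -D '%s' -W\n" "$target" "$2"
}

# Constructed sample: the LDAP properties as posted in this thread.
sample_props() {
    cat > "$1" <<'EOF'
ldap-hostname: MyWin2019Server
ldap-port: 389
ldap-encryption-method: none
ldap-username-attribute: sAMAccountName
ldap-user-base-dn: OU=Users,DC=mydomain,DC=local
ldap-search-bind-dn: CN=Administrator,CN=Users,DC=mydomain,DC=local
EOF
}

f=$(mktemp) && sample_props "$f"
search_cmd "$f" MyUser
bind_cmd "$f" 'CN=MyUser,OU=Users,DC=mydomain,DC=local'   # hypothetical DN
rm -f "$f"
```

The printed commands use -W so the password is prompted for instead of appearing on the command line; with ldap-encryption-method: none both binds still send it over the network unencrypted.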