Posted to user@guacamole.apache.org by ha...@faa.gov on 2017/12/01 16:11:09 UTC

RE: Configuring LDAP

Just wondering if anyone has any ideas on how the LDAP is configured below?  This still isn’t working for me and I’d like to know why.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 27, 2017 1:49 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

Here’s my current /etc/guacamole/guacamole.properties file:

#MySQL properties
mysql-hostname: localhost
mysql-port:3306
mysql-database: guacdb
mysql-username: guacuser
mysql-password: guacadmin
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user:0

#LDAP properties
ldap-hostname:my.hostname
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn=Directory Manager
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
#ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com


When I use the ldap-username-attribute:cn setting, I get the error where the Multiple DNs are what’s being complained about.  If I use the other one (the commented out one above), I simply get “Authentication attempted …… failed”.  We use the “cn=users,cn=accounts” string in other projects where we communicate with our LDAP server, so I’m pretty sure that’s correct.

Thanks,
Harry

From: Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
Sent: Monday, November 27, 2017 12:38 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, you said you tried "modifying ldap-username-attribute to be cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm. Ldap-username-attribute should be an LDAP attribute name like cn. Could you post your complete (redacted) guacamole.properties as you have it currently?

Also, I saw that on a previous attempt today you got the log message:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]

If you have two users under your search base with uid (or cn, or whatever you are using for ldap-username-attribute) "harry.devine" you are going to have to use a more specific search base or a more unique ldap-username-attribute or a more restrictive search filter so that you don't get multiple matches for the username you are typing into the username field on the login page.

I.e., the attribute you match against has to uniquely identify the user beneath your search base for your query.

-Jonathan Hankins

On Mon, Nov 27, 2017, 10:10 AM Nick Couchman <vn...@apache.org> wrote:
On Mon, Nov 27, 2017 at 10:02 AM, <ha...@faa.gov> wrote:
OK, so I tried that, including modifying ldap-username-attribute to be cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel we’re getting very close.


What LDAP server are you running?  You probably mentioned it already somewhere in this thread, and I'm going to guess Active Directory, but just want to make sure?  If it's OpenLDAP then it is quite possible it is configured to disallow logins without some form of encryption (although I wouldn't expect the search bind to work in this case, but who knows).  AD doesn't usually have those restrictions, but depending on the environment, it actually might require encryption, as well.  Other than that, it would be useful to get a log from the LDAP server that indicates why it is failing authentication - if it believes the password is wrong, or if it is throwing some other sort of error.  I realize that you might be in an organization where you don't have access to that server or those logs, but, if you do, that would be helpful.

-Nick

This e-mail is intended only for the recipient and may contain confidential or proprietary information. If you are not the intended recipient, the review, distribution, duplication or retention of this message and its attachments is prohibited. Please notify the sender of this error immediately by reply e-mail, and permanently delete this message and its attachments in any form in which they may have been preserved.
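The warnings Jonathan quotes above are the main diagnostic signal in this thread. As an added example that is not part of the original thread or of the Guacamole project, the Python below pulls the relevant events out of syslog-style text (the sample lines are constructed, modelled on the /var/log/messages entries quoted in this thread) and, for every "Multiple DNs possible" warning, computes the base all candidate DNs share plus the narrower bases an administrator could choose instead, which is the search-base decision Jonathan describes.

```python
"""Triage Guacamole LDAP-extension warnings in syslog-style text (added example)."""
import re

# Message patterns as they appear in the warnings quoted in this thread.
MULTI_DN_RE = re.compile(r'Multiple DNs possible for user "([^"]+)": \[(.*)\]')
AMBIGUOUS_RE = re.compile(r'Possibly ambiguous user account: "([^"]+)"')
QUERY_FAIL_RE = re.compile(r'Could not query list of all users for attribute "([^"]+)"')
FAILED_RE = re.compile(r'Authentication attempt from (\S+) for user "([^"]+)" failed')
SUCCESS_RE = re.compile(r'User "([^"]+)" successfully authenticated from (\S+?)\.?$')

# Constructed sample lines modelled on the log entries quoted in this thread.
SAMPLE_LOG = """\
Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "harry.devine" failed.
Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully authenticated from 172.31.26.216.
Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon Moen".
Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Could not query list of all users for attribute "cn": Error while querying users.
"""


def split_dn_list(text):
    """Split the bracketed DN list on the ', ' between whole DNs; commas inside a
    DN are not followed by whitespace in this log format."""
    return [dn.strip() for dn in re.split(r',\s+(?=[A-Za-z][\w-]*=)', text) if dn.strip()]


def parent_dn(dn):
    """DN with its leftmost RDN removed (assumes no escaped commas in that RDN)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def common_base(dns):
    """Longest RDN suffix shared by all DNs, compared case-insensitively. Any base
    at or above this level still matches every candidate, so the base has to be
    narrowed below it (or the attribute / filter changed) to remove the ambiguity."""
    split = [[rdn.strip().lower() for rdn in dn.split(",")] for dn in dns]
    shared = []
    for rdns in zip(*(reversed(s) for s in split)):
        if len(set(rdns)) != 1:
            break
        shared.append(rdns[0])
    return ",".join(reversed(shared))


def triage(log_text):
    """Summarise LDAP-related auth events and, for each 'Multiple DNs' warning,
    list the narrower bases (the parent of each candidate DN) an admin could pick."""
    report = {"multiple_dns": {}, "possibly_ambiguous": [], "query_errors": [],
              "failed": [], "succeeded": []}
    for line in log_text.splitlines():
        if m := MULTI_DN_RE.search(line):
            dns = split_dn_list(m.group(2))
            report["multiple_dns"][m.group(1)] = {
                "dns": dns,
                "common_base": common_base(dns),
                "candidate_bases": sorted({parent_dn(d) for d in dns}),
            }
        elif m := AMBIGUOUS_RE.search(line):
            report["possibly_ambiguous"].append(m.group(1))
        elif m := QUERY_FAIL_RE.search(line):
            report["query_errors"].append(m.group(1))
        elif m := FAILED_RE.search(line):
            report["failed"].append((m.group(2), m.group(1)))
        elif m := SUCCESS_RE.search(line):
            report["succeeded"].append((m.group(1), m.group(2)))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

For the Nov 27 warning the shared base comes out as dc=example,dc=com, which is exactly the ldap-user-base-dn in the posted properties file, and the two candidate bases are the cn=accounts and cn=compat subtrees; picking one of them is the narrowing Jonathan recommends.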

RE: Configuring LDAP

Posted by ha...@faa.gov.
OK, I was able to get it working better now.  In our system, cn is the Common Name, but the user id is retrieved by the uid property.  Once I set it to that, I was able to get in fine.  Now onto trying to get port 636 to work.

Thanks,
Harry

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Friday, December 01, 2017 2:59 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Fri, Dec 1, 2017 at 10:37 AM, <ha...@faa.gov> wrote:
OK I was able to get it to log in.  Here’s what I changed in my guacamole.properties to make it work:
ldap-search-bind-dn:cn=”Directory Manager”
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com

So the user logs in fine, but in /var/log/messages, I get the following errors that I’m not sure are relevant or not:
Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully authenticated from 172.31.26.216.
Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon Moen".
Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve Smith".
Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Could not query list of all users for attribute "cn": Error while querying users.

Guacamole is warning you that you have multiple users which map to the same username. Those users will likely be unable to log in, as Guacamole will not be able to determine with certainty which DN corresponds to those usernames.

You need to double-check your LDAP directory structure with respect to the configuration within guacamole.properties to determine why multiple users (multiple, distinct DNs) map to the same username. Something within the LDAP directory structure, the configuration, or both, is causing sanity checks for username uniqueness to fail, and the underlying problem needs to be corrected for things to work as expected.

- Mike


Re: Configuring LDAP

Posted by Mike Jumper <mi...@guac-dev.org>.
On Fri, Dec 1, 2017 at 10:37 AM, <ha...@faa.gov> wrote:

> OK I was able to get it to log in.  Here’s what I changed in my
> guacamole.properties to make it work:
>
> ldap-search-bind-dn:cn=”Directory Manager”
>
> ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
>
>
>
> So the user logs in fine, but in /var/log/messages, I get the following
> errors that I’m not sure are relevant or not:
>
> Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO
> o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully
> authenticated from 172.31.26.216.
>
> Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon
> Moen".
>
> Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account:
> "Steve Smith".
>
> Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Could not query list of all users for
> attribute "cn": Error while querying users.
>
>
Guacamole is warning you that you have multiple users which map to the same
username. Those users will likely be unable to log in, as Guacamole will
not be able to determine with certainty which DN corresponds to those
usernames.

You need to double-check your LDAP directory structure with respect to the
configuration within guacamole.properties to determine why multiple users
(multiple, distinct DNs) map to the same username. Something within the
LDAP directory structure, the configuration, or both, is causing sanity
checks for username uniqueness to fail, and the underlying problem needs to
be corrected for things to work as expected.

- Mike
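Mike's explanation above, like Jonathan's earlier in the thread, comes down to one check: under the configured base, the username attribute must select exactly one entry. As an added example (not code from the Guacamole project, and only an approximation of what its LDAP extension does at login), the Python below runs that check against a constructed in-memory directory modelled on the DNs quoted in the thread. It shows the ambiguity with base dc=example,dc=com, the unique match once the base is narrowed to cn=users,cn=accounts,dc=example,dc=com, why cn finds nothing where uid works when cn holds a display name (Harry's finding that uid is the login name in his directory), and which cn values would be reported as possibly ambiguous. The DN parser handles backslash escapes and the quoted-value form but not multi-valued RDNs, and comparing values case-insensitively is an assumption that holds for cn, uid, ou and dc but not for every attribute.

```python
"""Model Guacamole's username-to-DN lookup on a constructed directory (added example)."""


def parse_dn(dn):
    """Split a DN into [(type, value), ...] RDNs. Handles backslash escapes and the
    quoted-value form (OU="Some Name"), but not multi-valued RDNs joined with '+'.
    Types and values are lower-cased, which assumes case-insensitive attributes."""
    rdns, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        parsed.append((attr_type.strip().lower(), value.strip().lower()))
    return parsed


def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies anywhere beneath it (subtree scope)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


# Constructed directory modelled on the DNs quoted in this thread (sample data only).
# The same person exists under cn=accounts and under cn=compat with the same uid,
# and two different people share the display name "Jon Moen".
DIRECTORY = [
    {"dn": "uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com", "uid": "harry.devine", "cn": "Harry Devine"},
    {"dn": "uid=harry.devine,cn=users,cn=compat,dc=example,dc=com",   "uid": "harry.devine", "cn": "Harry Devine"},
    {"dn": "uid=jmoen,cn=users,cn=accounts,dc=example,dc=com",        "uid": "jmoen",        "cn": "Jon Moen"},
    {"dn": "uid=jmoen2,cn=users,cn=accounts,dc=example,dc=com",       "uid": "jmoen2",       "cn": "Jon Moen"},
]


def resolve_user_dn(directory, base_dn, username_attribute, username):
    """Approximate the login-time lookup: entries under base_dn whose
    username_attribute equals the typed username. Exactly one match is the only
    acceptable outcome; several corresponds to the 'Multiple DNs possible' warning."""
    matches = [e["dn"] for e in directory
               if is_under(e["dn"], base_dn)
               and e.get(username_attribute, "").lower() == username.lower()]
    if len(matches) == 1:
        return ("ok", matches[0])
    return ("ambiguous", matches) if matches else ("none", [])


def duplicate_usernames(directory, base_dn, username_attribute):
    """Values of username_attribute shared by more than one entry under base_dn,
    i.e. the accounts that would be flagged as 'Possibly ambiguous'."""
    seen = {}
    for e in directory:
        value = e.get(username_attribute)
        if value is not None and is_under(e["dn"], base_dn):
            seen.setdefault(value.lower(), []).append(e["dn"])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    # Original base: ambiguous. Narrowed base: unique. cn instead of uid: no match.
    print(resolve_user_dn(DIRECTORY, "dc=example,dc=com", "uid", "harry.devine"))
    print(resolve_user_dn(DIRECTORY, "cn=users,cn=accounts,dc=example,dc=com", "uid", "harry.devine"))
    print(resolve_user_dn(DIRECTORY, "cn=users,cn=accounts,dc=example,dc=com", "cn", "harry.devine"))
    print(duplicate_usernames(DIRECTORY, "cn=users,cn=accounts,dc=example,dc=com", "cn"))
```

The same duplicate_usernames check run with uid instead of cn returns nothing for this directory, which is the property the extension is enforcing: whatever attribute is configured must be unique across the whole subtree under the base, not just for the account that happens to be logging in.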

Re: Configuring LDAP

Posted by Erik Berndt <er...@superiorpaving.net>.
>Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN
o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon
Moen".
>Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN
o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve
Smith".

Are these users able to login successfully? Do they appear in the user list
when logged in to the admin console?

Double check that the ldap-user-base-dn is at the root of the AD structure
and the ldap-search-bind-dn user is correctly qualified. As Mike said, try
fully qualifying the base-dn attribute and post results. It may be that the
ldap-auth module is querying your AD and returning incomplete information
due to this not being fully qualified.

Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net


RE: Configuring LDAP

Posted by ha...@faa.gov.
OK I was able to get it to log in.  Here’s what I changed in my guacamole.properties to make it work:
ldap-search-bind-dn:cn=”Directory Manager”
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com

So the user logs in fine, but in /var/log/messages, I get the following errors that I’m not sure are relevant or not:
Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully authenticated from 172.31.26.216.
Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon Moen".
Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve Smith".
Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Could not query list of all users for attribute "cn": Error while querying users.

VERY close now!  Thoughts?
Harry

From: Erik Berndt [mailto:erikberndt@superiorpaving.net]
Sent: Friday, December 01, 2017 12:19 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

I don't know if you paraphrased the config file, but I noticed the ldap-search-bind-dn common name doesn't have the space escaped. I wonder if guacd is treating the ldap-search-bind-dn cn as two separate entries, hence the "Multiple DNs possible" error?

I'm not sure if it's required or not, but I fully qualified each LDAP parameter i.e. ldap-search-bind-dn: CN="Directory Manager",OU=foo,DC=faa,DC=gov" and it's working successfully for us. The search-bind-dn user should be part of the base-dn in case it isn't already.

The relevant LDAP attributes from our working configuration are below.

ldap-hostname: dc.local
ldap-port: 389
ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-dn: CN=guacamole,OU="Information Technology",OU=Office,OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-password: XXXXX


Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net



Re: Configuring LDAP

Posted by Erik Berndt <er...@superiorpaving.net>.
I don't know if you paraphrased the config file, but I noticed the
ldap-search-bind-dn common name doesn't have the space escaped. I wonder if
guacd is treating the ldap-search-bind-dn cn as two separate entries, hence
the "Multiple DNs possible" error?

I'm not sure if it's required or not, but I fully qualified each LDAP
parameter i.e. ldap-search-bind-dn: CN="Directory
Manager",OU=foo,DC=faa,DC=gov" and it's working successfully for us. The
search-bind-dn user should be part of the base-dn in case it isn't already.

The relevant LDAP attributes from our working configuration are below.

ldap-hostname: dc.local
ldap-port: 389
ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-dn: CN=guacamole,OU="Information
Technology",OU=Office,OU="Superior Paving
Employees",DC=superiorpaving,DC=net
ldap-search-bind-password: XXXXX



Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net
