Posted to user@guacamole.apache.org by Tifaine RIVOIRE OPTI Sécurité <t....@optisecurite.fr> on 2023/06/14 12:26:39 UTC

Guacamole Extensions troubles

Hi,

I'm testing Guacamole and I want to configure some extensions.
I already set up Guacamole with docker-compose and the TOTP extension.

I have some trouble with the LDAP extension. In fact, I followed a lot of tutorials that show how to set it up.
I copied the .jar file into the extensions directory, but after a restart I can't log in with an AD user. I've seen that a new directory called ldap was created (just like totp) with the .jar & .ldif files.
I also tried to create a user with the same AD name and a blank password in Guacamole, making sure to select the create-connection permission.

When I connect, Guacamole tells me wrong password, but it is the correct one in my AD.
I also see some forwarded communications (through the firewall) from my Guacamole server to my AD.

Can you help me understand why I can't log in with an AD account?

Here is part of my docker-compose file:

 # guacamole
  guacamole:
    container_name: guacamole_compose
    depends_on:
    - guacd
    - postgres
    environment:
      ACCEPT_EULA: "Y"
      EXTENSIONS: auth-ldap,auth-totp
      GUACD_HOSTNAME: guacd
      POSTGRES_DATABASE: guacamole_db
      POSTGRES_HOSTNAME: postgres
      POSTGRES_PASSWORD: password
      POSTGRES_USER: guacamole_user
      TOTP_ENABLED: 'true'
      LDAP_ENABLED: 'true'

      # LDAP Connection
      LDAP_HOSTNAME: 192.168.87.20
      LDAP_PORT: 389
      LDAP_ENCRYPTION_METHOD: "none"

      # Mapping Guacamole usernames to LDAP DN's
      LDAP_USER_BASE_DN: "dc=AMG,dc=LAN"

      # Indirect Username Mapping
      LDAP_SEARCH_BIND_DN: "CN=admin,CN=Users,DC=AMG,DC=lan"
      LDAP_SEARCH_BIND_PASSWORD: "password"

      # Mapping Guacamole groups to LDAP DN's
      LDAP_USERNAME_ATTRIBUTE: "uid"
      LDAP_USER_SEARCH_FILTER: "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Utilisateurs,DC=AMG,DC=LAN))"
      LDAP_GROUP_BASE_DN: "dc=AMG,dc=LAN"
      LDAP_GROUP_NAME_ATTRIBUTE: "cn"

    image: guacamole/guacamole
    links:
    - guacd
    networks:
      guacnetwork_compose:
    ports:
    - 8080:8080/tcp
    restart: always
    privileged: true
    volumes:
      - NAS:/opt/guacamole/NAS



Cordialement,
T. RIVOIRE



Re: Guacamole Extensions troubles

Posted by Vincent Sherwood <vi...@itsolutions.ie>.
Take a look at your /var/log/messages (or the equivalent on non-Red-Hat clones).

You probably have errors like:

Jun 29 14:03:01 apps9 server[23692]: org.apache.guacamole.GuacamoleServerException: ""none"" is not a valid value for property "ldap-encryption-method". Valid values are: "none", "ssl", "starttls"

Jun 29 14:04:56 apps9 server[23765]: org.apache.guacamole.GuacamoleServerException: The DN ""dc=company,dc=country"" is invalid.


Try removing the quotes around the values in the

ldap-encryption-method:
ldap-user-base-dn:

fields. Our setup does not have them, and it authenticates correctly. If I add the quotes around them in the config file, I generate the errors above.

By the way, we also use a user group filter, which works correctly to limit the users who can log in, without causing any problems:

ldap-user-search-filter: (memberOf=cn=GuacamoleUsers,cn=Users,dc=company,dc=country)



AW: Guacamole Extensions troubles

Posted by Joachim Lindenberg <gu...@lindenberg.one>.
Imho you have a big issue already with authentication using no encryption at all.

Best Regards,

Joachim

 


Re: Guacamole Extensions troubles

Posted by Nick Couchman <vn...@apache.org>.
>
> 08:29:44.881 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "l.coelho" using LDAP server "192.168.87.20". Proceeding with next server...

The LDAP search has failed to locate this user account, which is why
authentication is failing.

>
>  # LDAP Connection
>
>       LDAP_HOSTNAME: 192.168.87.20
>
>       LDAP_PORT: 389
>
>       LDAP_ENCRYPTION_METHOD: "none"
>
>
>
>       # Mapping Guacamole usernames to LDAP DN’s
>
>       LDAP_USER_BASE_DN: "dc=AMG,dc=LAN"
>
>
>
>       # Indirect Username Mapping
>
>       LDAP_SEARCH_BIND_DN: CN=admin,CN=Users,DC=AMG,DC=lan
>
>       LDAP_SEARCH_BIND_PASSWORD: password
>
>       LDAP-USERNAME-ATTRIBUTE: sAMAccountName
>

I'm not sure if this is exactly how it's configured in your file, or
if this is from copying/pasting into an e-mail, but
"LDAP-USERNAME-ATTRIBUTE" should be "LDAP_USERNAME_ATTRIBUTE" - it
looks like you switched from underscores to dashes?

If you still have trouble, you may want to bump up the log level
(LOGBACK_LEVEL) and see what is actually happening in the LDAP
conversation. Note that you will get a _LOT_ of log messages - the
LDAP debugging is very verbose, and you'll probably want to change the
level, try logging in once, and then change it back, else you'll end
up with unmanageable levels of logs.

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
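A checker for the two configuration problems raised in this thread (Vincent's literal quotes around values and Nick's dashes-for-underscores variable name), together with the escaped user-lookup filter that the failing "Unable to determine DN" step corresponds to. This is an added example, not Guacamole's own code; the known-variable list, the DN syntax check and the sample block are constructed for it from the settings posted above.

```python
import re

# Values Guacamole accepts for ldap-encryption-method (listed in the
# error message quoted above).
VALID_ENCRYPTION = {"none", "ssl", "starttls"}

# LDAP_* variables used in this thread (a partial list built for this
# example; the extension understands more than these).
KNOWN_LDAP_VARS = {
    "LDAP_HOSTNAME", "LDAP_PORT", "LDAP_ENCRYPTION_METHOD",
    "LDAP_USER_BASE_DN", "LDAP_SEARCH_BIND_DN", "LDAP_SEARCH_BIND_PASSWORD",
    "LDAP_USERNAME_ATTRIBUTE", "LDAP_USER_SEARCH_FILTER",
    "LDAP_GROUP_BASE_DN", "LDAP_GROUP_NAME_ATTRIBUTE",
}
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")
ENV_LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_-]*)\s*:\s*(.*?)\s*$")

# Constructed sample: the LDAP block from the thread, exactly as pasted.
SAMPLE_BLOCK = """
      LDAP_HOSTNAME: 192.168.87.20
      LDAP_PORT: 389
      LDAP_ENCRYPTION_METHOD: "none"
      LDAP_USER_BASE_DN: "dc=AMG,dc=LAN"
      LDAP_SEARCH_BIND_DN: CN=admin,CN=Users,DC=AMG,DC=lan
      LDAP_SEARCH_BIND_PASSWORD: password
      LDAP-USERNAME-ATTRIBUTE: sAMAccountName
"""

def parse_env_block(text):
    """Read 'KEY: value' lines as pasted, keeping literal quotes exactly
    as typed; comment and blank lines are skipped."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            env[m.group(1)] = m.group(2)
    return env

def has_literal_quotes(value):
    """True when a value still carries surrounding quote characters, the
    cause of the ""none"" and ""dc=...,dc=..."" errors quoted above."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"

def valid_dn(dn):
    """Minimal DN syntax check: comma-separated attr=value RDNs."""
    return all(RDN_RE.match(p.strip()) for p in dn.split(","))

def lint_ldap_env(env):
    """Return a list of findings (strings) for a dict of LDAP_* settings."""
    findings = []
    for name, value in env.items():
        if not name.upper().startswith("LDAP"):
            continue
        if "-" in name:
            findings.append(f"{name}: dashes in variable name, use {name.replace('-', '_')}")
        elif name not in KNOWN_LDAP_VARS:
            findings.append(f"{name}: not in this checker's list of known variables")
        if has_literal_quotes(value):
            findings.append(f"{name}: value carries literal quotes {value}")
    enc = env.get("LDAP_ENCRYPTION_METHOD", "").strip("\"'")
    if enc and enc not in VALID_ENCRYPTION:
        findings.append(f"LDAP_ENCRYPTION_METHOD: {enc!r} is not one of {sorted(VALID_ENCRYPTION)}")
    elif enc == "none":
        findings.append("LDAP_ENCRYPTION_METHOD: none, the bind password crosses the network in clear text")
    for key in ("LDAP_USER_BASE_DN", "LDAP_SEARCH_BIND_DN", "LDAP_GROUP_BASE_DN"):
        if key in env and not valid_dn(env[key].strip("\"'")):
            findings.append(f"{key}: {env[key]} is not a syntactically valid DN")
    return findings

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed username cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_lookup_filter(username, username_attribute, user_search_filter=None):
    """The search issued under LDAP_USER_BASE_DN to find the user's DN: the
    username-attribute match ANDed with the optional LDAP_USER_SEARCH_FILTER
    (the step that fails in the "Unable to determine DN" log line above)."""
    clause = f"({username_attribute}={escape_filter_value(username)})"
    return f"(&{clause}{user_search_filter})" if user_search_filter else clause

if __name__ == "__main__":
    for finding in lint_ldap_env(parse_env_block(SAMPLE_BLOCK)):
        print(finding)
    print(user_lookup_filter("l.coelho", "sAMAccountName"))
```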


RE: Guacamole Extensions troubles

Posted by Luciano Oliveira <ol...@outlook.com>.
Hi,

Make sure that the user "admin" has read access to the OU=AMG and OU=Utilisateur.

Best regards,

Luciano de Oliveira
---------------------------------------------------
Telecommunications Technician - CFT
Network and Server Infrastructure
Certified in NEXANS Structured Cabling



RE: Guacamole Extensions troubles

Posted by Tifaine RIVOIRE OPTI Sécurité <t....@optisecurite.fr>.
Hi,

After conducting further research following Nick's response, I discovered that I don't need a search filter, so I removed it. My goal is to allow all users in my Active Directory (AD) to connect to Guacamole.

However, I'm still encountering issues with LDAP authentication. Specifically, when I attempt to connect with a user named l.coelho from my AD, the following logs are generated:

08:29:44.881 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "l.coelho" using LDAP server "192.168.87.20". Proceeding with next server...
08:29:44.882 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - User "l.coelho" did not successfully authenticate against any LDAP server.
08:29:44.883 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [X.X.X.X, 192.168.254.10] for user "l.coelho" failed.


I have already verified that I can successfully telnet to port 389 of my LDAP server, the encryption method is set correctly as "none," and I tested the LDAP connectivity using the ldapsearch command, which worked fine.

Interestingly, my admin can connect to the AD without any issues, as confirmed by the successful log entries in my AD logs.

I suspect that there might be a problem with my LDAP configuration in the Docker Compose file. Could you assist me in resolving this issue?
My users are in: OU=AMG,OU=Utilisateur,DC=AMG,DC=lan
My admin is in: OU=Users,DC=AMG,DC=lan

 # LDAP Connection
      LDAP_HOSTNAME: 192.168.87.20
      LDAP_PORT: 389
      LDAP_ENCRYPTION_METHOD: "none"

      # Mapping Guacamole usernames to LDAP DN’s
      LDAP_USER_BASE_DN: "dc=AMG,dc=LAN"

      # Indirect Username Mapping
      LDAP_SEARCH_BIND_DN: CN=admin,CN=Users,DC=AMG,DC=lan
      LDAP_SEARCH_BIND_PASSWORD: password
      LDAP-USERNAME-ATTRIBUTE: sAMAccountName


Best regards,
T. RIVOIRE


Re: Guacamole Extensions troubles

Posted by Michael Jumper <mj...@apache.org>.
On 6/14/23 05:45, Nick Couchman wrote:
> You'll need to take a look at the logs for the Guacamole Client 
> container and see what errors might be logged to the container. You may 
> also have to change the log level of Guacamole Client (LOGBACK_LEVEL 
> environment variable) to get more useful information out of the system.
> 
> I do notice in the Docker Compose file you posted that you appear to be 
> using a search filter that is supposed to make LDAP search nested AD 
> groups. I'm not sure that this will actually work - I think there are 
> some things that need to be implemented within Guacamole to support 
> this, and I don't think those currently exist. You might, at the very 
> least, try changing your search filter to something else - just create a 
> single group with the users you want to have access and search that 
> group, only - and see if that helps.
> 

Using a recursive group membership query like this within the search 
filter should be fine. Active Directory will service such queries a bit 
slower, but it will work and will limit both the users visible in the 
admin UI and the users that can log in.

Guacamole itself will not perform recursive queries to determine group 
memberships from LDAP, so you will not be able to use recursive 
memberships to grant permissions, but you can definitely do this within 
the search filters.

- Mike




Re: Guacamole Extensions troubles

Posted by Nick Couchman <vn...@apache.org>.
You'll need to take a look at the logs for the Guacamole Client container
and see what errors might be logged to the container. You may also have to
change the log level of Guacamole Client (LOGBACK_LEVEL environment
variable) to get more useful information out of the system.

I do notice in the Docker Compose file you posted that you appear to be
using a search filter that is supposed to make LDAP search nested AD
groups. I'm not sure that this will actually work - I think there are some
things that need to be implemented within Guacamole to support this, and I
don't think those currently exist. You might, at the very least, try
changing your search filter to something else - just create a single group
with the users you want to have access and search that group, only - and
see if that helps.

-Nick
