Posted to user@guacamole.apache.org by Niubbo75 <a....@me.com.INVALID> on 2020/09/11 15:22:12 UTC

How to bind guacamole on a Synology Directory Server

Hello all, I'm having trouble binding Guacamole, using the LDAP extension,
to a Synology Directory Service running as Active Directory; I get this
error:
BindSimple: Transport encryption required.
I've googled a lot but without any result. Has anyone experienced something
similar and knows how to set up the correct encryption method and port?
Thanks to all who will help, cheers,
Alessandro



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: How to bind guacamole on a Synology Directory Server

Posted by Niubbo75 <a....@me.com.INVALID>.
Hello all, I've done another check with gpresult; here is what I discovered:
https://pastebin.com/9jFQ5jRa

I hope this helps to dig deeper and solve my issue.
Best regards,
Alessandro





Re: How to bind guacamole on a Synology Directory Server

Posted by Niubbo75 <a....@me.com.INVALID>.
Hello Sebastian and thanks for your reply! I tried the gpresult approach but
unfortunately I got this:
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t957/MicrosoftTeams-image.png>
I also tried changing the LDAP settings in guacamole.properties but it
still doesn't work. I don't know what to do now. Best regards, Alessandro




Re: How to bind guacamole on a Synology Directory Server

Posted by Sebastian Männling <se...@qubestack.org>.
hi,
from your previously posted config, my guess is that there is some misconfiguration

ldap-search-bind-dn: CN=guacbind,CN=users,DC=mydomain,DC=local

as far as i know (and i'm definitely not an ldap expert), the CN (Common Name) can only appear once in the DN...
so probably/maybe you should change it to
ldap-search-bind-dn: CN=guacbind,OU=users,DC=mydomain,DC=local

and
ldap-user-base-dn: CN=RDP,CN=users,DC=mydomain,DC=local

same on the ldap-user-base-dn... this is (iirc) the ou (organizational unit/"directory") that contains all the users guacamole will find.
so you can try to change it to:
ldap-user-base-dn: OU=RDP,OU=users,DC=mydomain,DC=local
or
ldap-user-base-dn: OU=users,DC=mydomain,DC=local

one more thing that might help to determine the correct bind-dn:
on your windows host (that is joined to a domain) you might get some information using gpresult (this at least works on Microsoft Active Directory joined hosts)
e.g.:
PS C:\Users\<logged in user>> gpresult /user <logged in user> /v

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2020 Microsoft Corporation. All rights reserved.

Created on ‎9/‎19/‎2020 at 9:13:58 AM


RSOP data for <your domain>\<logged in user> on <your hostname> : Logging Mode
---------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.19041
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\<logged in user>
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=<your name>,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX
    Last time Group Policy was applied: 9/19/2020 at 9:04:08 AM
    Group Policy was applied from:      <FQDN of you domain controller>
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        <SQDN domain name>
    Domain Type:                        ...
hope that helps,

Sebastian


On Friday, September 18, 2020 17:05 CEST, Niubbo75 <a....@me.com.INVALID> wrote:
Hello Mike, thanks for your reply!
I've tried to find a way to get what you asked for, but unfortunately I
haven't found any.
Do you have something to suggest?
I have Windows 10 and a Debian Buster (where Guacamole is running); the W10
machines are registered in Synology Directory Server (just to be clear, it was
not configured as LDAP but it works like a Windows AD). What can I use (and
how) to get the LDIF?
Thanks, best regards,
Alessandro




Re: How to bind guacamole on a Synology Directory Server

Posted by Niubbo75 <a....@me.com.INVALID>.
Hello Mike, thanks for your reply!
I've tried to find a way to get what you asked for, but unfortunately I
haven't found any.
Do you have something to suggest?
I have Windows 10 and a Debian Buster (where Guacamole is running); the W10
machines are registered in Synology Directory Server (just to be clear, it was
not configured as LDAP but it works like a Windows AD). What can I use (and
how) to get the LDIF?
Thanks, best regards,
Alessandro





Re: How to bind guacamole on a Synology Directory Server

Posted by Mike Jumper <mj...@apache.org>.
Can you provide the LDIF of a user that is failing?

- Mike


On Tue, Sep 15, 2020 at 6:46 AM Niubbo75 <a....@me.com.invalid> wrote:

> Hello Stefan, thanks for your reply!
> I have tried changing samAccountName to uid but nothing has changed.
> Best regards,
> Alessandro

Re: How to bind guacamole on a Synology Directory Server

Posted by Niubbo75 <a....@me.com.INVALID>.
Hello Stefan, thanks for your reply!
I have tried changing samAccountName to uid but nothing has changed.
Best regards,
Alessandro





Re: How to bind guacamole on a Synology Directory Server

Posted by Stefan Bogdan Cimpeanu <bo...@cimpeanu.org>.
As far as I know, samaccountname is an Active Directory specific attribute.
Try using uid instead.

Bogdan

> On 14 Sep 2020, at 16:45, Niubbo75 <a....@me.com.INVALID> wrote:
> 
> Ok, I have tried changing some things but I still get this:
> https://pastebin.com/fYdnytvC the first time I try to log in with an AD
> user (guacbind in this case, the one I created to bind guacamole); if I
> try a second time, I get only:
> 
> [2020-09-14 15:35:18] [info] 15:35:18.908 [http-nio-8080-exec-9] WARN 
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> ***.***.***.*** for user "guacbind" failed.
> 
> How can I check the correct parameters in Synology Directory Server?
> ATM I can't log in on a local PC to try dsquery; if anyone knows how
> Synology ADS works and could tell me how to configure the correct parameters,
> it would be very appreciated, thanks!
> 
> Here is a sample of how I set the LDAP section of guacamole.properties:
> https://pastebin.com/U3niSrk7
> 
> I added the RDP group because I need to let only users who are members
> of that group log in.
> Thanks, best regards,
> Alessandro
> 
> 
> 




Re: How to bind guacamole on a Synology Directory Server

Posted by Niubbo75 <a....@me.com.INVALID>.
Ok, I have tried changing some things but I still get this:
https://pastebin.com/fYdnytvC the first time I try to log in with an AD
user (guacbind in this case, the one I created to bind guacamole); if I
try a second time, I get only:

[2020-09-14 15:35:18] [info] 15:35:18.908 [http-nio-8080-exec-9] WARN 
o.a.g.r.auth.AuthenticationService - Authentication attempt from
***.***.***.*** for user "guacbind" failed.

How can I check the correct parameters in Synology Directory Server?
ATM I can't log in on a local PC to try dsquery; if anyone knows how
Synology ADS works and could tell me how to configure the correct parameters,
it would be very appreciated, thanks!

Here is a sample of how I set the LDAP section of guacamole.properties:
https://pastebin.com/U3niSrk7

I added the RDP group because I need to let only users who are members
of that group log in.
Thanks, best regards,
Alessandro





Re: How to bind guacamole on a Synology Directory Server

Posted by Niubbo75 <a....@me.com.INVALID>.
Thanks maennlse, this fixed my issue; my CA cert is now accepted. Now I need to
understand how to set the correct parameters, because I no longer get any
error message saying it can't bind, but users can't log in, so I suppose my
LDAP parameters aren't right.
I have to see if dsquery can help me with that.

Best regards,
Alessandro





Re: How to bind guacamole on a Synology Directory Server

Posted by Sebastian Männling <se...@qubestack.org>.
you need to import the `syno-ca-cert.pem` into your system;
depending on which linux distribution you are on, this differs slightly:
debian/ubuntu see e.g.: https://askubuntu.com/a/649463
centos/rhel see e.g.: https://stackoverflow.com/a/31124750

btw. `syno-ca-privkey.pem` is not required in this case, and you should never share the private key ;)

On Monday, September 14, 2020 11:40 CEST, Niubbo75 <a....@me.com.INVALID> wrote:
I've googled but I haven't found what I'm looking for (or maybe I haven't
understood what I need...), so I'm asking here.
I've exported from Synology NAS a file.zip, I have 2 files in:
- syno-ca-cert.pem
- syno-ca-privkey.pem

now, what I have to do to have things working?
Thanks, best regards,
Alessandro



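Two checks that go with the advice above, written here as an added example (not code from the Guacamole project or from anyone in the thread): first, that the file about to be imported really is `syno-ca-cert.pem` and not a bundle that also carries `syno-ca-privkey.pem`; second, that a TLS handshake to the LDAPS port verifies against that CA, which is the same trust decision Guacamole's LDAP extension makes when it binds with `ldap-encryption-method: ssl`. The PEM samples are constructed placeholders, not real certificates, and the host and port arguments are whatever your NAS answers on.

```python
"""Sanity checks around the CA file exported from a Synology NAS before it
goes into the Guacamole host's trust store.

1. The file must contain certificates only. If the export also carries the
   private key, the wrong file was copied and the key has already left the
   NAS (trust needs the certificate, never the key).
2. A TLS handshake to the LDAPS port must verify against that CA; this is
   the same check Guacamole's LDAP extension performs when binding over ssl.
"""
import re
import socket
import ssl

# One PEM block: the label after BEGIN must be repeated after END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed sample of a CA export (body is placeholder text, not a real cert).
GOOD_CA_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBplaceholderplaceholderplaceholderplaceholder
-----END CERTIFICATE-----
"""

# Constructed sample of the mistake the reply warns about: key shipped along.
LEAKY_PEM = GOOD_CA_PEM + """\
-----BEGIN PRIVATE KEY-----
MIIEplaceholderplaceholderplaceholderplaceholder
-----END PRIVATE KEY-----
"""


def pem_block_types(pem_text):
    """Return the label of every PEM block in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def contains_private_key(pem_text):
    """True if any block is a private key of any flavour (PKCS#8, RSA, EC)."""
    return any("PRIVATE KEY" in label for label in pem_block_types(pem_text))


def safe_to_import(pem_text):
    """True only when the file is non-empty and holds nothing but certificates."""
    labels = pem_block_types(pem_text)
    return bool(labels) and all(
        label in ("CERTIFICATE", "TRUSTED CERTIFICATE") for label in labels
    )


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Open a verified TLS connection to host:port.

    cafile, when given, is the only trust anchor used; None falls back to the
    system store. Returns (ok, detail) instead of raising so the three
    failure classes (bad cert, TLS error, no connection) are easy to tell apart.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(x[0] for x in tls.getpeercert()["subject"])
                return True, f"verified {tls.version()}, subject={subject}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate did not verify: {exc.verify_message}"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed: {exc}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    import sys
    for name, text in (("syno-ca-cert.pem (sample)", GOOD_CA_PEM),
                       ("bundle with key (sample)", LEAKY_PEM)):
        print(f"{name}: blocks={pem_block_types(text)} "
              f"safe_to_import={safe_to_import(text)}")
    if len(sys.argv) >= 3:  # usage: script.py <ldaps host> <path to ca file>
        print(check_ldaps(sys.argv[1], cafile=sys.argv[2]))
```

`check_ldaps` verifies with the PEM file directly, independently of whatever trust store Tomcat's JVM reads, so a pass here followed by a Guacamole bind failure points at the JVM side (the store Tomcat was told to use) rather than at the certificate itself.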

Re: How to bind guacamole on a Synology Directory Server

Posted by Niubbo75 <a....@me.com.INVALID>.
I've googled but I haven't found what I'm looking for (or maybe I haven't
understood what I need...), so I'm asking here.
I've exported a file.zip from the Synology NAS; it contains 2 files:
- syno-ca-cert.pem
- syno-ca-privkey.pem

now, what do I have to do to get things working?
Thanks, best regards,
Alessandro





Re: How to bind guacamole on a Synology Directory Server

Posted by Niubbo75 <a....@me.com.INVALID>.
Hello Nick!
Sure, it was a typo, I had set it to 636 but with no luck; I'll have to set up a
truststore and see if it works.
Best regards,
Alessandro





Re: How to bind guacamole on a Synology Directory Server

Posted by Nick Couchman <vn...@apache.org>.
On Sun, Sep 13, 2020 at 1:25 PM Niubbo75 <a....@me.com.invalid> wrote:

> Hello Sven and thanks for your reply!
> I've tried to bind using an unencrypted connection (port 389 and none as
> encryption method) but it seems Synology Directory Server accepts only
> encrypted
> connections, so I tried 686 and SSL as encryption method but with no luck,
> so I'll try to create a truststore for tomcat and import there Synology's
> cert file (I can easily export it from Synology Security > Certs under
> control
> panel and then import it into my Buster's Guacamole server; I had never done
> this before, but I think google will help me out, and if not, I know I can
> still ask in this great community!
>

Make sure you're using port 636 (as opposed to 686).

-Nick

Re: How to bind guacamole on a Synology Directory Server

Posted by Niubbo75 <a....@me.com.INVALID>.
Hello Sven and thanks for your reply!
I've tried to bind using an unencrypted connection (port 389 and none as
encryption method) but it seems Synology Directory Server accepts only encrypted
connections, so I tried 686 and SSL as encryption method but with no luck,
so I'll try to create a truststore for tomcat and import there Synology's
cert file (I can easily export it from Synology Security > Certs under control
panel and then import it into my Buster's Guacamole server; I had never done
this before, but I think google will help me out, and if not, I know I can
still ask in this great community!
Thanks again,
best regards,

Alessandro





Re: How to bind guacamole on a Synology Directory Server

Posted by Sven Specker <sp...@rz.uni-frankfurt.de>.
On 2020-09-11 17:22, Niubbo75 wrote:
> Hello all, I'm having trouble binding Guacamole, using the LDAP extension,
> to a Synology Directory Service running as Active Directory; I get this
> error:
> BindSimple: Transport encryption required.
> I've googled a lot but without any result. Has anyone experienced something
> similar and knows how to set up the correct encryption method and port?
> Thanks to all who will help, cheers,
> Alessandro
> 

Hi!

Synology LDAP Servers use standard ports. AFAIK, they support 
unencrypted LDAP via port 389 and LDAPS via port 636.

In the guacamole config, the two things to set in guacamole.properties are

ldap-port: 636 (not actually needed, since we choose ssl and it is default)
ldap-encryption-method: ssl

There is one more pickle you are in. I do not suppose that the 
LDAP server uses a certificate that is known to the tomcat server of 
guacamole, and I never found an option to ignore checking it in the config.

Therefore, you will have to "teach" tomcat to accept the certificate by 
making a truststore and telling tomcat to use that one. If you use a 
certificate from a known CA, it should just work.

I am not sure if the synology DS can be configured to talk 
"unencrypted". If yes, you should only do that if the traffic is 
confined to a private, unrouted network. And even then, only if you are 
desperate to get it working.

In that case, you can try

ldap-port: 389
ldap-encryption-method: none

Best regards,

Sven Specker

-- 
__________________________________________________________________
*** Sven Specker -- University of Frankfurt Computing Center   ***
*********** UNIX System Administration (Auth/IDM) ****************
***** specker@rz.uni-frankfurt.de [Phone (+49)-69-798-15188] *****
******************************************************************
__________________________________________________________________		
		Johann Wolfgang Goethe Universitaet
  		   - Hochschulrechenzentrum -
  	         Theodor W. Adorno-Platz 1 (PA-1P16)

  		   D-60323 Frankfurt/Main
__________________________________________________________________
______________ TeX-users do it in {groups}________________________
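The settings discussed through the thread (Sven's pairing of `ldap-port` with `ldap-encryption-method`, Nick's catch of 686 typed instead of 636, and Sebastian's questions about the shape of the bind and base DNs) can be checked before restarting Tomcat. The lint below is an added example, not code from the Guacamole project; the property names are the LDAP extension's documented ones, the default ports per encryption method (389 for none and starttls, 636 for ssl) follow its documentation, and the sample configurations, including the hostname `nas.mydomain.local` and the placeholder password, are constructed.

```python
"""Offline lint for the LDAP section of guacamole.properties.

Checks the mistakes that came up in the thread: a port that does not match
the encryption method (686 typed for LDAPS instead of 636), a plaintext bind
over 389, DNs that do not parse, and a bind DN with no password.
"""
import re

# Default ports of the Guacamole LDAP extension per ldap-encryption-method:
# "none" and "starttls" talk to 389, "ssl" (LDAPS) to 636.
DEFAULT_PORTS = {"none": 389, "starttls": 389, "ssl": 636}

# Constructed sample: the thread's failing setup (wrong port for LDAPS).
BROKEN_CONFIG = """\
ldap-hostname: nas.mydomain.local
ldap-port: 686
ldap-encryption-method: ssl
ldap-search-bind-dn: CN=guacbind,CN=users,DC=mydomain,DC=local
ldap-search-bind-password: placeholder-not-a-real-password
ldap-user-base-dn: CN=users,DC=mydomain,DC=local
ldap-username-attribute: sAMAccountName
"""

# Constructed sample: same setup with the port corrected to 636.
FIXED_CONFIG = BROKEN_CONFIG.replace("ldap-port: 686", "ldap-port: 636")

# Constructed sample: plaintext LDAP on the default port, no bind password.
PLAINTEXT_CONFIG = """\
ldap-hostname: nas.mydomain.local
ldap-encryption-method: none
ldap-search-bind-dn: CN=guacbind,CN=users,DC=mydomain,DC=local
"""


def parse_properties(text):
    """Parse Java-style 'key: value' / 'key=value' lines into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^:=\s]+)\s*[:=]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_dn(dn):
    """Split an LDAP DN into (ATTRIBUTE, value) pairs, honouring escaped commas.

    Raises ValueError for an RDN without '=' or with an empty side, which is
    the kind of typo that makes a bind fail with no helpful server message.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"RDN {part.strip()!r} has no '='")
        attr, value = part.split("=", 1)
        if not attr.strip() or not value.strip():
            raise ValueError(f"RDN {part.strip()!r} has an empty attribute or value")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def lint_ldap_config(props):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    method = props.get("ldap-encryption-method", "none").lower()
    if method not in DEFAULT_PORTS:
        return [f"unknown ldap-encryption-method {method!r}"]

    expected = DEFAULT_PORTS[method]
    port_text = props.get("ldap-port", "")
    port = int(port_text) if port_text.isdigit() else expected
    if port != expected:
        findings.append(
            f"ldap-port {port} does not match ldap-encryption-method {method} "
            f"(expected {expected})"
        )
    if method == "none":
        findings.append(
            "ldap-encryption-method none: the bind password crosses the network in cleartext"
        )

    for key in ("ldap-search-bind-dn", "ldap-user-base-dn", "ldap-group-base-dn"):
        if key in props:
            try:
                parse_dn(props[key])
            except ValueError as exc:
                findings.append(f"{key}: {exc}")

    if props.get("ldap-search-bind-dn") and not props.get("ldap-search-bind-password"):
        findings.append("ldap-search-bind-dn is set but ldap-search-bind-password is empty")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                       ("plaintext", PLAINTEXT_CONFIG)):
        print(name, lint_ldap_config(parse_properties(text)) or ["ok"])
```

The lint deliberately does not decide whether a container should be `CN=users` or `OU=users`; that depends on how the directory was laid out, which is why the thread turned to gpresult and LDIF dumps. It only catches what can be known from the file alone: the port/encryption pairing and DNs that cannot be parsed at all.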