Posted to dev@guacamole.apache.org by Çağdaş Baş <ca...@gmail.com> on 2019/03/04 20:24:55 UTC

Docker Guacamole doesn't integrate LDAP with Postgresql

Hi everyone,

I'm using guacamole and guacd 1.0 on a docker image and having some trouble
with LDAP integration. The summary is, LDAP users can log in to the system,
but do not show up in the user list. Also, I have the TOTP extension and LDAP
users bypass the TOTP, but it works fine for guacadmin. It seems everything
except the authentication ignores the LDAP users.

My environment:
Centos 7.6 + Docker version 1.13.1, build 07f3374/1.13.1 as a host
FreeIPA 4.6.4.10 on a Centos 7.6 KVM VM on the same host with a NAT
network.

I've installed the guacamole, guacd and postgresql 9.3 with docker-compose
and guacamole environment as follows:
GUACAMOLE_HOME: /guacamole
GUACD_HOSTNAME: guacd
POSTGRES_DATABASE: guacamole_db
POSTGRES_HOSTNAME: postgres
POSTGRES_PASSWORD: Crb7&w
POSTGRES_USER: guacamole
LDAP_HOSTNAME: 192.168.122.2
LDAP_PORT: 389
LDAP_ENCRYPTION_METHOD: none
LDAP_USER_BASE_DN: cn=users,cn=accounts,dc=mobil,dc=local
LDAP_USERNAME_ATTRIBUTE: uid

My IPA server supports anonymous bind and I've tried both with a user DN and
password and anonymously; the result is the same. I checked the parameters with
ldapsearch and the bind user can fetch the users.

You can find the guacamole debug log from here:
https://pastebin.com/BUndLEBC

What would be the problem? What can I provide you with to solve the issue?

Thanks,
Cagdas

Re: Docker Guacamole doesn't integrate LDAP with Postgresql

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Mar 4, 2019 at 3:27 PM Çağdaş Baş <ca...@gmail.com> wrote:

> Hi everyone,
>
> I'm using guacamole and guacd 1.0 on a docker image and having some trouble
> with LDAP integration. The summary is, LDAP users can log in to the system,
> but do not show up in the user list. Also, I have the TOTP extension and LDAP
> users bypass the TOTP, but it works fine for guacadmin. It seems everything
> except the authentication ignores the LDAP users.
>

I'm not entirely sure I understand the configuration/issue, but from what
you've described I suspect that you need to do two things:
1) Make sure that all of the LDAP users are defined in the JDBC module.
You need to actually create JDBC user accounts for each of the users.
2) Make sure that the JDBC users that match your LDAP accounts have
permissions to update their own account/password. This is a specific
permission that must be checked for the users - by default users will likely
not have this permission. This is required for the TOTP enrollment to succeed.

-Nick
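One way to check both of Nick's points directly in the database, as an added example that is not part of this thread or of the Guacamole project. It assumes the table, column and enum names of the Guacamole 1.0.0 PostgreSQL JDBC schema (guacamole_entity, guacamole_user, guacamole_user_permission, guacamole_object_permission_type) and uses a constructed username, 'jdoe', as a placeholder for an LDAP account.

```sql
-- Added example, not from the thread or the Guacamole project.
-- Run inside the guacamole_db database (e.g. via psql).

-- 1) Which usernames exist as JDBC user accounts? An LDAP user that is
--    missing here can still authenticate via LDAP but will never appear
--    in the user list, because the list is read from these tables.
SELECT e.name AS username,
       u.user_id,
       u.disabled,
       u.expired
FROM guacamole_entity e
JOIN guacamole_user u ON u.entity_id = e.entity_id
WHERE e.type = 'USER'
ORDER BY e.name;

-- 2) Does each JDBC user hold UPDATE permission on its own account?
--    TOTP enrollment has to write to the user's own record, so a user
--    without this permission cannot complete enrollment.
SELECT e.name AS username,
       bool_or(p.permission = 'UPDATE') AS can_update_self
FROM guacamole_entity e
JOIN guacamole_user u ON u.entity_id = e.entity_id
LEFT JOIN guacamole_user_permission p
       ON p.entity_id = e.entity_id
      AND p.affected_user_id = u.user_id
WHERE e.type = 'USER'
GROUP BY e.name
ORDER BY e.name;

-- 3) Grant the missing self-UPDATE permission to one LDAP-backed account.
--    'jdoe' is a constructed placeholder; the NOT EXISTS guard keeps the
--    statement idempotent so it can be re-run safely.
INSERT INTO guacamole_user_permission (entity_id, affected_user_id, permission)
SELECT e.entity_id,
       u.user_id,
       'UPDATE'::guacamole_object_permission_type
FROM guacamole_entity e
JOIN guacamole_user u ON u.entity_id = e.entity_id
WHERE e.type = 'USER'
  AND e.name = 'jdoe'
  AND NOT EXISTS (
        SELECT 1
        FROM guacamole_user_permission p
        WHERE p.entity_id = e.entity_id
          AND p.affected_user_id = u.user_id
          AND p.permission = 'UPDATE');
```

Query 2 returning false (or NULL, when the user has no permission rows at all) for an LDAP user is the condition Nick describes; query 1 returning no row for that username is the first problem and has to be fixed by creating the JDBC account before any permission can be granted.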