Posted to user@guacamole.apache.org by Christian Iuga <ro...@gmail.com> on 2017/04/26 14:00:44 UTC

multiple ldap server in guacamole

Hi,
I would like to set several LDAP servers in the configuration of
Guacamole to be sure the infra is always available.

It looks like, actually, it's impossible:

https://guacamole.incubator.apache.org/doc/gug/ldap-auth.html

Configuring Guacamole for LDAP

Additional properties may be added to guacamole.properties to describe
how your LDAP directory is organized and how Guacamole should connect
(and bind) to your LDAP server. Among these properties, only the
ldap-user-base-dn property is required:

ldap-hostname

The hostname of your LDAP server. If omitted, "localhost" will be used
by default. You will need to use a different value if your LDAP server
is located elsewhere.

Thanks in advance

Re: multiple ldap server in guacamole

Posted by pburdine <pb...@gmail.com>.
The solution to this is to use an instance of haproxy in front of your
ldap(s)/AD servers.  Here is an example config that works for me against an
AD server with ldaps (starttls), adjust your servers as required:

global
  log           /dev/log local6
  pidfile       /var/run/haproxy.pid
  chroot        /var/lib/haproxy
  maxconn       8192
  user          haproxy
  group         haproxy
  daemon
  stats socket /var/lib/haproxy/stats.socket mode 660 level admin
  # Default SSL material locations
  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private

# LDAP and LDAP/STARTTLS
frontend ldap_service_front
  mode                  tcp
  log                   global
  # Edit this line to bind to your local address (eg 127.0.0.1 or public one)
  bind                  local_bind_address:port
  description           LDAP Service
  option                tcplog
  option                logasap
  option                socket-stats
  option                tcpka
  timeout client        5s
  default_backend       ldap_service_back

backend ldap_service_back
  server                ldap1 ldap1.domain.local:389 check fall 1 rise 1 inter 2s  # Add first server
  server                ldap2 ldap2.domain.local:389 check fall 1 rise 1 inter 2s  # Add second server, third, etc
  mode                  tcp
  balance               leastconn
  timeout server        2s
  timeout connect       1s
  option                tcpka
  # https://www.mail-archive.com/haproxy@formilux.org/msg17371.html
  option                tcp-check
  tcp-check             connect port 389
  tcp-check             send-binary 300c0201            # LDAP bind request "<ROOT>" simple
  tcp-check             send-binary 01                  # message ID
  tcp-check             send-binary 6007                # protocol Op
  tcp-check             send-binary 0201                # bind request
  tcp-check             send-binary 03                  # LDAP v3
  tcp-check             send-binary 04008000            # name, simple authentication
  tcp-check             expect binary 0a0100            # bind response + result code: success
  tcp-check             send-binary 30050201034200      # unbind request

References
https://www.reddit.com/r/sysadmin/comments/46c1im/issue_configuring_haproxy_frontend_to_active/
http://ypbind.de/maus/ldap_ha_loadbalancing.html
https://www.haproxy.com/doc/aloha/7.0/haproxy/tls.html
https://gist.github.com/kevin39/3db2cb05e79fb752c80d
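
The hex strings in the tcp-check lines above are a BER-encoded LDAPv3 anonymous simple bind, the start of a successful BindResponse, and an unbind. The following Python is an added example (not part of the post, and not haproxy or Guacamole code) that builds those same messages from BER primitives so you can confirm the bytes in the config, and parses a BindResponse to read the resultCode. The two sample responses are constructed for the example; the "substring" check mirrors how `expect binary` matches the hex anywhere in the reply buffer, and `bind_result_code` shows the stricter check a reviewer would want (a resultCode other than 0, such as 49 invalidCredentials, means the directory answered but the bind failed).

```python
"""BER encode/decode of the LDAP bind exchange used by the haproxy tcp-check."""

# Hex exactly as split across the send-binary lines in the posted config.
HAPROXY_SEND_BIND = "300c0201" + "01" + "6007" + "0201" + "03" + "04008000"
HAPROXY_EXPECT = "0a0100"                  # ENUMERATED resultCode 0 (success)
HAPROXY_SEND_UNBIND = "30050201034200"

# Constructed sample replies (not captured from a real directory).
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")    # resultCode 0
SAMPLE_BIND_FAIL = bytes.fromhex("300c02010161070a013104000400")  # resultCode 49


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value with a short-form length (all messages here are < 128 bytes)."""
    if len(value) > 127:
        raise ValueError("long-form length not needed for these messages")
    return bytes([tag, len(value)]) + value


def ber_int(n: int) -> bytes:
    """Single-octet INTEGER; enough for the message IDs and protocol version used here."""
    if not 0 <= n <= 127:
        raise ValueError("only one-octet positive INTEGERs are supported")
    return ber_tlv(0x02, bytes([n]))


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return ber_tlv(0x30, ber_int(msg_id) + protocol_op)


def bind_request(msg_id: int = 1, name: bytes = b"", password: bytes = b"") -> bytes:
    """BindRequest ::= [APPLICATION 0] { version INTEGER, name OCTET STRING, [0] simple }"""
    op = ber_int(3) + ber_tlv(0x04, name) + ber_tlv(0x80, password)
    return ldap_message(msg_id, ber_tlv(0x60, op))


def unbind_request(msg_id: int = 3) -> bytes:
    """UnbindRequest ::= [APPLICATION 2] NULL, encoded as 42 00."""
    return ldap_message(msg_id, bytes([0x42, 0x00]))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos; handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(response: bytes) -> int:
    """Parse LDAPMessage -> BindResponse [APPLICATION 1] and return its resultCode."""
    tag, body, _ = parse_tlv(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = parse_tlv(body)      # messageID, not checked here
    op_tag, op_body, _ = parse_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("protocolOp is not a BindResponse")
    rc_tag, rc, _ = parse_tlv(op_body)
    if rc_tag != 0x0A:
        raise ValueError("resultCode is not an ENUMERATED")
    return rc[0]


def haproxy_expect_matches(response: bytes) -> bool:
    """What `expect binary 0a0100` does: the hex appears somewhere in the reply buffer."""
    return bytes.fromhex(HAPROXY_EXPECT) in response


if __name__ == "__main__":
    assert bind_request().hex() == HAPROXY_SEND_BIND
    assert unbind_request().hex() == HAPROXY_SEND_UNBIND
    print("bind request  :", bind_request().hex())
    print("unbind request:", unbind_request().hex())
    for label, reply in (("ok", SAMPLE_BIND_OK), ("fail", SAMPLE_BIND_FAIL)):
        print(label, "resultCode =", bind_result_code(reply),
              "haproxy match =", haproxy_expect_matches(reply))
```

Run it stand-alone to see that the bytes the config sends are byte-for-byte the anonymous bind and the unbind, and that the success reply matches the `expect binary` line while a constructed failure reply does not.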