Posted to user@guacamole.apache.org by Christian Iuga <ro...@gmail.com> on 2017/04/26 14:00:44 UTC
multiple ldap server in guacamole
Hi,
I would like to set several LDAP servers in the configuration of
Guacamole to be sure the infra is always available.
It looks like, actually, it's impossible:
https://guacamole.incubator.apache.org/doc/gug/ldap-auth.html
Configuring Guacamole for LDAP
Additional properties may be added to guacamole.properties to describe
how your LDAP directory is organized and how Guacamole should connect
(and bind) to your LDAP server. Among these properties, only the
ldap-user-base-dn property is required:
ldap-hostname
The hostname of your LDAP server. If omitted, "localhost" will be used
by default. You will need to use a different value if your LDAP server
is located elsewhere.
Thanks in advance
Re: multiple ldap server in guacamole
Posted by pburdine <pb...@gmail.com>.
The solution to this is to use an instance of haproxy in front of your
ldap(s)/AD servers. Here is an example config that works for me against an
AD server with ldaps (starttls), adjust your servers as required:
global
    log /dev/log local6
    pidfile /var/run/haproxy.pid
    chroot /var/lib/haproxy
    maxconn 8192
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats.socket mode 660 level admin
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

# LDAP and LDAP/STARTTLS
frontend ldap_service_front
    mode tcp
    log global
    # Edit this line to bind to your local address (eg 127.0.0.1 or public one)
    bind local_bind_address:port
    description LDAP Service
    option tcplog
    option logasap
    option socket-stats
    option tcpka
    timeout client 5s
    default_backend ldap_service_back

backend ldap_service_back
    server ldap1 ldap1.domain.local:389 check fall 1 rise 1 inter 2s # Add first server
    server ldap2 ldap2.domain.local:389 check fall 1 rise 1 inter 2s # Add second server, third, etc
    mode tcp
    balance leastconn
    timeout server 2s
    timeout connect 1s
    option tcpka
    # https://www.mail-archive.com/haproxy@formilux.org/msg17371.html
    option tcp-check
    tcp-check connect port 389
    tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
    tcp-check send-binary 01 # message ID
    tcp-check send-binary 6007 # protocol Op
    tcp-check send-binary 0201 # bind request
    tcp-check send-binary 03 # LDAP v3
    tcp-check send-binary 04008000 # name, simple authentication
    tcp-check expect binary 0a0100 # bind response + result code: success
    tcp-check send-binary 30050201034200 # unbind request
References
https://www.reddit.com/r/sysadmin/comments/46c1im/issue_configuring_haproxy_frontend_to_active/
http://ypbind.de/maus/ldap_ha_loadbalancing.html
https://www.haproxy.com/doc/aloha/7.0/haproxy/tls.html
https://gist.github.com/kevin39/3db2cb05e79fb752c80d