Posted to user@guacamole.apache.org by ha...@faa.gov on 2017/11/09 20:45:35 UTC

Configuring LDAP

I'm trying to configure LDAP to work on our new Guacamole installation.  I followed Chapter 7 in the user guide, but I still can't get it to work.  When I enter a user name and the password that I know exists in our LDAP (which is running on RHEL 7 using IDM), and click the Login button, nothing happens.  No errors, no visual clues, nothing.  I look at the logs on the server and get zero errors or indications that it even attempted it.

So how do I go about debugging this and getting it working?

Thanks,
Harry

Harry Devine
DOT/FAA/AJM-2412
Common ARTS Software Development
Terminal Server (NASDAC) Administrator
Red Hat Certified System Administrator (RHCSA)
harry.devine@faa.gov
(609)485-4218
Building 300, 3rd Floor, Column L20 (3L20)


Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Nov 21, 2017 at 8:10 AM, <ha...@faa.gov> wrote:

> I set SELinux to permissive and put the LDAP extension back (it's under
> /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and
> try to log in using an LDAP user.  I click Login and on the Network tab, it
> shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never
> gets any further.
>
> Harry
>
> *From:* Nick Couchman [mailto:vnick@apache.org]
> *Sent:* Monday, November 20, 2017 2:04 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
> On Mon, Nov 20, 2017 at 1:52 PM, <ha...@faa.gov> wrote:
>
> We’re using Red Hat Enterprise Linux 7.4 with SELinux set to enforcing.  I
> disabled the LDAP extension and just used MySQL for the guacadmin user and
> could log in.  I do see the following information in /var/log/messages:
>
>
> This sounds like the server-side, but are you able to temporarily disable
> SELinux (set it to permissive mode, "setenforce 0") and then restart Tomcat
> and see if it works with LDAP? I'm not suggesting this as a long-term fix,
> just long enough to validate whether SELinux is, indeed, blocking LDAP
> traffic, or if it's still something else?
>
> -Nick
>

RE: Configuring LDAP

Posted by "Hawkins, Richard" <ri...@medctrbarbour.org>.
Here is mine.. see if it helps..  the DC is a Windows Server 2012 R2 server.

ldap-hostname: dc01.mydomain.org
ldap-port: 3268
ldap-user-base-dn: DC=mydomain, DC=org
ldap-search-bind-dn: CN=mysecretlookupuser, CN=Users, DC= mydomain, DC=org
ldap-search-bind-password: Mysecret password
ldap-username-attribute: sAMAccountName

In the past I have had issues with using something other than the Base DN. Also, in my configs the spacing DOES matter..

r


From: harry.devine@faa.gov [mailto:harry.devine@faa.gov] 
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

 

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t installed on the server I have guacamole installed on; didn’t realize that at first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters and tried again.  The page shows “Invalid Login”, but the following is displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN ""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am masking the usernames and such):

ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?

Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, <ha...@faa.gov> wrote:

	I set SELinux to permissive and put the LDAP extension back (it's under /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try to log in using an LDAP user.  I click Login and on the Network tab, it shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any further.

Okay...on the system where you're running Tomcat, can you make sure the OpenLDAP client utilities are installed and then use "ldapsearch" to query the same LDAP server that you're trying to use in Guacamole?  Something like this:

ldapsearch -H ldap://<server> -D <Search User> -W -b <base dn> cn=<Some User In LDAP>

...substituting in the above parameters and make sure you get a response?

-Nick


Re: Configuring LDAP

Posted by Jonathan Hankins <jh...@homewood.k12.al.us>.
Harry,

Can you try ldapsearch from the command line against your LDAP server with
the same parameters you're using with guacamole and see if your bind still
fails?

On Mon, Nov 27, 2017, 9:32 AM <ha...@faa.gov> wrote:

> OK, I just tried it again with both 389/none and 636/ssl for those
> parameters, and both times I get the following errors:
>
>
>
> Nov 27 09:30:31 access server: 09:30:31.838 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> "cn=Directory Manager,dc=example,dc=com"
>
> Nov 27 09:30:31 access server: 09:30:31.839 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
>
>
> Thanks,
>
> Harry
>
> *From:* Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
> *Sent:* Monday, November 27, 2017 9:27 AM
>
>
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Harry, if you are using ldap-port:636, you probably need to specify:
>
> ldap-encryption-method: ssl
>
> I believe the default is "none" .
>
> Assuming you are able to temporarily configure your LDAP server to allow
> unencrypted binds(if it isn't already), you may want to test with
> ldap-port: 389 and ldap-encryption-method: none  to make sure you have all
> of your LDAP settings correct before enabling encryption, then tackle the
> encryption.
>
> -Jonathan Hankins
>
>
>
> On Mon, Nov 27, 2017, 8:23 AM <ha...@faa.gov> wrote:
>
> I just got back into the office and tried what you suggested.  Whenever I
> don’t have quotes around the ldap-search-bind-dn value, the login button
> doesn’t seem to respond.  In the Network tab in Chrome’s Developer Tools,
> the /guacamole/api/tokens call always shows “(pending)” as the status
> instead of 200 or 403.
>
>
>
> Here’s what I have for my LDAP values in guacamole.properties (again,
> masking out the real values):
>
>
>
> ldap-hostname:ldap.hostname
>
> ldap-port:636
>
> ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
>
> ldap-search-bind-password:pass123
>
> ldap-user-base-dn:dc=example,dc=com
>
> ldap-username-attribute:cn
>
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
> *Sent:* Wednesday, November 22, 2017 1:41 PM
>
>
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Harry,
>
>
>
> I believe you need to fully qualify your ldap-search-bind-dn:
>
>
>
> ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com
>
>
>
> And your ldap-username-attribute should be the name of an ldap attribute
> that you want to match usernames against, such as cn:
>
>
>
> ldap-username-attribute: cn
>
>
>
> Also, unsure if the config you posted was pseudo-code, but the
> guacamole.properties file should look like:
>
>
>
> varname: this is the value to end of line
>
>
>
> See my examples above.
>
>
>
> -Jonathan Hankins
>
>
>
>
>
> On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <
> richard.hawkins@medctrbarbour.org> wrote:
>
>
>
> Restart tomcat
>
> service tomcat restart..
>
> tail -f /var/log/messages
>
> Authenticated
>
>
>
>
>
>
>
> *From:* harry.devine@faa.gov [mailto:harry.devine@faa.gov]
> *Sent:* Tuesday, November 21, 2017 2:01 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> OK, took me a little bit to weed through some OpenLDAP config issues (it
> wasn’t installed on the server I have guacamole installed on; didn’t
> realize that at first), but I got the ldapsearch working.  So I re-enabled
> the LDAP parameters and tried again.  The page shows “Invalid Login”, but
> the following is displayed in the /var/log/messages:
>
>
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server:
> Connect Error
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> ""cn=My User""
>
> Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
>
>
> I have the LDAP parameters defined as follows in guacamole properties (I
> am masking the usernames and such):
>
> ldap-hostname="my-host"
>
> ldap-port=636
>
> ldap-search-bind-dn="cn=My User"
>
> ldap-search-bind-password="Pass123"
>
> ldap-user-base-dn="dc=my,dc=example,dc=com"
>
> ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
>
> ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
>
>
>
> Ideas?
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vnick@apache.org]
> *Sent:* Tuesday, November 21, 2017 9:20 AM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Tue, Nov 21, 2017 at 8:10 AM, <ha...@faa.gov> wrote:
>
> I set SELinux to permissive and put the LDAP extension back (it's under
> /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and
> try to log in using an LDAP user.  I click Login and on the Network tab, it
> shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never
> gets any further.
>
>
>
>
>
> Okay...on the system where you're running Tomcat, can you make sure the
> OpenLDAP client utilities are installed and then use "ldapsearch" to query
> the same LDAP server that you're trying to use in Guacamole?  Something
> like this:
>
>
>
> ldapsearch -H ldap://<server> -D <Search User> -W -b <base dn> cn=<Some
> User In LDAP>
>
>
>
> ...substituting in the above parameters and make sure you get a response?
>
>
>
> -Nick
>
>
> This e-mail is intended only for the recipient and may contain
> confidential or proprietary information. If you are not the intended
> recipient, the review, distribution, duplication or retention of this
> message and its attachments is prohibited. Please notify the sender of this
> error immediately by reply e-mail, and permanently delete this message and
> its attachments in any form in which they may have been preserved.
>

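The mistakes Jonathan and Nick point at (quotes taken literally as part of the value, a DN where an attribute name belongs, an unqualified bind DN, port 636 without `ldap-encryption-method: ssl`) can be checked before Tomcat is restarted. The following is an added example and not Guacamole's own code: a small reader for the `name: value` properties format plus a linter for exactly those mistakes, run over a constructed copy of the first configuration posted in this thread, the configuration the thread ended with, and a corrected version. The defaults it assumes (port 389, encryption `none`), the finding codes and the `uid=guacamole` service account in the corrected sample are the example's own.

```python
import re

# Constructed copy of the first LDAP block posted in this thread: every value
# wrapped in quotes, a DN where an attribute name belongs, a single-RDN bind
# DN, and port 636 with no ldap-encryption-method.
BROKEN_PROPERTIES = """\
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
"""

# The configuration the thread ended with (constructed, quotes straightened):
# logins work, but the bind is in clear and the bind DN is still quoted.
WORKING_PROPERTIES = """\
ldap-hostname: my.hostname
ldap-port: 389
ldap-encryption-method: none
ldap-search-bind-dn: cn="Directory Manager"
ldap-search-bind-password: pass123
ldap-user-base-dn: cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute: uid
"""

# The same settings written the way the replies suggest (constructed; the
# dedicated search account uid=guacamole is an assumption of this example).
FIXED_PROPERTIES = """\
ldap-hostname: my.hostname
ldap-port: 636
ldap-encryption-method: ssl
ldap-search-bind-dn: uid=guacamole,cn=users,cn=accounts,dc=example,dc=com
ldap-search-bind-password: pass123
ldap-user-base-dn: cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute: uid
"""

PROPERTY_LINE = re.compile(r"^([^\s:=]+)\s*[:=]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal java.util.Properties reader: `name: value` or `name=value`,
    the value runs to end of line, `#` or `!` starts a comment line."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = PROPERTY_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def unquoted(value):
    """The value with stray double or single quotes removed."""
    return value.replace('"', "").replace("'", "")


def lint_ldap(props):
    """Return (property, finding-code) pairs for the mistakes seen in the thread."""
    findings = []
    for key, value in props.items():
        # Quotes are kept as part of the value, so "cn=My User" reaches the
        # server as a DN that includes the quotes (see the bind error above).
        if key.startswith("ldap-") and unquoted(value) != value:
            findings.append((key, "quotes-in-value"))
    attr = unquoted(props.get("ldap-username-attribute", ""))
    if "=" in attr or "," in attr:
        # Must name an attribute (cn, uid, sAMAccountName), not a DN.
        findings.append(("ldap-username-attribute", "dn-in-attribute"))
    bind_dn = unquoted(props.get("ldap-search-bind-dn", ""))
    if bind_dn and "," not in bind_dn:
        # A lone RDN only works if the server treats it as a complete DN
        # (389-DS/IDM does for cn=Directory Manager); otherwise qualify it.
        findings.append(("ldap-search-bind-dn", "bind-dn-single-rdn"))
    port = unquoted(props.get("ldap-port", "389"))  # assumed defaults
    enc = unquoted(props.get("ldap-encryption-method", "none")).lower()
    if port == "636" and enc != "ssl":
        findings.append(("ldap-encryption-method", "ssl-port-without-ssl"))
    elif enc == "none":
        # Fine for a first test; afterwards the search-bind password and
        # every user's password cross the network in clear.
        findings.append(("ldap-encryption-method", "cleartext-bind"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_PROPERTIES),
                       ("working", WORKING_PROPERTIES),
                       ("fixed", FIXED_PROPERTIES)):
        print(name, lint_ldap(parse_properties(text)))
```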

Re: Configuring LDAP

Posted by Mike Jumper <mi...@guac-dev.org>.
On Mon, Nov 27, 2017 at 10:49 AM, <ha...@faa.gov> wrote:

> Here’s my current /etc/guacamole/guacamole.properties file:
>
>
>
> #MySQL properties
>
> mysql-hostname: localhost
>
> mysql-port:3306
>
> mysql-database: guacdb
>
> mysql-username: guacuser
>
> mysql-password: guacadmin
>
> mysql-default-max-connections-per-user: 0
>
> mysql-default-max-group-connections-per-user:0
>
>
>
> #LDAP properties
>
> ldap-hostname:my.hostname
>
> ldap-port:389
>
> ldap-encryption-method:none
>
> ldap-dereference-aliases:never
>
> ldap-search-bind-dn:cn=Directory Manager
>
> ldap-search-bind-password:pass123
>
> ldap-user-base-dn:dc=example,dc=com
>
> #ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
>
> ldap-username-attribute:cn
>
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
>
>
>
>
> When I use the ldap-username-attribute:cn setting, I get the error where
> the Multiple DNs are what’s being complained about.
>

If Guacamole is complaining about multiple DNs matching the user, then the
user base DN is likely not specific enough, and multiple distinct user
accounts are matching otherwise valid usernames. To translate a user's
username into their corresponding DN via LDAP search, there must be exactly
one DN which matches the username beneath the base DN. If there are
multiple such DNs, then Guacamole cannot safely choose one arbitrarily, and
it fails the authentication attempt.

The value for "ldap-search-bind-dn" here is odd, as "cn=Directory Manager"
is not a fully qualified DN. If your LDAP server accepts it anyway, then it
will work, but I am surprised to not see "dc=example,dc=com" within that DN.

> If I use the other one (the commented out one above), I simply get
> “Authentication attempted …… failed”.  We use the “cn=users,cn=accounts”
> string in other projects where we communicate with our LDAP server, so I’m
> pretty sure that’s correct.
>

The commented-out "ldap-username-attribute" value is definitely incorrect,
as it is not the name of an attribute; it is a fully-qualified DN. The
value of "ldap-username-attribute" needs to be the name of an attribute.

Taking a step back here ... can you describe how your LDAP directory is
organized? What attribute contains the username for each user? Where are
these users located within the LDAP tree? Is the username within the DN of
each user, and thus the DN of the user can be directly derived from the
username, or can the DN only be determined from the username through an
LDAP search?

- Mike
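Mike's rule, that the search must yield exactly one DN beneath the base DN or the login is refused, as an added example that is not Guacamole's code. It uses an in-memory stand-in for the directory, constructed from the two DNs in the "Multiple DNs possible" log line earlier in the thread plus two users sharing a cn, and shows both the per-login resolution and the audit a defender can run over an export to find ambiguous usernames before changing ldap-user-base-dn or ldap-username-attribute.

```python
# Constructed stand-in for the directory, modelled on the two DNs in the
# "Multiple DNs possible" log line (IDM publishes each user under
# cn=accounts and again under the cn=compat tree) plus two users sharing a cn.
DIRECTORY = [
    {"dn": "uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "harry.devine", "cn": "Harry Devine"},
    {"dn": "uid=harry.devine,cn=users,cn=compat,dc=example,dc=com",
     "uid": "harry.devine", "cn": "Harry Devine"},
    {"dn": "uid=jmoen,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "jmoen", "cn": "Jon Moen"},
    {"dn": "uid=jmoen2,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "jmoen2", "cn": "Jon Moen"},
]


class AmbiguousUser(Exception):
    """More than one DN matched the username; refuse rather than guess."""


def split_dn(dn):
    """Split a DN on unescaped commas (RFC 4514 escapes with a backslash)."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            current += ch
            escaped = True
        elif ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return parts


def normalize_rdn(rdn):
    """Lower-case and strip spaces around '=' so 'DC= mydomain' == 'dc=mydomain'."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def normalize_dn(dn):
    return ",".join(normalize_rdn(part) for part in split_dn(dn))


def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or lies beneath it."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return d == b or d.endswith("," + b)


def resolve_user_dn(username, base_dn, attribute, directory=DIRECTORY):
    """Map a login name to the one DN whose `attribute` equals it beneath
    base_dn.  None when nothing matches; AmbiguousUser when several do."""
    matches = [entry["dn"] for entry in directory
               if in_subtree(entry["dn"], base_dn)
               and entry.get(attribute, "").lower() == username.lower()]
    if len(matches) > 1:
        raise AmbiguousUser(
            f'Multiple DNs possible for user "{username}": {matches}')
    return matches[0] if matches else None


def ambiguous_usernames(base_dn, attribute, directory=DIRECTORY):
    """Every attribute value that maps to more than one DN beneath base_dn:
    the condition behind the 'Possibly ambiguous user account' warnings."""
    seen = {}
    for entry in directory:
        if in_subtree(entry["dn"], base_dn) and attribute in entry:
            seen.setdefault(entry[attribute].lower(), []).append(entry["dn"])
    return {name: dns for name, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    for base in ("dc=example,dc=com", "cn=users,cn=accounts,dc=example,dc=com"):
        for attribute in ("cn", "uid"):
            print(base, attribute, ambiguous_usernames(base, attribute))
```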

RE: Configuring LDAP

Posted by ha...@faa.gov.
OK, I was able to get it working better now.  In our system, cn is the Common Name, but the user id is retrieved by the uid property.  Once I set it to that, I was able to get in fine.  Now onto trying to get port 636 to work.

Thanks,
Harry

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Friday, December 01, 2017 2:59 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Fri, Dec 1, 2017 at 10:37 AM, <ha...@faa.gov> wrote:
OK I was able to get it to log in.  Here’s what I changed in my guacamole.properties to make it work:
ldap-search-bind-dn:cn="Directory Manager"
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com

So the user logs in fine, but in /var/log/messages, I get the following errors that I’m not sure are relevant or not:
Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully authenticated from 172.31.26.216.
Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon Moen".
Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve Smith".
Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Could not query list of all users for attribute "cn": Error while querying users.

Guacamole is warning you that you have multiple users which map to the same username. Those users will likely be unable to log in, as Guacamole will not be able to determine with certainty which DN corresponds to those usernames.

You need to double-check your LDAP directory structure with respect to the configuration within guacamole.properties to determine why multiple users (multiple, distinct DNs) map to the same username. Something within the LDAP directory structure, the configuration, or both, is causing sanity checks for username uniqueness to fail, and the underlying problem needs to be corrected for things to work as expected.

- Mike


Re: Configuring LDAP

Posted by Mike Jumper <mi...@guac-dev.org>.
On Fri, Dec 1, 2017 at 10:37 AM, <ha...@faa.gov> wrote:

> OK I was able to get it to log in.  Here’s what I changed in my
> guacamole.properties to make it work:
>
> ldap-search-bind-dn:cn="Directory Manager"
>
> ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
>
>
>
> So the user logs in fine, but in /var/log/messages, I get the following
> errors that I’m not sure are relevant or not:
>
> Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO
> o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully
> authenticated from 172.31.26.216.
>
> Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon
> Moen".
>
> Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account:
> "Steve Smith".
>
> Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Could not query list of all users for
> attribute "cn": Error while querying users.
>
>
Guacamole is warning you that you have multiple users which map to the same
username. Those users will likely be unable to log in, as Guacamole will
not be able to determine with certainty which DN corresponds to those
usernames.

You need to double-check your LDAP directory structure with respect to the
configuration within guacamole.properties to determine why multiple users
(multiple, distinct DNs) map to the same username. Something within the
LDAP directory structure, the configuration, or both, is causing sanity
checks for username uniqueness to fail, and the underlying problem needs to
be corrected for things to work as expected.

- Mike

Re: Configuring LDAP

Posted by Erik Berndt <er...@superiorpaving.net>.
> Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon
> Moen".
> Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve
> Smith".

Are these users able to login successfully? Do they appear in the user list
when logged in to the admin console?

Double check that the ldap-user-base-dn is at the root of the AD structure
and the ldap-search-bind-dn user is correctly qualified. As Mike said, try
fully qualifying the base-dn attribute and post results. It may be that the
ldap-auth module is querying your AD and returning incomplete information
due to this not being fully qualified.

Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

On Fri, Dec 1, 2017 at 1:37 PM, <ha...@faa.gov> wrote:

> OK I was able to get it to log in.  Here’s what I changed in my
> guacamole.properties to make it work:
>
> ldap-search-bind-dn:cn="Directory Manager"
>
> ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
>
>
>
> So the user logs in fine, but in /var/log/messages, I get the following
> errors that I’m not sure are relevant or not:
>
> Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO
> o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully
> authenticated from 172.31.26.216.
>
> Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon
> Moen".
>
> Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account:
> "Steve Smith".
>
> Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Could not query list of all users for
> attribute "cn": Error while querying users.
>
>
>
> VERY close now!  Thoughts?
>
> Harry
>
>
>
> *From:* Erik Berndt [mailto:erikberndt@superiorpaving.net]
> *Sent:* Friday, December 01, 2017 12:19 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> I don't know if you paraphrased the config file, but I noticed the
> ldap-search-bind-dn common name doesn't have the space escaped. I wonder if
> guacd is treating the ldap-search-bind-dn cn as two separate entries, hence
> the "Multiple DNs possible" error?
>
>
>
> I'm not sure if it's required or not, but I fully qualified each LDAP
> parameter i.e. ldap-search-bind-dn: CN="Directory
> Manager",OU=foo,DC=faa,DC=gov" and it's working successfully for us. The
> search-bind-dn user should be part of the base-dn in case it isn't already.
>
>
>
> The relevant LDAP attributes from our working configuration are below.
>
>
>
> ldap-hostname: dc.local
> ldap-port: 389
> ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net
> ldap-search-bind-dn: CN=guacamole,OU="Information
> Technology",OU=Office,OU="Superior Paving Employees",DC=superiorpaving,
> DC=net
> ldap-search-bind-password: XXXXX
>
>
>
>
> Erik Berndt / Systems Administrator
> 5551 Wellington Rd, Gainesville, VA 20155
> 703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
> http://www.superiorpaving.net
>
> Need to open an IT support ticket?
> http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net
>
>
>
> On Fri, Dec 1, 2017 at 11:11 AM, <ha...@faa.gov> wrote:
>
> Just wondering if anyone has any ideas on how the LDAP is configured
> below?  This still isn’t working for me and I’d like to know why.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Devine, Harry (FAA)
> *Sent:* Monday, November 27, 2017 1:49 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> Here’s my current /etc/guacamole/guacamole.properties file:
>
>
>
> #MySQL properties
>
> mysql-hostname: localhost
>
> mysql-port:3306
>
> mysql-database: guacdb
>
> mysql-username: guacuser
>
> mysql-password: guacadmin
>
> mysql-default-max-connections-per-user: 0
>
> mysql-default-max-group-connections-per-user:0
>
>
>
> #LDAP properties
>
> ldap-hostname:my.hostname
>
> ldap-port:389
>
> ldap-encryption-method:none
>
> ldap-dereference-aliases:never
>
> ldap-search-bind-dn:cn=Directory Manager
>
> ldap-search-bind-password:pass123
>
> ldap-user-base-dn:dc=example,dc=com
>
> #ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
>
> ldap-username-attribute:cn
>
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
>
>
>
>
> When I use the ldap-username-attribute:cn setting, I get the error where
> the Multiple DNs are what’s being complained about.  If I use the other one
> (the commented out one above), I simply get “Authentication attempted ……
> failed”.  We use the “cn=users,cn=accounts” string in other projects where
> we communicate with our LDAP server, so I’m pretty sure that’s correct.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Jonathan Hankins [mailto:jhankins@homewood.k12.al.us
> <jh...@homewood.k12.al.us>]
> *Sent:* Monday, November 27, 2017 12:38 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Harry, you said you tried "modifying ldap-username-attribute to be
> cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm.
> Ldap-username-attribute should be an LDAP attribute name like cn. Could you
> post your complete (redacted) guacamole.properties as you have it currently?
>
>
>
> Also, I saw that on a previous attempt today you got the log message:
>
>
>
> Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN
> o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user
> "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
> uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
>
>
>
> If you have two users under your search base with uid (or cn, or whatever
> you are using for ldap-username-attribute) "harry.devine" you are going to
> have to use a more specific search base or a more unique
> ldap-username-attribute or a more restrictive search filter so that you
> don't get multiple matches for the username you are typing into the
> username field on the login page.
>
>
>
> I.e., the attribute you match against has to uniquely identify the user
> beneath your search base for your query.
>
>
>
> -Jonathan Hankins
>
>
>
> On Mon, Nov 27, 2017, 10:10 AM Nick Couchman <vn...@apache.org> wrote:
>
> On Mon, Nov 27, 2017 at 10:02 AM, <ha...@faa.gov> wrote:
>
> OK, so I tried that, including modifying ldap-username-attribute to be
> cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the
> Developer Tools, and the following error in /var/log/messages:
>
>
>
> Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> xxx.xxx.xxx.xxx for user "harry.devine" failed.
>
>
>
> However, I know that the password is 100% correct.  Where to look now?  I
> feel we’re getting very close.
>
>
>
>
>
> What LDAP server are you running?  You probably mentioned it already
> somewhere in this thread, and I'm going to guess Active Directory, but just
> want to make sure?  If it's OpenLDAP then it is quite possible it is
> configured to disallow logins without some form of encryption (although I
> wouldn't expect the search bind to work in this case, but who knows).  AD
> doesn't usually have those restrictions, but depending on the environment,
> it actually might require encryption, as well.  Other than that, it would
> be useful to get a log from the LDAP server that indicates why it is
> failing authentication - if it believes the password is wrong, or if it is
> throwing some other sort of error.  I realize that you might be in an
> organization where you don't have access to that server or those logs, but,
> if you do, that would be helpful.
>
>
>
> -Nick
>
>
>
>
>

RE: Configuring LDAP

Posted by ha...@faa.gov.
OK I was able to get it to log in.  Here’s what I changed in my guacamole.properties to make it work:
ldap-search-bind-dn:cn="Directory Manager"
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com

So the user logs in fine, but in /var/log/messages, I get the following errors that I’m not sure are relevant or not:
Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully authenticated from 172.31.26.216.
Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon Moen".
Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve Smith".
Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService - Could not query list of all users for attribute "cn": Error while querying users.

VERY close now!  Thoughts?
Harry

From: Erik Berndt [mailto:erikberndt@superiorpaving.net]
Sent: Friday, December 01, 2017 12:19 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

I don't know if you paraphrased the config file, but I noticed the ldap-search-bind-dn common name doesn't have the space escaped. I wonder if guacd is treating the ldap-search-bind-dn cn as two separate entries, hence the "Multiple DNs possible" error?

I'm not sure if it's required or not, but I fully qualified each LDAP parameter i.e. ldap-search-bind-dn: CN="Directory Manager",OU=foo,DC=faa,DC=gov" and it's working successfully for us. The search-bind-dn user should be part of the base-dn in case it isn't already.

The relevant LDAP attributes from our working configuration are below.

ldap-hostname: dc.local
ldap-port: 389
ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-dn: CN=guacamole,OU="Information Technology",OU=Office,OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-password: XXXXX


Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

On Fri, Dec 1, 2017 at 11:11 AM, <ha...@faa.gov> wrote:
Just wondering if anyone has any ideas on how the LDAP is configured below?  This still isn’t working for me and I’d like to know why.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 27, 2017 1:49 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

Here’s my current /etc/guacamole/guacamole.properties file:

#MySQL properties
mysql-hostname: localhost
mysql-port:3306
mysql-database: guacdb
mysql-username: guacuser
mysql-password: guacadmin
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user:0

#LDAP properties
ldap-hostname:my.hostname
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn=Directory Manager
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
#ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com


When I use the ldap-username-attribute:cn setting, I get the error where the Multiple DNs are what’s being complained about.  If I use the other one (the commented out one above), I simply get “Authentication attempted …… failed”.  We use the “cn=users,cn=accounts” string in other projects where we communicate with our LDAP server, so I’m pretty sure that’s correct.

Thanks,
Harry

From: Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
Sent: Monday, November 27, 2017 12:38 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, you said you tried "modifying ldap-username-attribute to be cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm. Ldap-username-attribute should be an LDAP attribute name like cn. Could you post your complete (redacted) guacamole.properties as you have it currently?

Also, I saw that on a previous attempt today you got the log message:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]

If you have two users under your search base with uid (or cn, or whatever you are using for ldap-username-attribute) "harry.devine" you are going to have to use a more specific search base or a more unique ldap-username-attribute or a more restrictive search filter so that you don't get multiple matches for the username you are typing into the username field on the login page.

I.e., the attribute you match against has to uniquely identify the user beneath your search base for your query.

-Jonathan Hankins

On Mon, Nov 27, 2017, 10:10 AM Nick Couchman <vn...@apache.org> wrote:
On Mon, Nov 27, 2017 at 10:02 AM, <ha...@faa.gov> wrote:
OK, so I tried that, including modifying ldap-username-attribute to be cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel we’re getting very close.


What LDAP server are you running?  You probably mentioned it already somewhere in this thread, and I'm going to guess Active Directory, but just want to make sure?  If it's OpenLDAP then it is quite possible it is configured to disallow logins without some form of encryption (although I wouldn't expect the search bind to work in this case, but who knows).  AD doesn't usually have those restrictions, but depending on the environment, it actually might require encryption, as well.  Other than that, it would be useful to get a log from the LDAP server that indicates why it is failing authentication - if it believes the password is wrong, or if it is throwing some other sort of error.  I realize that you might be in an organization where you don't have access to that server or those logs, but, if you do, that would be helpful.

-Nick

This e-mail is intended only for the recipient and may contain confidential or proprietary information. If you are not the intended recipient, the review, distribution, duplication or retention of this message and its attachments is prohibited. Please notify the sender of this error immediately by reply e-mail, and permanently delete this message and its attachments in any form in which they may have been preserved.


Re: Configuring LDAP

Posted by Erik Berndt <er...@superiorpaving.net>.
I don't know if you paraphrased the config file, but I noticed the
ldap-search-bind-dn common name doesn't have the space escaped. I wonder if
guacd is treating the ldap-search-bind-dn cn as two separate entries, hence
the "Multiple DNs possible" error?

I'm not sure if it's required or not, but I fully qualified each LDAP
parameter i.e. ldap-search-bind-dn: CN="Directory
Manager",OU=foo,DC=faa,DC=gov and it's working successfully for us. The
search-bind-dn user should be part of the base-dn in case it isn't already.

The relevant LDAP attributes from our working configuration are below.

ldap-hostname: dc.local
ldap-port: 389
ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-dn: CN=guacamole,OU="Information Technology",OU=Office,OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-password: XXXXX



Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

On Fri, Dec 1, 2017 at 11:11 AM, <ha...@faa.gov> wrote:

> Just wondering if anyone has any ideas on how the LDAP is configured
> below?  This still isn’t working for me and I’d like to know why.
>
>
>
> Thanks,
>
> Harry

RE: Configuring LDAP

Posted by ha...@faa.gov.
Just wondering if anyone has any ideas on how the LDAP is configured below?  This still isn’t working for me and I’d like to know why.

Thanks,
Harry


RE: Configuring LDAP

Posted by ha...@faa.gov.
Here’s my current /etc/guacamole/guacamole.properties file:

#MySQL properties
mysql-hostname: localhost
mysql-port:3306
mysql-database: guacdb
mysql-username: guacuser
mysql-password: guacadmin
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user:0

#LDAP properties
ldap-hostname:my.hostname
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn=Directory Manager
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
#ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com


When I use the ldap-username-attribute:cn setting, I get the error where the Multiple DNs are what’s being complained about.  If I use the other one (the commented out one above), I simply get “Authentication attempted …… failed”.  We use the “cn=users,cn=accounts” string in other projects where we communicate with our LDAP server, so I’m pretty sure that’s correct.

Thanks,
Harry


Re: Configuring LDAP

Posted by Jonathan Hankins <jh...@homewood.k12.al.us>.
Harry, you said you tried "modifying ldap-username-attribute to be
cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm.
Ldap-username-attribute should be an LDAP attribute name like cn. Could you
post your complete (redacted) guacamole.properties as you have it currently?

Also, I saw that on a previous attempt today you got the log message:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]

If you have two users under your search base with uid (or cn, or whatever
you are using for ldap-username-attribute) "harry.devine" you are going to
have to use a more specific search base or a more unique
ldap-username-attribute or a more restrictive search filter so that you
don't get multiple matches for the username you are typing into the
username field on the login page.

I.e., the attribute you match against has to uniquely identify the user
beneath your search base for your query.

-Jonathan Hankins

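The uniqueness rule Jonathan states here, together with Nick's reply that cn=users,cn=compat mirrors the real objects under cn=users,cn=accounts, can be reproduced offline. The Python below is an added example, not Guacamole's code and not something anyone in the thread posted; its DIRECTORY is constructed, with the two harry.devine DNs copied from the warning in the log line above.

```python
"""Model the user lookup behind Guacamole's "Multiple DNs possible" warning.

Added example: not Guacamole's code and not posted by anyone in the thread.
With a search bind DN configured, the LDAP extension first searches below
ldap-user-base-dn for entries whose ldap-username-attribute equals the typed
login name; more than one hit produces the warning quoted in the thread, and
the user bind cannot proceed. DIRECTORY is constructed: the two harry.devine
DNs copy the warning's text, the other entries are filler.
"""

# Constructed directory: DN -> attributes, IPA-style compat and accounts trees.
DIRECTORY = {
    "uid=harry.devine,cn=users,cn=compat,dc=example,dc=com":
        {"uid": "harry.devine", "cn": "Harry Devine"},
    "uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com":
        {"uid": "harry.devine", "cn": "Harry Devine"},
    "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com":
        {"uid": "jdoe", "cn": "Jane Doe"},
    "cn=admins,cn=groups,cn=accounts,dc=example,dc=com":
        {"cn": "admins"},
}


class AmbiguousUserError(Exception):
    """More than one DN matched the login name under the search base."""

    def __init__(self, username, candidates):
        self.username = username
        self.candidates = candidates
        super().__init__(
            f'Multiple DNs possible for user "{username}": {candidates}')


def dn_rdns(dn):
    """Split a DN into lower-cased RDNs for comparison.

    Simplified: assumes no escaped commas inside RDN values, which holds for
    the DNs in this thread but not for arbitrary directories.
    """
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(dn, base_dn):
    """True if dn lies in the subtree rooted at base_dn (base included)."""
    parts, base = dn_rdns(dn), dn_rdns(base_dn)
    return len(parts) >= len(base) and parts[-len(base):] == base


def find_dns(directory, base_dn, attribute, value):
    """DNs under base_dn whose attribute equals value, case-insensitively.

    Equivalent to a subtree search from base_dn with the filter (attribute=value).
    """
    return sorted(
        dn for dn, attrs in directory.items()
        if is_under(dn, base_dn)
        and attrs.get(attribute, "").lower() == value.lower()
    )


def is_ambiguous(directory, base_dn, attribute, username):
    """True when the login name would trigger the Multiple DNs warning."""
    return len(find_dns(directory, base_dn, attribute, username)) > 1


def resolve_user_dn(directory, base_dn, attribute, username):
    """Return the single DN for username, None if absent; raise if ambiguous."""
    matches = find_dns(directory, base_dn, attribute, username)
    if not matches:
        return None
    if len(matches) > 1:
        raise AmbiguousUserError(username, matches)
    return matches[0]


if __name__ == "__main__":
    # Broad base, as in the thread: the compat and accounts entries both match.
    try:
        resolve_user_dn(DIRECTORY, "dc=example,dc=com", "uid", "harry.devine")
    except AmbiguousUserError as err:
        print("WARN", err)
    # Narrowed base: exactly one match, so the user bind can proceed.
    print(resolve_user_dn(DIRECTORY, "cn=users,cn=accounts,dc=example,dc=com",
                          "uid", "harry.devine"))
```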

Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
What LDAP server are you running?  You probably mentioned it already
somewhere in this thread, and I'm going to guess Active Directory, but just
want to make sure?  If it's OpenLDAP then it is quite possible it is
configured to disallow logins without some form of encryption (although I
wouldn't expect the search bind to work in this case, but who knows).  AD
doesn't usually have those restrictions, but depending on the environment,
it actually might require encryption, as well.  Other than that, it would
be useful to get a log from the LDAP server that indicates why it is
failing authentication - if it believes the password is wrong, or if it is
throwing some other sort of error.  I realize that you might be in an
organization where you don't have access to that server or those logs, but,
if you do, that would be helpful.

-Nick

RE: Configuring LDAP

Posted by ha...@faa.gov.
OK, so I tried that, including modifying ldap-username-attribute to be cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel we’re getting very close.

Thanks,
Harry


Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
Try disabling LDAP alias dereferencing:

ldap-dereference-aliases: never

It looks like you probably have the cn=users,cn=compat area pointed to the
real objects (cn=users,cn=accounts), and this could be confusing the LDAP
client when it expects uniquely-named items.  Otherwise, you'll need to
narrow your base DN such that it only locates one or the other account.

-Nick

RE: Configuring LDAP

Posted by ha...@faa.gov.
Update: using port 389 and none for encryption, and I had to change the search DN to be just cn=Directory Manager.  Now I get the following error:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN  o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
Nov 27 09:42:01 access server: 09:42:01.917 [http-bio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "harry.devine" failed.

When I tried port 636 and encryption set to SSL, I get “Unable to bind using search DN "cn=Directory Manager"”.  Ultimately, we need to have SSL working, so any help with first: logging in, then second, logging in via SSL/636 would be great.

Thanks,
Harry

From: Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
Sent: Monday, November 27, 2017 9:27 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, if you are using ldap-port:636, you probably need to specify:

ldap-encryption-method: ssl

I believe the default is "none".

Assuming you are able to temporarily configure your LDAP server to allow unencrypted binds (if it isn't already), you may want to test with ldap-port: 389 and ldap-encryption-method: none to make sure you have all of your LDAP settings correct before enabling encryption, then tackle the encryption.
-Jonathan Hankins

On Mon, Nov 27, 2017, 8:23 AM <ha...@faa.gov> wrote:
I just got back into the office and tried what you suggested.  Whenever I don’t have quotes around the ldap-search-bind-dn value, the login button doesn’t seem to respond.  In the Network tab in Chrome’s Developer Tools, the /guacamole/api/tokens call always shows “(pending)” as the status instead of 200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking out the real values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
Sent: Wednesday, November 22, 2017 1:41 PM

To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <ri...@medctrbarbour.org> wrote:

Restart tomcat

service tomcat restart

tail -f /var/log/messages


Authenticated



From: harry.devine@faa.gov [mailto:harry.devine@faa.gov]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t installed on the server I have guacamole installed on; didn’t realize that at first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters and tried again.  The page shows “Invalid Login”, but the following is displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN ""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am masking the usernames and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, <ha...@faa.gov> wrote:
I set SELinux to permissive and put the LDAP extension back (its under /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try to log in using an LDAP user.  I click Login and on the Network tab, it shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any further.


Okay...on the system where you're running Tomcat, can you make sure the OpenLDAP client utilities are installed and then use "ldapsearch" to query the same LDAP server that you're trying to use in Guacamole?  Something like this:

ldapsearch -H ldap://<server> -D <Search User> -W -b <base dn> cn=<Some User In LDAP>

...substituting in the above parameters and make sure you get a response?

-Nick

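Several of the fixes worked out in this chain can be checked mechanically: Jonathan's note that a value runs from the separator to the end of the line (so quotes become part of it, which is why the Nov 21 log shows the bind DN as ""cn=My User""), that ldap-username-attribute names an attribute rather than a DN, and that ldap-port 636 belongs with ldap-encryption-method ssl. The Python linter below is an added example, not Guacamole's code and not posted by anyone in the thread; BAD_CONFIG copies the layout of the Nov 21 message and GOOD_CONFIG is a constructed file written the way the replies recommend.

```python
"""Lint the LDAP keys of guacamole.properties for the mistakes in this thread.

Added example: not Guacamole's code and not posted by anyone in the thread.
Rules encoded: a quoted value is sent with its quotes; ldap-username-attribute
must be an attribute name such as cn or uid, not a DN; ldap-port 636 (LDAPS)
belongs with ldap-encryption-method ssl, whose default is none. Both sample
files are constructed: BAD_CONFIG copies the layout of the Nov 21 message,
GOOD_CONFIG is written the way the replies recommend.
"""
import re

BAD_CONFIG = """\
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
"""

GOOD_CONFIG = """\
# LDAP properties (constructed; placeholder values)
ldap-hostname: my.hostname
ldap-port: 389
ldap-encryption-method: none
ldap-dereference-aliases: never
ldap-search-bind-dn: cn=Directory Manager
ldap-search-bind-password: pass123
ldap-user-base-dn: cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute: uid
ldap-group-base-dn: cn=groups,cn=accounts,dc=example,dc=com
"""

# Java .properties syntax: key, then '=', ':' or whitespace, then the value up
# to end of line. Lines starting with '#' or '!' are comments.
_LINE = re.compile(r"([^=:\s]+)\s*[=:\s]\s*(.*)")


def parse_properties(text):
    """Return {key: raw value} with no unquoting, i.e. the value as Guacamole sees it."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def lint_ldap_properties(props):
    """Return a list of (key, problem) pairs; an empty list means no findings."""
    findings = []
    for key, value in props.items():
        if not key.startswith("ldap-"):
            continue
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            findings.append((key, "quoted value; the quotes are sent literally"))
    for key in ("ldap-user-base-dn", "ldap-group-base-dn"):
        if key in props and "=" not in props[key]:
            findings.append((key, "does not look like a DN"))
    attr = props.get("ldap-username-attribute", "")
    if "=" in attr or "," in attr:
        findings.append(("ldap-username-attribute",
                         "looks like a DN; use an attribute name such as cn or uid"))
    # Only check the port when it is set explicitly; Guacamole picks a default
    # that matches the encryption method when it is omitted.
    port = props.get("ldap-port")
    method = props.get("ldap-encryption-method", "none").strip("\"'").lower()
    if port == "636" and method != "ssl":
        findings.append(("ldap-port",
                         f"636 is the LDAPS port but ldap-encryption-method is {method}"))
    if port == "389" and method == "ssl":
        findings.append(("ldap-encryption-method",
                         "ssl on port 389; LDAPS is normally served on 636"))
    return findings


if __name__ == "__main__":
    for name, text in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(name)
        problems = lint_ldap_properties(parse_properties(text))
        for key, problem in problems or [("-", "no findings")]:
            print(f"  {key}: {problem}")
```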

RE: Configuring LDAP

Posted by ha...@faa.gov.
OK, I just tried it again with both 389/none and 636/ssl for those parameters, and both times I get the following errors:

Nov 27 09:30:31 access server: 09:30:31.838 [http-bio-8080-exec-9] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=Directory Manager,dc=example,dc=com"
Nov 27 09:30:31 access server: 09:30:31.839 [http-bio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 for user "harry.devine" failed.

Thanks,
Harry
From: Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
Sent: Monday, November 27, 2017 9:27 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, if you are using ldap-port:636, you probably need to specify:

ldap-encryption-method: ssl

I believe the default is "none" .

Assuming you are able to temporarily configure your LDAP server to allow unencrypted binds(if it isn't already), you may want to test with ldap-port: 389 and ldap-encryption-method: none  to make sure you have all of your LDAP settings correct before enabling encryption, then tackle the encryption.
-Jonathan Hankins

On Mon, Nov 27, 2017, 8:23 AM <ha...@faa.gov> wrote:
I just got back into the office and tried what you suggested.  Whenever I don’t have quotes around the ldap-search-bind-dn value, the login button doesn’t seem to respond.  In the Network tab in Chrome’s Developer Tools, the /guacamole/api/tokens call always shows “(pending)” as the status instead of 200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking out the real values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
Sent: Wednesday, November 22, 2017 1:41 PM

To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <ri...@medctrbarbour.org> wrote:

Restart tomcat

service tomcat restart

tail -f /var/log/messages

Authenticated



From: harry.devine@faa.gov [mailto:harry.devine@faa.gov]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t installed on the server I have guacamole installed on; didn’t realize that at first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters and tried again.  The page shows “Invalid Login”, but the following is displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN ""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am masking the usernames and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, <ha...@faa.gov> wrote:
I set SELinux to permissive and put the LDAP extension back (its under /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try to log in using an LDAP user.  I click Login and on the Network tab, it shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any further.


Okay...on the system where you're running Tomcat, can you make sure the OpenLDAP client utilities are installed and then use "ldapsearch" to query the same LDAP server that you're trying to use in Guacamole?  Something like this:

ldapsearch -H ldap://<server> -D <Search User> -W -b <base dn> cn=<Some User In LDAP>

...substituting in the above parameters and make sure you get a response?

-Nick


Re: Configuring LDAP

Posted by Jonathan Hankins <jh...@homewood.k12.al.us>.
Harry, if you are using ldap-port:636, you probably need to specify:

ldap-encryption-method: ssl

I believe the default is "none" .

Assuming you are able to temporarily configure your LDAP server to allow
unencrypted binds(if it isn't already), you may want to test with
ldap-port: 389 and ldap-encryption-method: none  to make sure you have all
of your LDAP settings correct before enabling encryption, then tackle the
encryption.
-Jonathan Hankins

On Mon, Nov 27, 2017, 8:23 AM <ha...@faa.gov> wrote:

> I just got back into the office and tried what you suggested.  Whenever I
> don’t have quotes around the ldap-search-bind-dn value, the login button
> doesn’t seem to respond.  In the Network tab in Chrome’s Developer Tools,
> the /guacamole/api/tokens call always shows “(pending)” as the status
> instead of 200 or 403.
>
>
>
> Here’s what I have for my LDAP values in guacamole.properties (again,
> masking out the real values):
>
>
>
> ldap-hostname:ldap.hostname
>
> ldap-port:636
>
> ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
>
> ldap-search-bind-password:pass123
>
> ldap-user-base-dn:dc=example,dc=com
>
> ldap-username-attribute:cn
>
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
>
>
> Thanks,
>
> Harry

RE: Configuring LDAP

Posted by ha...@faa.gov.
I just got back into the office and tried what you suggested.  Whenever I don’t have quotes around the ldap-search-bind-dn value, the login button doesn’t seem to respond.  In the Network tab in Chrome’s Developer Tools, the /guacamole/api/tokens call always shows “(pending)” as the status instead of 200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking out the real values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
Sent: Wednesday, November 22, 2017 1:41 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins



Re: Configuring LDAP

Posted by Jonathan Hankins <jh...@homewood.k12.al.us>.
Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute
that you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the
guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <
richard.hawkins@medctrbarbour.org> wrote:

>
>
> Restart tomcat
>
>
>
> Service tomcat restart..
>
>
>
> Tail –f /var/log/messages
>
>
>
>
>
> Authenticated

RE: Configuring LDAP

Posted by "Hawkins, Richard" <ri...@medctrbarbour.org>.
 

Restart tomcat

service tomcat restart

tail -f /var/log/messages

Authenticated

From: harry.devine@faa.gov [mailto:harry.devine@faa.gov]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t installed on the server I have guacamole installed on; didn’t realize that at first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters and tried again.  The page shows “Invalid Login”, but the following is displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN ""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am masking the usernames and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

 



RE: Configuring LDAP

Posted by ha...@faa.gov.
OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t installed on the server I have guacamole installed on; didn’t realize that at first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters and tried again.  The page shows “Invalid Login”, but the following is displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN ""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am masking the usernames and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, <ha...@faa.gov> wrote:
I set SELinux to permissive and put the LDAP extension back (its under /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try to log in using an LDAP user.  I click Login and on the Network tab, it shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any further.


Okay...on the system where you're running Tomcat, can you make sure the OpenLDAP client utilities are installed and then use "ldapsearch" to query the same LDAP server that you're trying to use in Guacamole?  Something like this:

ldapsearch -H ldap://<server> -D <Search User> -W -b <base dn> cn=<Some User In LDAP>

...substituting in the above parameters and make sure you get a response?

-Nick

Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Nov 21, 2017 at 8:10 AM, <ha...@faa.gov> wrote:

> I set SELinux to permissive and put the LDAP extension back (its under
> /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and
> try to log in using an LDAP user.  I click Login and on the Network tab, it
> shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never
> gets any further.
>
>
>
Okay...on the system where you're running Tomcat, can you make sure the
OpenLDAP client utilities are installed and then use "ldapsearch" to query
the same LDAP server that you're trying to use in Guacamole?  Something
like this:

ldapsearch -H ldap://<server> -D <Search User> -W -b <base dn> cn=<Some
User In LDAP>

...substituting in the above parameters and make sure you get a response?

-Nick
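The checks this thread converges on (Jonathan's points about the properties format, the fully qualified bind DN and the username attribute, his note that port 636 needs ldap-encryption-method: ssl, and Nick's suggestion above to reproduce the search bind with ldapsearch from the Tomcat host) can be run against guacamole.properties before the next Tomcat restart. The Python below is an added example written for this page, not code from the Guacamole project. It assumes guacamole.properties is read as a Java-style properties file (key, then : or =, then the raw value to end of line, quotes included, which is why the log above shows the DN as ""cn=My User""), that none, starttls and ssl are the ldap-encryption-method values with none as the default, and it uses the two configurations Harry posted as constructed input.

```python
"""Lint the ldap-* settings in guacamole.properties; print the matching ldapsearch."""
import re

# Constructed input: the two configurations posted in this thread, with the
# posters' own placeholder values (no real hosts or credentials).
QUOTED_CONFIG = """\
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
"""

CORRECTED_CONFIG = """\
ldap-hostname: ldap.hostname
ldap-port: 636
ldap-encryption-method: ssl
ldap-search-bind-dn: cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password: pass123
ldap-user-base-dn: dc=example,dc=com
ldap-username-attribute: cn
ldap-group-base-dn: cn=groups,cn=accounts,dc=example,dc=com
"""

# A DN in the usual "attr=value,attr=value" form ('+' multi-valued RDNs not handled).
DN_RE = re.compile(r"^[A-Za-z][\w.-]*\s*=\s*[^,=]+(,\s*[A-Za-z][\w.-]*\s*=\s*[^,=]+)*$")
ATTR_RE = re.compile(r"^[A-Za-z][\w-]*$")      # a bare attribute type: uid, cn, ...
PORT_FOR_METHOD = {"none": 389, "starttls": 389, "ssl": 636}   # assumed defaults


def parse_properties(text):
    """Parse like java.util.Properties (minus escapes): key, then ':' or '=' or
    whitespace, then the raw value to end of line. Quotes are kept as typed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            m = re.match(r"^([^\s:=]+)\s*[:=]?\s*(.*)$", line)
            if m:
                props[m.group(1)] = m.group(2)
    return props


def bare(props, key):
    """Value with surrounding quotes removed, so later checks see the intent."""
    return props.get(key, "").strip("\"'")


def lint_ldap(props):
    """Return (level, key, message) findings for the ldap-* properties."""
    findings = []
    for key, val in props.items():
        if key.startswith("ldap-") and len(val) > 1 and val[0] == val[-1] and val[0] in "\"'":
            findings.append(("error", key, f"quotes are part of the value {val!r}; remove them"))
    for key in ("ldap-search-bind-dn", "ldap-user-base-dn", "ldap-group-base-dn"):
        dn = bare(props, key)
        if key in props and not DN_RE.match(dn):
            findings.append(("error", key, f"{dn!r} is not a DN"))
        elif key == "ldap-search-bind-dn" and dn and "," not in dn:
            findings.append(("warn", key, f"{dn!r} has a single RDN; use the account's full DN"))
    attr = bare(props, "ldap-username-attribute")
    if attr and not ATTR_RE.match(attr):
        findings.append(("error", "ldap-username-attribute",
                         f"{attr!r} must be an attribute name (uid, cn, ...), not a DN"))
    method = bare(props, "ldap-encryption-method") or "none"      # default when unset
    if method not in PORT_FOR_METHOD:
        findings.append(("error", "ldap-encryption-method", f"unknown method {method!r}"))
        return findings
    port = bare(props, "ldap-port") or str(PORT_FOR_METHOD[method])
    if port == "636" and method != "ssl":
        findings.append(("error", "ldap-port", "636 is the LDAPS port but "
                         f"ldap-encryption-method is {method!r}; set it to ssl"))
    elif port == "389" and method == "ssl":
        findings.append(("error", "ldap-port", "ssl expects the LDAPS port, normally 636"))
    if method == "none":
        findings.append(("warn", "ldap-encryption-method",
                         "none sends the search-bind password in clear; use ssl or starttls"))
    return findings


def ldapsearch_command(props, username):
    """The ldapsearch call that does Guacamole's search bind and user lookup,
    for running on the Tomcat host before blaming the extension."""
    method = bare(props, "ldap-encryption-method") or "none"
    port = bare(props, "ldap-port") or str(PORT_FOR_METHOD.get(method, 389))
    scheme = "ldaps" if method == "ssl" else "ldap"
    tls = " -ZZ" if method == "starttls" else ""     # -ZZ: StartTLS must succeed
    return (f"ldapsearch -H {scheme}://{bare(props, 'ldap-hostname')}:{port}{tls}"
            f" -D '{bare(props, 'ldap-search-bind-dn')}' -W"
            f" -b '{bare(props, 'ldap-user-base-dn')}'"
            f" '({bare(props, 'ldap-username-attribute') or 'uid'}={username})'")


if __name__ == "__main__":
    for name, text in (("quoted", QUOTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        props = parse_properties(text)
        print(f"== {name} ==")
        for level, key, msg in lint_ldap(props) or [("ok", "-", "no findings")]:
            print(f"  {level:5} {key}: {msg}")
        print("  " + ldapsearch_command(props, "harry.devine"))
```

Run it over a real guacamole.properties by replacing the constructed text with the file's contents; the quoted configuration yields eight errors and two warnings (every quoted value, the DN in ldap-username-attribute, and 636 without ssl), the corrected one yields none, and the printed ldapsearch line is the bind test to run as the Tomcat user before touching the extension again.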

RE: Configuring LDAP

Posted by ha...@faa.gov.
I set SELinux to permissive and put the LDAP extension back (its under /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try to log in using an LDAP user.  I click Login and on the Network tab, it shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any further.

Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Monday, November 20, 2017 2:04 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 20, 2017 at 1:52 PM, <ha...@faa.gov> wrote:
We’re using Red Hat Enterprise Linux 7.4 with SELinux set to enforcing.  I disabled the LDAP extension and just used MySQL for the guacadmin user and could log in.  I do see the following information in /var/log/messages:


This sounds like the server-side, but are you able to temporarily disable SELinux (set it to permissive mode, "setenforce 0") and then restart Tomcat and see if it works with LDAP? I'm not suggesting this as a long-term fix, just long enough to validate whether SELinux is, indeed, blocking LDAP traffic, or if it's still something else?

-Nick

Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Nov 20, 2017 at 1:52 PM, <ha...@faa.gov> wrote:

> We’re using Red Hat Enterprise Linux 7.4 with SELinux set to enforcing.  I
> disabled the LDAP extension and just used MySQL for the guacadmin user and
> could log in.  I do see the following information in /var/log/messages:
>
>
>
This sounds like the server-side, but are you able to temporarily disable
SELinux (set it to permissive mode, "setenforce 0") and then restart Tomcat
and see if it works with LDAP? I'm not suggesting this as a long-term fix,
just long enough to validate whether SELinux is, indeed, blocking LDAP
traffic, or if it's still something else?

-Nick

RE: Configuring LDAP

Posted by ha...@faa.gov.
We’re using Red Hat Enterprise Linux 7.4 with SELinux set to enforcing.  I disabled the LDAP extension and just used MySQL for the guacadmin user and could log in.  I do see the following information in /var/log/messages:

Nov 20 13:43:57 access server: 13:43:57.545 [http-bio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from 172.31.26.216.
Nov 20 13:44:01 access setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java from name_connect access on the tcp_socket port 3306. For complete SELinux messages run: sealert -l 1514ddfd-32d5-4705-b5d3-cdec3cb55f46
Nov 20 13:44:01 access python: SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java from name_connect access on the tcp_socket port 3306.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that java should be allowed name_connect access on the port 3306 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'java' --raw | audit2allow -M my-java#012# semodule -i my-java.pp#012

I found the following bug against the SELinux policy RPMs: https://bugzilla.redhat.com/show_bug.cgi?id=1491747

As a workaround, I made that portion with the bug set to Permissive.  Did that a few weeks ago, so Guacamole is working for at least the local Admin user.  Not for LDAP.

Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Monday, November 20, 2017 1:25 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 20, 2017 at 1:06 PM, <ha...@faa.gov> wrote:
/var/log/messages doesn’t show anything at all when I try the login.  Also, when I click Login, the area at the top of the Developer Tools window (with the times in it 2000ms, 4000ms, etc.) updates, but the list of javascript files that is accessed doesn’t change.  The tokens file/topic is in red, and it says that the Initiator is angular.js on line 9902.


Okay, a couple of things for you:

- This thread started out as an issue with the LDAP module/authentication, but I'm fairly convinced it has absolutely nothing to do with LDAP.  Have you tried removing the LDAP module and just using something like the JDBC module, or even the simple file authentication module, and see if it works at all like that?  I suspect it will not, but it would be good to confirm.
- What client platform are you running (Windows, Linux, etc.), and have you tried it on more than one client system, and preferably on more than one platform?
- This issue really sounds like some sort of security software intercepting the browser's attempt to log in to the system.  Do you have any sort of A/V or security extension installed in the browser (e.g. McAfee, Symantec, etc.), any of the Chrome Enterprise Group Policies deployed, or any sort of web security software running on the client, that could be blocking this web page from actually submitting the data to the Guacamole system?  The behavior you are describing sounds very much like something is stopping the browser from actually making the call to the REST endpoint, and not like a Tomcat/servlet issue.

-Nick
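Harry's workaround above puts the whole Java domain in permissive mode, which removes SELinux confinement from Tomcat entirely rather than allowing the one port it needs. Before choosing between a boolean, a custom module and a permissive domain it helps to know exactly which ports are being denied and whether each is one the application should reach at all. The Python below is an added example, not part of this thread or of Guacamole: it parses setroubleshoot summary lines like the one Harry posted and groups them per port against an allow-list. The second log line, its sealert id and the port-to-label table are constructed assumptions (the labels are the stock RHEL 7 targeted-policy defaults, to be confirmed with semanage port -l on the host).

```python
"""Pull SELinux port denials out of /var/log/messages and flag unexpected ports."""
import re
from collections import Counter

# Constructed sample: the setroubleshoot line Harry posted (port 3306), plus a
# hypothetical second denial on the LDAPS port with a made-up sealert id.
SAMPLE_LOG = """\
Nov 20 13:43:57 access server: 13:43:57.545 [http-bio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from 172.31.26.216.
Nov 20 13:44:01 access setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java from name_connect access on the tcp_socket port 3306. For complete SELinux messages run: sealert -l 1514ddfd-32d5-4705-b5d3-cdec3cb55f46
Nov 20 13:44:09 access setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java from name_connect access on the tcp_socket port 636. For complete SELinux messages run: sealert -l 0a0a0a0a-1b1b-4c4c-8d8d-0e0e0e0e0e0e
"""

# Only the setroubleshoot summary is matched; the longer "python:" copy of the
# same event that setroubleshoot also logs is skipped so nothing is counted twice.
DENIAL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) setroubleshoot: "
    r"SELinux is preventing (?P<exe>\S+) from (?P<access>\w+) access on the "
    r"(?P<cls>\w+) port (?P<port>\d+)\.(?:.*sealert -l (?P<id>[0-9a-f-]+))?")

# Default port labels in the RHEL 7 targeted policy (what `semanage port -l`
# shows on a stock host). Assumed here, not read from the host: confirm there.
PORT_LABELS = {389: "ldap_port_t", 636: "ldap_port_t",
               3306: "mysqld_port_t", 5432: "postgresql_port_t"}


def parse_denials(text):
    """One dict per setroubleshoot port-denial summary line in text."""
    denials = []
    for line in text.splitlines():
        m = DENIAL_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["label"] = PORT_LABELS.get(d["port"], "unknown")
            denials.append(d)
    return denials


def summarize(denials, needed_ports):
    """Group by (exe, access, port) and mark whether the port is on the
    application's allow-list. An expected port wants a narrow allow (boolean or
    module) rather than a permissive domain; an unexpected one wants a look first."""
    counts = Counter((d["exe"], d["access"], d["port"]) for d in denials)
    first_id = {}
    for d in denials:
        first_id.setdefault((d["exe"], d["access"], d["port"]), d["id"])
    rows = []
    for key, n in sorted(counts.items()):
        exe, access, port = key
        rows.append({"exe": exe, "access": access, "port": port, "count": n,
                     "label": PORT_LABELS.get(port, "unknown"),
                     "expected": port in needed_ports,
                     "detail": f"sealert -l {first_id[key]}" if first_id[key]
                               else "(no sealert id in line)"})
    return rows


if __name__ == "__main__":
    # Assumed allow-list for this host: MySQL, LDAPS and guacd are what the
    # Guacamole web application has to reach; anything else is suspicious.
    GUACAMOLE_PORTS = {3306, 636, 4822}
    for r in summarize(parse_denials(SAMPLE_LOG), GUACAMOLE_PORTS):
        verdict = "expected, allow narrowly" if r["expected"] else "UNEXPECTED, investigate"
        print(f"{r['exe'].rsplit('/', 1)[-1]} {r['access']} port {r['port']} "
              f"({r['label']}) x{r['count']}: {verdict}; {r['detail']}")
```

With the sample both denials come out as expected ports, and the printed sealert command for each is the next step: its output names the confining domain, which decides whether a shipped boolean covers the port or a one-rule module from audit2allow is the least privilege fix. Feed it `grep setroubleshoot /var/log/messages` on the real host instead of the constructed sample.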

Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Nov 20, 2017 at 1:06 PM, <ha...@faa.gov> wrote:

> /var/log/messages doesn’t show anything at all when I try the login.
> Also, when I click Login, the area at the top of the Developer Tools window
> (with the times in it 2000ms, 4000ms, etc.) updates, but the list of
> javascript files that is accessed doesn’t change.  The tokens file/topic is
> in red, and it says that the Initiator is angular.js on line 9902.
>
>
>
Okay, a couple of things for you:

- This thread started out as an issue with the LDAP module/authentication,
but I'm fairly convinced it has absolutely nothing to do with LDAP.  Have
you tried removing the LDAP module and just using something like the JDBC
module, or even the simple file authentication module, and see if it works
at all like that?  I suspect it will not, but it would be good to confirm.
- What client platform are you running (Windows, Linux, etc.), and have you
tried it on more than one client system, and preferably on more than one
platform?
- This issue really sounds like some sort of security software intercepting
the browser's attempt to log in to the system.  Do you have any sort of A/V
or security extension installed in the browser (e.g. McAfee, Symantec,
etc.), any of the Chrome Enterprise Group Policies deployed, or any sort of
web security software running on the client, that could be blocking this
web page from actually submitting the data to the Guacamole system?  The
behavior you are describing sounds very much like something is stopping the
browser from actually making the call to the REST endpoint, and not like a
Tomcat/servlet issue.

-Nick

RE: Configuring LDAP

Posted by ha...@faa.gov.
/var/log/messages doesn’t show anything at all when I try the login.  Also, when I click Login, the area at the top of the Developer Tools window (with the times in it 2000ms, 4000ms, etc.) updates, but the list of javascript files that is accessed doesn’t change.  The tokens file/topic is in red, and it says that the Initiator is angular.js on line 9902.

Thanks,
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Monday, November 20, 2017 1:00 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 20, 2017 at 12:53 PM, <ha...@faa.gov> wrote:
Looks like I get a 403 when it tries to access /guacamole/api/tokens.


There will be an initial 403 that happens when the page is loaded (this prompts the login dialog to appear in the first place), but if you're getting a 403 after entering the credentials and clicking Login, then something is going wrong with the login process.  Can you dig into the 403 and see what type of error/response you're seeing?  Is it Invalid credentials, insufficient credentials, or some other error?

I think we determined in the past that on your system the bulk of the Tomcat messages are actually going to /var/log/messages instead of the Tomcat-specific logs.  Can you do a "tail -f /var/log/messages" and attempt the login, and see what gets displayed there?  You should get at least the authentication failure message, if nothing else.

-Nick


Re: Configuring LDAP

Posted by Mike Jumper <mi...@guac-dev.org>.
On Mon, Nov 20, 2017 at 10:01 AM, Richard Lee <ri...@streamgo.co.uk>
wrote:

> How can I leave this group?
>
>
If you want to unsubscribe to the user@ list, send an email to
user-unsubscribe@guacamole.apache.org and follow the instructions in the
confirmation email. Be sure to send the email from the email address that
you used to subscribe.

See:

http://guacamole.apache.org/support/#mailing-lists
http://apache.org/foundation/mailinglists.html

- Mike

Re: Configuring LDAP

Posted by Richard Lee <ri...@streamgo.co.uk>.
How can I leave this group?


Richard Lee // Production Director // +44 203 627 6280 // www.streamgo.co.uk

<http://www.streamgo.co.uk/>

the streaming and online event experts

On 20 November 2017 at 18:00, Nick Couchman <vn...@apache.org> wrote:

> On Mon, Nov 20, 2017 at 12:53 PM, <ha...@faa.gov> wrote:
>
>> Looks like I get a 403 when it tries to access /guacamole/api/tokens.
>>
>>
>>
>
> There will be an initial 403 that happens when the page is loaded (this
> prompts the login dialog to appear in the first place), but if you're
> getting a 403 after entering the credentials and clicking Login, then
> something is going wrong with the login process.  Can you dig into the 403
> and see what type of error/response you're seeing?  Is it Invalid
> credentials, insufficient credentials, or some other error?
>
> I think we determined in the past that on your system the bulk of the
> Tomcat messages are actually going to /var/log/messages instead of the
> Tomcat-specific logs.  Can you do a "tail -f /var/log/messages" and attempt
> the login, and see what gets displayed there?  You should get at least the
> authentication failure message, if nothing else.
>
> -Nick
>
>


Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Nov 20, 2017 at 12:53 PM, <ha...@faa.gov> wrote:

> Looks like I get a 403 when it tries to access /guacamole/api/tokens.
>
>
>

There will be an initial 403 that happens when the page is loaded (this
prompts the login dialog to appear in the first place), but if you're
getting a 403 after entering the credentials and clicking Login, then
something is going wrong with the login process.  Can you dig into the 403
and see what type of error/response you're seeing?  Is it Invalid
credentials, insufficient credentials, or some other error?

I think we determined in the past that on your system the bulk of the
Tomcat messages are actually going to /var/log/messages instead of the
Tomcat-specific logs.  Can you do a "tail -f /var/log/messages" and attempt
the login, and see what gets displayed there?  You should get at least the
authentication failure message, if nothing else.

-Nick

RE: Configuring LDAP

Posted by ha...@faa.gov.
Looks like I get a 403 when it tries to access /guacamole/api/tokens.

Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Monday, November 20, 2017 11:40 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 20, 2017 at 8:10 AM, <ha...@faa.gov> wrote:
I use Chrome and I use the Developer Console all the time.  I just tried it again and got nothing at all in the console.  I even had the catalina.2017-11-20.log file open and got nothing in there either.  Nothing happens.

Great.  What about on the Network tab?  When you click the Login button, do you see it making any attempts to access anything network-side?  For example, when I log in, I see a POST to the api/tokens REST endpoint with the credentials, and I receive a 200 (OK) response.  You should see this POST happen, and then some sort of return - 200 for OK (which I would not expect in your case), 403 if the credentials are not accepted, or 500 if there's a server-side error.

-Nick

Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Nov 20, 2017 at 8:10 AM, <ha...@faa.gov> wrote:

> I use Chrome and I use the Developer Console all the time.  I just tried
> it again and got nothing at all in the console.  I even had the
> catalina.2017-11-20.log file open and got nothing in there either.  Nothing
> happens.
>

Great.  What about on the Network tab?  When you click the Login button, do
you see it making any attempts to access anything network-side?  For
example, when I log in, I see a POST to the api/tokens REST endpoint with
the credentials, and I receive a 200 (OK) response.  You should see this
POST happen, and then some sort of return - 200 for OK (which I would not
expect in your case), 403 if the credentials are not accepted, or 500 if
there's a server-side error.

-Nick
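
The three outcomes Nick lists (200, 403, 500) are easiest to read when the login request is reproduced outside the browser. The following is an added example, not code from this thread or from the Guacamole project: it POSTs form-encoded credentials to `/api/tokens` the way the web app does and classifies the reply, with `None` standing for the "request stays pending, nothing ever answers" symptom. The field names `username`/`password`, the JSON bodies and the local stand-in server are assumptions; the stand-in exists only so the script runs offline.

```python
"""Reproduce the Guacamole login POST by hand and classify the HTTP reply.
Added example, not Guacamole's own code; assumptions are marked below."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Meaning of each status from the tokens endpoint, as described in the thread.
STATUS_MEANING = {
    200: "login accepted (server returned an auth token)",
    403: "credentials rejected or insufficient (read the JSON body for the type)",
    500: "server-side error (check the Tomcat log or /var/log/messages)",
}


def diagnose_login(base_url, username, password, timeout=5):
    """POST form-encoded credentials to <base_url>/api/tokens.

    Returns (status, meaning, body). status is None when no HTTP reply arrives
    at all: the 'pending forever' case, where the server has nothing to log
    because the request never reached it.
    ASSUMPTION: the web app sends 'username' and 'password' as form fields.
    """
    form = urlencode({"username": username, "password": password}).encode()
    req = Request(base_url.rstrip("/") + "/api/tokens", data=form, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode()
    except HTTPError as err:      # 4xx/5xx are still answers worth reading
        status, body = err.code, err.read().decode()
    except OSError as err:        # refused, DNS failure, timeout: no reply at all
        return None, f"no HTTP reply at all: {err}", ""
    return status, STATUS_MEANING.get(status, "unexpected status"), body


class _FakeTokensEndpoint(BaseHTTPRequestHandler):
    """CONSTRUCTED stand-in for /guacamole/api/tokens so the demo runs offline.
    It mimics the three outcomes from the thread; the JSON bodies are illustrative."""
    VALID = {"guacadmin": "guacadmin"}   # constructed sample credential

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = parse_qs(self.rfile.read(length).decode())
        user = fields.get("username", [""])[0]
        password = fields.get("password", [""])[0]
        if self.path != "/guacamole/api/tokens":
            self._reply(404, {"message": "Not found"})
        elif user == "trigger-500":       # constructed way to provoke a server error
            self._reply(500, {"message": "Internal server error"})
        elif self.VALID.get(user) == password:
            self._reply(200, {"authToken": "constructed-token", "username": user})
        else:
            self._reply(403, {"message": "Permission Denied.", "type": "INVALID_CREDENTIALS"})

    def _reply(self, code, obj):
        payload = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_server():
    """Bind the stand-in on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeTokensEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/guacamole"


if __name__ == "__main__":
    server, base = start_fake_server()
    for user, pw in (("guacadmin", "guacadmin"), ("guacadmin", "wrong"), ("trigger-500", "x")):
        print(user, diagnose_login(base, user, pw)[:2])
    server.shutdown()
    server.server_close()
    print("after server stopped:", diagnose_login(base, "guacadmin", "guacadmin", timeout=2)[:2])
```

Against a real installation you would call `diagnose_login("https://guac.example.test/guacamole", ...)` from the same client machine that shows the hanging request: a 403 or 500 there proves the request reaches Tomcat and the problem is server-side, while `None` confirms something between the client and Tomcat is swallowing it.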

RE: Configuring LDAP

Posted by ha...@faa.gov.
I use Chrome and I use the Developer Console all the time.  I just tried it again and got nothing at all in the console.  I even had the catalina.2017-11-20.log file open and got nothing in there either.  Nothing happens.

Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Friday, November 17, 2017 1:17 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Thu, Nov 16, 2017 at 9:33 AM, <ha...@faa.gov> wrote:

Nothing at all. And the Guacamole screen never changes, as if the Login button doesn't work or is somehow dead.
Hmmm...okay, this is odd.  What browser are you using?  If you're using Chrome, can you open the Developer Console and look for errors in the JavaScript console, or watch the network activity during login and see what's being returned?

-Nick

Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Nov 16, 2017 at 9:33 AM, <ha...@faa.gov> wrote:

> Nothing at all. And the Guacamole screen never changes, as if the Login
> button doesn't work or is somehow dead.
>
Hmmm...okay, this is odd.  What browser are you using?  If you're using
Chrome, can you open the Developer Console and look for errors in the
JavaScript console, or watch the network activity during login and see
what's being returned?

-Nick

Re: Configuring LDAP

Posted by ha...@faa.gov.
Nothing at all. And the Guacamole screen never changes, as if the Login button doesn't work or is somehow dead.


Thanks,

Harry

________________________________
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, November 15, 2017 7:59:36 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP


On Wed, Nov 15, 2017 at 15:35 <ha...@faa.gov> wrote:
Here’s the /var/log/messages data from right after I restarted Tomcat and Guacamole:  https://pastebin.com/YSwepbgk.  This server is running RHEL 7.4.

So, on line 94 the LDAP extension appears to be getting loaded, so that part is fine.  Seems like it might be a configuration issue - what shows up in that log file when you try to authenticate?

- Nick

Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Nov 15, 2017 at 15:35 <ha...@faa.gov> wrote:

> Here’s the /var/log/messages data from right after I restarted Tomcat and
> Guacamole:  https://pastebin.com/YSwepbgk.  This server is running RHEL
> 7.4.
>

So, on line 94 the LDAP extension appears to be getting loaded, so that
part is fine.  Seems like it might be a configuration issue - what shows up
in that log file when you try to authenticate?

- Nick

RE: Configuring LDAP

Posted by ha...@faa.gov.
Here’s the /var/log/messages data from right after I restarted Tomcat and Guacamole:  https://pastebin.com/YSwepbgk.  This server is running RHEL 7.4.

Thanks,
Harry

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Wednesday, November 15, 2017 3:27 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

And, failing that, journalctl or /var/log/messages or syslog. Distributions vary widely.

- Mike


On Nov 15, 2017 12:24, "Nick Couchman" <vn...@apache.org> wrote:
On Mon, Nov 13, 2017 at 7:27 PM, <ha...@faa.gov> wrote:
/var/log/tomcat/catalina.2017-11-13.log

Can you look for/at /var/log/tomcat/catalina.out, instead?  I'm not certain that file will be there, but my general experience with Tomcat is that catalina.out has more detail than even the catalina.*.log files.

-Nick

Re: Configuring LDAP

Posted by Mike Jumper <mi...@guac-dev.org>.
And, failing that, journalctl or /var/log/messages or syslog. Distributions
vary widely.

- Mike


On Nov 15, 2017 12:24, "Nick Couchman" <vn...@apache.org> wrote:

> On Mon, Nov 13, 2017 at 7:27 PM, <ha...@faa.gov> wrote:
>
>> /var/log/tomcat/catalina.2017-11-13.log
>>
>
> Can you look for/at /var/log/tomcat/catalina.out, instead?  I'm not
> certain that file will be there, but my general experience with Tomcat is
> that catalina.out has more detail than even the catalina.*.log files.
>
> -Nick
>

RE: Configuring LDAP

Posted by ha...@faa.gov.
That file has Sunday’s date on it (11/12/17) and is a zero length file.  I know I was restarting Tomcat and Guacamole on Monday the 13th, so that file looks like it’s a dead end.

Thanks,
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Wednesday, November 15, 2017 3:24 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 13, 2017 at 7:27 PM, <ha...@faa.gov> wrote:
/var/log/tomcat/catalina.2017-11-13.log

Can you look for/at /var/log/tomcat/catalina.out, instead?  I'm not certain that file will be there, but my general experience with Tomcat is that catalina.out has more detail than even the catalina.*.log files.

-Nick

Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Nov 13, 2017 at 7:27 PM, <ha...@faa.gov> wrote:

> /var/log/tomcat/catalina.2017-11-13.log
>

Can you look for/at /var/log/tomcat/catalina.out, instead?  I'm not certain
that file will be there, but my general experience with Tomcat is that
catalina.out has more detail than even the catalina.*.log files.

-Nick

Re: Configuring LDAP

Posted by ha...@faa.gov.
/var/log/tomcat/catalina.2017-11-13.log
________________________________
From: Mike Jumper <mi...@guac-dev.org>
Sent: Monday, November 13, 2017 4:56:23 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

Which log are these messages from?

- Mike


On Mon, Nov 13, 2017 at 12:55 PM, <ha...@faa.gov> wrote:
OK, here goes:  https://pastebin.com/Be35FaN6

Thanks,
Harry

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Monday, November 13, 2017 3:49 PM

To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

Don't send it to me directly off-list - things really need to be kept on-list.

pastebin or a GitHub gist are decent choices. You could also paste the logs directly into a new email. I don't recommend trying to attach the logs, as attachments are sometimes filtered away.


On Mon, Nov 13, 2017 at 12:44 PM, <ha...@faa.gov> wrote:
Any place in particular?  Not really sure where I can put something like that.  Can I send it to you off-list?

Thanks,
Harry

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Monday, November 13, 2017 2:02 PM

To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

Following a restart of Tomcat, can you post the entire Tomcat log somewhere, at least the portion which follows that restart?

- Mike


On Mon, Nov 13, 2017 at 10:51 AM, <ha...@faa.gov> wrote:
I tried to add GUACAMOLE_HOME=”/etc/guacamole” into /etc/tomcat/tomcat.conf and restarting Tomcat, but that didn’t work.  Instead of getting “Login failed” on the page, the page did nothing.  So I backed that out and restarted everything, and can’t log in at all.  I enter the guacadmin user and password and click Login, and nothing happens.  I do see a successful login message in /var/log/messages, but the page doesn’t redirect me anywhere any longer.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 13, 2017 8:49 AM
To: user@guacamole.incubator.apache.org
Subject: RE: Configuring LDAP

Well, I tried moving the extensions to /etc/guacamole and restarting Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.  Where do I set that in catalina.properties?  That’s my next step.  Also, when I try to log in, I do see the following error in the log (I masked out the IP and the user name):

Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "user" failed.

Thanks,
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Monday, November 13, 2017 8:05 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 13, 2017 at 7:55 AM, <ha...@faa.gov> wrote:
I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP loading.  I have the 0.9.13 LDAP extension at /usr/share/tomcat/.guacamole/extensions.  Is that the proper directory for it?  I’m pretty sure that’s where the user guide said to put it.  I also have the pertinent LDAP parameters set in the guacamole.properties file at /etc/guacamole.

In 0.9.13-incubating, if you downloaded the release from the website, then the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.  Double-check and make sure that's the Tomcat user's home directory.  You can also change the GUACAMOLE_HOME via either the guacamole.home property in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME environment variable before starting Tomcat.  This changes slightly in 0.9.14-incubating (git repo), with /etc/guacamole becoming the fallback-default location.

If you have guacamole.properties in /etc/guacamole, and you can successfully change other items in that file and see the changes take effect, then I believe your GUACAMOLE_HOME is probably configured for /etc/guacamole, in which case your extensions should be in /etc/guacamole/extensions.  So, you might try creating that directory, placing the LDAP extension there, and then restarting Tomcat.

-Nick
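
Nick's explanation of how GUACAMOLE_HOME is chosen (system property, then environment variable, then the Tomcat user's `~/.guacamole`, with `/etc/guacamole` as the 0.9.14 fallback) is the crux of the extension-not-loading problem: a jar under one candidate directory is invisible when Guacamole resolves to another. The following is an added example, not Guacamole's own code, that encodes that precedence and reports what would be found under the resolved directory. The function names and the temporary sample layout are mine, and the rule that `/etc/guacamole` only applies when `~/.guacamole` is absent is my reading of the 0.9.14 change and should be treated as an assumption.

```python
"""Work out which directory Guacamole would treat as GUACAMOLE_HOME and what it
would find there. Added example, not Guacamole's own code; the precedence is my
reading of the explanation in this thread."""
import tempfile
from pathlib import Path


def parse_catalina_properties(text):
    """Minimal key=value parser for catalina.properties (comments, blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def resolve_guacamole_home(system_props, env, tomcat_home, etc_fallback=True):
    """Return (path, reason) for the directory Guacamole would use.

    Precedence, per the thread:
      1. guacamole.home system property (catalina.properties)
      2. GUACAMOLE_HOME environment variable set before Tomcat starts
      3. $HOME/.guacamole of the user Tomcat runs as
      4. /etc/guacamole (0.9.14-incubating fallback; ASSUMED to apply only when
         $HOME/.guacamole does not exist). Pass etc_fallback=False for 0.9.13.
    """
    if system_props.get("guacamole.home"):
        return Path(system_props["guacamole.home"]), "guacamole.home system property"
    if env.get("GUACAMOLE_HOME"):
        return Path(env["GUACAMOLE_HOME"]), "GUACAMOLE_HOME environment variable"
    dot_dir = Path(tomcat_home) / ".guacamole"
    if etc_fallback and not dot_dir.is_dir():
        return Path("/etc/guacamole"), "/etc/guacamole fallback (0.9.14-incubating and later)"
    return dot_dir, "$HOME/.guacamole of the Tomcat user"


def check_layout(guac_home):
    """Report what Guacamole would find under guac_home: the properties file and
    the jars in guac_home/extensions. A jar that lives under a *different*
    candidate directory is exactly the mismatch described in the thread."""
    guac_home = Path(guac_home)
    ext_dir = guac_home / "extensions"
    jars = sorted(p.name for p in ext_dir.glob("*.jar")) if ext_dir.is_dir() else []
    return {
        "home": str(guac_home),
        "properties_present": (guac_home / "guacamole.properties").is_file(),
        "extensions_dir_present": ext_dir.is_dir(),
        "extensions": jars,
        "ldap_loaded": any("ldap" in name.lower() for name in jars),
    }


def make_sample_home():
    """CONSTRUCTED layout for an offline demo: a fake Tomcat home whose
    .guacamole holds guacamole.properties and an LDAP extension jar.
    Returns (root, tomcat_home)."""
    root = Path(tempfile.mkdtemp(prefix="guac-demo-"))
    tomcat_home = root / "tomcat"
    guac = tomcat_home / ".guacamole"
    (guac / "extensions").mkdir(parents=True)
    (guac / "guacamole.properties").write_text("ldap-hostname: ldap.example.test\n")
    (guac / "extensions" / "guacamole-auth-ldap-0.9.13-incubating.jar").write_bytes(b"")
    return root, tomcat_home


if __name__ == "__main__":
    root, tomcat_home = make_sample_home()
    # Nothing overridden: the jar under ~/.guacamole is found.
    home, why = resolve_guacamole_home({}, {}, tomcat_home)
    print(why, check_layout(home))
    # Same box with GUACAMOLE_HOME=/etc/guacamole: that jar is now ignored.
    home, why = resolve_guacamole_home({}, {"GUACAMOLE_HOME": "/etc/guacamole"}, tomcat_home)
    print(why, check_layout(home))
```

On a real server you would feed `parse_catalina_properties(open("/etc/tomcat/catalina.properties").read())`, Tomcat's actual environment and the Tomcat user's home directory into `resolve_guacamole_home`, then compare the `extensions` list it reports with where the LDAP jar was actually copied.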




Re: Configuring LDAP

Posted by Mike Jumper <mi...@guac-dev.org>.
Which log are these messages from?

- Mike


On Mon, Nov 13, 2017 at 12:55 PM, <ha...@faa.gov> wrote:

> OK, here goes:  https://pastebin.com/Be35FaN6
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Mike Jumper [mailto:mike.jumper@guac-dev.org]
> *Sent:* Monday, November 13, 2017 3:49 PM
>
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Don't send it to me directly off-list - things really need to be kept
> on-list.
>
>
>
> pastebin or a GitHub gist are decent choices. You could also paste the
> logs directly into a new email. I don't recommend trying to attach the
> logs, as attachments are sometimes filtered away.
>
>
>
>
>
> On Mon, Nov 13, 2017 at 12:44 PM, <ha...@faa.gov> wrote:
>
> Any place in particular?  Not really sure where I can put something like
> that.  Can I send it to you off-list?
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Mike Jumper [mailto:mike.jumper@guac-dev.org]
> *Sent:* Monday, November 13, 2017 2:02 PM
>
>
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Following a restart of Tomcat, can you post the entire Tomcat log
> somewhere, at least the portion which follows that restart?
>
>
>
> - Mike
>
>
>
>
>
> On Mon, Nov 13, 2017 at 10:51 AM, <ha...@faa.gov> wrote:
>
> I tried to add GUACAMOLE_HOME=”/etc/guacamole” into
> /etc/tomcat/tomcat.conf and restarting Tomcat, but that didn’t work.
> Instead of getting “Login failed” on the page, the page did nothing.  So I
> backed that out and restarted everything, and can’t log in at all.  I enter
> the guacadmin user and password and click Login, and nothing happens.  I do
> see a successful login message in /var/log/messages, but the page doesn’t
> redirect me anywhere any longer.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Devine, Harry (FAA)
> *Sent:* Monday, November 13, 2017 8:49 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> Well, I tried moving the extensions to /etc/guacamole and restarting
> Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.
> Where do I set that in catalina.properties?  That’s my next step.  Also,
> when I try to log in, I do see the following error in the log (I masked out
> the IP and the user name):
>
>
>
> Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> xxx.xxx.xxx.xxx for user "user" failed.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vnick@apache.org <vn...@apache.org>]
> *Sent:* Monday, November 13, 2017 8:05 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Mon, Nov 13, 2017 at 7:55 AM, <ha...@faa.gov> wrote:
>
> I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP
> loading.  I have the 0.9.13 LDAP extension at /usr/share/tomcat/.guacamole/extensions.
> Is that the proper directory for it?  I’m pretty sure that’s where the user
> guide said to put it.  I also have the pertinent LDAP parameters set in the
> guacamole.properties file at /etc/guacamole.
>
>
>
> In 0.9.13-incubating, if you downloaded the release from the website, then
> the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.
> Double-check and make sure that's the Tomcat user's home directory.  You
> can also change the GUACAMOLE_HOME via either the guacamole.home property
> in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME
> environment variable before starting Tomcat.  This changes slightly in
> 0.9.14-incubating (git repo), with /etc/guacamole becoming the
> fallback-default location.
>
>
>
> If you have guacamole.properties in /etc/guacamole, and you can
> successfully change other items in that file and see the changes take
> effect, then I believe your GUACAMOLE_HOME is probably configured for
> /etc/guacamole, in which case your extensions should be in
> /etc/guacamole/extensions.  So, you might try creating that directory,
> placing the LDAP extension there, and then restarting Tomcat.
>
>
>
> -Nick
>
>
>
>
>

RE: Configuring LDAP

Posted by ha...@faa.gov.
OK, here goes:  https://pastebin.com/Be35FaN6

Thanks,
Harry

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Monday, November 13, 2017 3:49 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

Don't send it to me directly off-list - things really need to be kept on-list.

pastebin or a GitHub gist are decent choices. You could also paste the logs directly into a new email. I don't recommend trying to attach the logs, as attachments are sometimes filtered away.


On Mon, Nov 13, 2017 at 12:44 PM, <ha...@faa.gov> wrote:
Any place in particular?  Not really sure where I can put something like that.  Can I send it to you off-list?

Thanks,
Harry

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Monday, November 13, 2017 2:02 PM

To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

Following a restart of Tomcat, can you post the entire Tomcat log somewhere, at least the portion which follows that restart?

- Mike


On Mon, Nov 13, 2017 at 10:51 AM, <ha...@faa.gov> wrote:
I tried to add GUACAMOLE_HOME=”/etc/guacamole” into /etc/tomcat/tomcat.conf and restarting Tomcat, but that didn’t work.  Instead of getting “Login failed” on the page, the page did nothing.  So I backed that out and restarted everything, and can’t log in at all.  I enter the guacadmin user and password and click Login, and nothing happens.  I do see a successful login message in /var/log/messages, but the page doesn’t redirect me anywhere any longer.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 13, 2017 8:49 AM
To: user@guacamole.incubator.apache.org
Subject: RE: Configuring LDAP

Well, I tried moving the extensions to /etc/guacamole and restarting Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.  Where do I set that in catalina.properties?  That’s my next step.  Also, when I try to log in, I do see the following error in the log (I masked out the IP and the user name):

Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "user" failed.

Thanks,
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Monday, November 13, 2017 8:05 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 13, 2017 at 7:55 AM, <ha...@faa.gov> wrote:
I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP loading.  I have the 0.9.13 LDAP extension at /usr/share/tomcat/.guacamole/extensions.  Is that the proper directory for it?  I’m pretty sure that’s where the user guide said to put it.  I also have the pertinent LDAP parameters set in the guacamole.properties file at /etc/guacamole.

In 0.9.13-incubating, if you downloaded the release from the website, then the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.  Double-check and make sure that's the Tomcat user's home directory.  You can also change the GUACAMOLE_HOME via either the guacamole.home property in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME environment variable before starting Tomcat.  This changes slightly in 0.9.14-incubating (git repo), with /etc/guacamole becoming the fallback-default location.

If you have guacamole.properties in /etc/guacamole, and you can successfully change other items in that file and see the changes take effect, then I believe your GUACAMOLE_HOME is probably configured for /etc/guacamole, in which case your extensions should be in /etc/guacamole/extensions.  So, you might try creating that directory, placing the LDAP extension there, and then restarting Tomcat.

-Nick
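
The `o.a.g.r.auth.AuthenticationService` line Harry quotes from /var/log/messages is also the line a defender watches: one failure per login attempt, with the source address and the user name. The following is an added example, not from this thread or the Guacamole project, that parses those lines, counts failures per source, and flags a source that succeeds only after a run of failures. The sample log lines are constructed (RFC 5737 documentation addresses), and the format of the success message is an assumption.

```python
"""Parse Guacamole AuthenticationService lines out of a syslog file and
summarize failed logins per source. Added example, not Guacamole's own code."""
import re
from collections import Counter, defaultdict

# Format copied from the thread: syslog prefix, Tomcat thread, level, logger, message.
FAILED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?'
    r'o\.a\.g\.r\.auth\.AuthenticationService - '
    r'Authentication attempt from (?P<src>\S+) for user "(?P<user>[^"]*)" failed\.'
)
# ASSUMED format of the matching success message (not shown in the thread).
SUCCESS_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?'
    r'o\.a\.g\.r\.auth\.AuthenticationService - '
    r'User "(?P<user>[^"]*)" successfully authenticated from (?P<src>\S+)\.'
)

# CONSTRUCTED sample of /var/log/messages; addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.0.2.10 for user "harry" failed.
Nov 13 08:32:41 access server: 08:32:41.002 [http-bio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService - User "harry" successfully authenticated from 192.0.2.10.
Nov 13 08:40:01 access server: 08:40:01.118 [http-bio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.7 for user "guacadmin" failed.
Nov 13 08:40:02 access server: 08:40:02.204 [http-bio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.7 for user "admin" failed.
Nov 13 08:40:03 access server: 08:40:03.377 [http-bio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.7 for user "root" failed.
Nov 13 08:40:09 access server: 08:40:09.510 [http-bio-8080-exec-4] INFO  o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from 198.51.100.7.
Nov 13 08:41:00 access systemd: Started Session 42 of user root.
"""


def parse_auth_events(lines):
    """Return a list of {'ts', 'src', 'user', 'ok'} dicts, skipping unrelated lines."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "src": m["src"], "user": m["user"], "ok": False})
            continue
        m = SUCCESS_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "src": m["src"], "user": m["user"], "ok": True})
    return events


def summarize(events, threshold=3):
    """Count failures per source and flag (a) sources at or above threshold and
    (b) successes preceded by at least threshold failures from the same source,
    the pattern worth an analyst's attention. A single typo-then-success is not flagged."""
    failures_by_src = Counter()
    users_by_src = defaultdict(set)
    success_after_failures = []
    for e in events:
        if e["ok"]:
            prior = failures_by_src[e["src"]]
            if prior >= threshold:
                success_after_failures.append(
                    {"src": e["src"], "user": e["user"], "prior_failures": prior})
        else:
            failures_by_src[e["src"]] += 1
            users_by_src[e["src"]].add(e["user"])
    return {
        "failures_by_src": dict(failures_by_src),
        "users_tried_by_src": {s: sorted(u) for s, u in users_by_src.items()},
        "sources_over_threshold": sorted(s for s, n in failures_by_src.items() if n >= threshold),
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    report = summarize(parse_auth_events(SAMPLE_LOG.splitlines()))
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it over a live system, replace `SAMPLE_LOG.splitlines()` with the lines of /var/log/messages (or the catalina log, depending on where Tomcat's output lands on the distribution); the threshold is a tunable, and a production deployment would add a time window rather than counting over the whole file.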



Re: Configuring LDAP

Posted by Mike Jumper <mi...@guac-dev.org>.
Don't send it to me directly off-list - things really need to be kept
on-list.

pastebin or a GitHub gist are decent choices. You could also paste the logs
directly into a new email. I don't recommend trying to attach the logs, as
attachments are sometimes filtered away.


On Mon, Nov 13, 2017 at 12:44 PM, <ha...@faa.gov> wrote:

> Any place in particular?  Not really sure where I can put something like
> that.  Can I send it to you off-list?
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Mike Jumper [mailto:mike.jumper@guac-dev.org]
> *Sent:* Monday, November 13, 2017 2:02 PM
>
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Following a restart of Tomcat, can you post the entire Tomcat log
> somewhere, at least the portion which follows that restart?
>
>
>
> - Mike
>
>
>
>
>
> On Mon, Nov 13, 2017 at 10:51 AM, <ha...@faa.gov> wrote:
>
> I tried to add GUACAMOLE_HOME=”/etc/guacamole” into
> /etc/tomcat/tomcat.conf and restarting Tomcat, but that didn’t work.
> Instead of getting “Login failed” on the page, the page did nothing.  So I
> backed that out and restarted everything, and can’t log in at all.  I enter
> the guacadmin user and password and click Login, and nothing happens.  I do
> see a successful login message in /var/log/messages, but the page doesn’t
> redirect me anywhere any longer.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Devine, Harry (FAA)
> *Sent:* Monday, November 13, 2017 8:49 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> Well, I tried moving the extensions to /etc/guacamole and restarting
> Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.
> Where do I set that in catalina.properties?  That’s my next step.  Also,
> when I try to log in, I do see the following error in the log (I masked out
> the IP and the user name):
>
>
>
> Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> xxx.xxx.xxx.xxx for user "user" failed.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vnick@apache.org <vn...@apache.org>]
> *Sent:* Monday, November 13, 2017 8:05 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Mon, Nov 13, 2017 at 7:55 AM, <ha...@faa.gov> wrote:
>
> I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP
> loading.  I have the 0.9.13 LDAP extension at /usr/share/tomcat/.guacamole/extensions.
> Is that the proper directory for it?  I’m pretty sure that’s where the user
> guide said to put it.  I also have the pertinent LDAP parameters set in the
> guacamole.properties file at /etc/guacamole.
>
>
>
> In 0.9.13-incubating, if you downloaded the release from the website, then
> the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.
> Double-check and make sure that's the Tomcat user's home directory.  You
> can also change the GUACAMOLE_HOME via either the guacamole.home property
> in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME
> environment variable before starting Tomcat.  This changes slightly in
> 0.9.14-incubating (git repo), with /etc/guacamole becoming the
> fallback-default location.
>
>
>
> If you have guacamole.properties in /etc/guacamole, and you can
> successfully change other items in that file and see the changes take
> effect, then I believe your GUACAMOLE_HOME is probably configured for
> /etc/guacamole, in which case your extensions should be in
> /etc/guacamole/extensions.  So, you might try creating that directory,
> placing the LDAP extension there, and then restarting Tomcat.
>
>
>
> -Nick
>
>
>

RE: Configuring LDAP

Posted by ha...@faa.gov.
Any place in particular?  Not really sure where I can put something like that.  Can I send it to you off-list?

Thanks,
Harry

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Monday, November 13, 2017 2:02 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

Following a restart of Tomcat, can you post the entire Tomcat log somewhere, at least the portion which follows that restart?

- Mike


On Mon, Nov 13, 2017 at 10:51 AM, <ha...@faa.gov> wrote:
I tried to add GUACAMOLE_HOME=”/etc/guacamole” into /etc/tomcat/tomcat.conf and restarting Tomcat, but that didn’t work.  Instead of getting “Login failed” on the page, the page did nothing.  So I backed that out and restarted everything, and can’t log in at all.  I enter the guacadmin user and password and click Login, and nothing happens.  I do see a successful login message in /var/log/messages, but the page doesn’t redirect me anywhere any longer.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 13, 2017 8:49 AM
To: user@guacamole.incubator.apache.org
Subject: RE: Configuring LDAP

Well, I tried moving the extensions to /etc/guacamole and restarting Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.  Where do I set that in catalina.properties?  That’s my next step.  Also, when I try to log in, I do see the following error in the log (I masked out the IP and the user name):

Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "user" failed.

Thanks,
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Monday, November 13, 2017 8:05 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 13, 2017 at 7:55 AM, <ha...@faa.gov> wrote:
I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP loading.  I have the 0.9.13 LDAP extension at /usr/share/tomcat/.guacamole/extensions.  Is that the proper directory for it?  I’m pretty sure that’s where the user guide said to put it.  I also have the pertinent LDAP parameters set in the guacamole.properties file at /etc/guacamole.

In 0.9.13-incubating, if you downloaded the release from the website, then the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.  Double-check and make sure that's the Tomcat user's home directory.  You can also change the GUACAMOLE_HOME via either the guacamole.home property in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME environment variable before starting Tomcat.  This changes slightly in 0.9.14-incubating (git repo), with /etc/guacamole becoming the fallback-default location.

If you have guacamole.properties in /etc/guacamole, and you can successfully change other items in that file and see the changes take effect, then I believe your GUACAMOLE_HOME is probably configured for /etc/guacamole, in which case your extensions should be in /etc/guacamole/extensions.  So, you might try creating that directory, placing the LDAP extension there, and then restarting Tomcat.

-Nick


Re: Configuring LDAP

Posted by Mike Jumper <mi...@guac-dev.org>.
Following a restart of Tomcat, can you post the entire Tomcat log
somewhere, at least the portion which follows that restart?

- Mike


On Mon, Nov 13, 2017 at 10:51 AM, <ha...@faa.gov> wrote:

> I tried to add GUACAMOLE_HOME=”/etc/guacamole” into
> /etc/tomcat/tomcat.conf and restarting Tomcat, but that didn’t work.
> Instead of getting “Login failed” on the page, the page did nothing.  So I
> backed that out and restarted everything, and can’t log in at all.  I enter
> the guacadmin user and password and click Login, and nothing happens.  I do
> see a successful login message in /var/log/messages, but the page doesn’t
> redirect me anywhere any longer.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Devine, Harry (FAA)
> *Sent:* Monday, November 13, 2017 8:49 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> Well, I tried moving the extensions to /etc/guacamole and restarting
> Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.
> Where do I set that in catalina.properties?  That’s my next step.  Also,
> when I try to log in, I do see the following error in the log (I masked out
> the IP and the user name):
>
>
>
> Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> xxx.xxx.xxx.xxx for user "user" failed.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vnick@apache.org]
> *Sent:* Monday, November 13, 2017 8:05 AM
> *To:* user@guacamole.incubator.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Mon, Nov 13, 2017 at 7:55 AM, <ha...@faa.gov> wrote:
>
> I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP
> loading.  I have the 0.9.13 LDAP extension at /usr/share/tomcat/.guacamole/extensions.
> Is that the proper directory for it?  I’m pretty sure that’s where the user
> guide said to put it.  I also have the pertinent LDAP parameters set in the
> guacamole.properties file at /etc/guacamole.
>
>
>
> In 0.9.13-incubating, if you downloaded the release from the website, then
> the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.
> Double-check and make sure that's the Tomcat user's home directory.  You
> can also change the GUACAMOLE_HOME via either the guacamole.home property
> in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME
> environment variable before starting Tomcat.  This changes slightly in
> 0.9.14-incubating (git repo), with /etc/guacamole becoming the
> fallback-default location.
>
>
>
> If you have guacamole.properties in /etc/guacamole, and you can
> successfully change other items in that file and see the changes take
> effect, then I believe your GUACAMOLE_HOME is probably configured for
> /etc/guacamole, in which case your extensions should be in
> /etc/guacamole/extensions.  So, you might try creating that directory,
> placing the LDAP extension there, and then restarting Tomcat.
>
>
>
> -Nick
>

RE: Configuring LDAP

Posted by ha...@faa.gov.
I tried to add GUACAMOLE_HOME=”/etc/guacamole” into /etc/tomcat/tomcat.conf and restarted Tomcat, but that didn’t work.  Instead of getting “Login failed” on the page, the page did nothing.  So I backed that out and restarted everything, and can’t log in at all.  I enter the guacadmin user and password and click Login, and nothing happens.  I do see a successful login message in /var/log/messages, but the page doesn’t redirect me anywhere any longer.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 13, 2017 8:49 AM
To: user@guacamole.incubator.apache.org
Subject: RE: Configuring LDAP

Well, I tried moving the extensions to /etc/guacamole and restarting Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.  Where do I set that in catalina.properties?  That’s my next step.  Also, when I try to log in, I do see the following error in the log (I masked out the IP and the user name):

Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "user" failed.

Thanks,
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Monday, November 13, 2017 8:05 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 13, 2017 at 7:55 AM, <ha...@faa.gov> wrote:
I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP loading.  I have the 0.9.13 LDAP extension at /usr/share/tomcat/.guacamole/extensions.  Is that the proper directory for it?  I’m pretty sure that’s where the user guide said to put it.  I also have the pertinent LDAP parameters set in the guacamole.properties file at /etc/guacamole.

In 0.9.13-incubating, if you downloaded the release from the website, then the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.  Double-check and make sure that's the Tomcat user's home directory.  You can also change the GUACAMOLE_HOME via either the guacamole.home property in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME environment variable before starting Tomcat.  This changes slightly in 0.9.14-incubating (git repo), with /etc/guacamole becoming the fallback-default location.

If you have guacamole.properties in /etc/guacamole, and you can successfully change other items in that file and see the changes take effect, then I believe your GUACAMOLE_HOME is probably configured for /etc/guacamole, in which case your extensions should be in /etc/guacamole/extensions.  So, you might try creating that directory, placing the LDAP extension there, and then restarting Tomcat.

-Nick

RE: Configuring LDAP

Posted by ha...@faa.gov.
Well, I tried moving the extensions to /etc/guacamole and restarting Tomcat and guacamole, and I still don’t see LDAP referenced in the logs.  Where do I set that in catalina.properties?  That’s my next step.  Also, when I try to log in, I do see the following error in the log (I masked out the IP and the user name):

Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "user" failed.

Thanks,
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Monday, November 13, 2017 8:05 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 13, 2017 at 7:55 AM, <ha...@faa.gov> wrote:
I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP loading.  I have the 0.9.13 LDAP extension at /usr/share/tomcat/.guacamole/extensions.  Is that the proper directory for it?  I’m pretty sure that’s where the user guide said to put it.  I also have the pertinent LDAP parameters set in the guacamole.properties file at /etc/guacamole.

In 0.9.13-incubating, if you downloaded the release from the website, then the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.  Double-check and make sure that's the Tomcat user's home directory.  You can also change the GUACAMOLE_HOME via either the guacamole.home property in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME environment variable before starting Tomcat.  This changes slightly in 0.9.14-incubating (git repo), with /etc/guacamole becoming the fallback-default location.

If you have guacamole.properties in /etc/guacamole, and you can successfully change other items in that file and see the changes take effect, then I believe your GUACAMOLE_HOME is probably configured for /etc/guacamole, in which case your extensions should be in /etc/guacamole/extensions.  So, you might try creating that directory, placing the LDAP extension there, and then restarting Tomcat.

-Nick

Re: Configuring LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Nov 13, 2017 at 7:55 AM, <ha...@faa.gov> wrote:

> I just restarted Guacamole and Tomcat, and I don’t see anything about LDAP
> loading.  I have the 0.9.13 LDAP extension at /usr/share/tomcat/.guacamole/extensions.
> Is that the proper directory for it?  I’m pretty sure that’s where the user
> guide said to put it.  I also have the pertinent LDAP parameters set in the
> guacamole.properties file at /etc/guacamole.
>

In 0.9.13-incubating, if you downloaded the release from the website, then
the default GUACAMOLE_HOME will be the $HOME/.guacamole directory.
Double-check and make sure that's the Tomcat user's home directory.  You
can also change the GUACAMOLE_HOME via either the guacamole.home property
in Tomcat's catalina.properties file, or by setting the GUACAMOLE_HOME
environment variable before starting Tomcat.  This changes slightly in
0.9.14-incubating (git repo), with /etc/guacamole becoming the
fallback-default location.

If you have guacamole.properties in /etc/guacamole, and you can
successfully change other items in that file and see the changes take
effect, then I believe your GUACAMOLE_HOME is probably configured for
/etc/guacamole, in which case your extensions should be in
/etc/guacamole/extensions.  So, you might try creating that directory,
placing the LDAP extension there, and then restarting Tomcat.

-Nick

RE: Configuring LDAP

Posted by ha...@faa.gov.
I just restarted Guacamole and Tomcat, and I don't see anything about LDAP loading.  I have the 0.9.13 LDAP extension at /usr/share/tomcat/.guacamole/extensions.  Is that the proper directory for it?  I'm pretty sure that's where the user guide said to put it.  I also have the pertinent LDAP parameters set in the guacamole.properties file at /etc/guacamole.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Thursday, November 09, 2017 8:37 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP


I won't be back in the office until Monday so I'll look and provide that then, if that's OK.



Thanks,

Harry

________________________________
From: Mike Jumper <mi...@guac-dev.org>
Sent: Thursday, November 9, 2017 8:21:44 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

On Thu, Nov 9, 2017 at 12:45 PM, <ha...@faa.gov> wrote:
I'm trying to configure LDAP to work on our new Guacamole installation.  I followed Chapter 7 in the user guide, but I still can't get it to work.  When I enter a user name and the password that I know exists in our LDAP (which is running on RHEL 7 using IDM), and click the Login button, nothing happens.  No errors, no visual clues, nothing.  I look at the logs on the server and get zero errors or indications that it even attempted it.

There will not be visual clues, as such details are not exposed at the user-visible level. There should be log messages, however, including messages indicating that the LDAP authentication extension was loaded. Can you post what you see in the Tomcat logs from the point that Guacamole is starting up until the first pair of login failures (there should be at least two: the first resulting from the default anonymous auth attempt which caused the login dialog to display, and the second from using that login dialog)?

- Mike


Re: Configuring LDAP

Posted by ha...@faa.gov.
I won't be back in the office until Monday so I'll look and provide that then, if that's OK.


Thanks,

Harry

________________________________
From: Mike Jumper <mi...@guac-dev.org>
Sent: Thursday, November 9, 2017 8:21:44 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP

On Thu, Nov 9, 2017 at 12:45 PM, <ha...@faa.gov> wrote:
I’m trying to configure LDAP to work on our new Guacamole installation.  I followed Chapter 7 in the user guide, but I still can’t get it to work.  When I enter a user name and the password that I know exists in our LDAP (which is running on RHEL 7 using IDM), and click the Login button, nothing happens.  No errors, no visual clues, nothing.  I look at the logs on the server and get zero errors or indications that it even attempted it.

There will not be visual clues, as such details are not exposed at the user-visible level. There should be log messages, however, including messages indicating that the LDAP authentication extension was loaded. Can you post what you see in the Tomcat logs from the point that Guacamole is starting up until the first pair of login failures (there should be at least two: the first resulting from the default anonymous auth attempt which caused the login dialog to display, and the second from using that login dialog)?

- Mike


Re: Configuring LDAP

Posted by Mike Jumper <mi...@guac-dev.org>.
On Thu, Nov 9, 2017 at 12:45 PM, <ha...@faa.gov> wrote:

> I’m trying to configure LDAP to work on our new Guacamole installation.  I
> followed Chapter 7 in the user guide, but I still can’t get it to work.
> When I enter a user name and the password that I know exists in our LDAP
> (which is running on RHEL 7 using IDM), and click the Login button, nothing
> happens.  No errors, no visual clues, nothing.  I look at the logs on the
> server and get zero errors or indications that it even attempted it.
>

There will not be visual clues, as such details are not exposed at the
user-visible level. There should be log messages, however, including
messages indicating that the LDAP authentication extension was loaded. Can
you post what you see in the Tomcat logs from the point that Guacamole is
starting up until the first pair of login failures (there should be at
least two: the first resulting from the default anonymous auth attempt
which caused the login dialog to display, and the second from using that
login dialog)?

- Mike
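
Mike's reply gives two concrete things to look for in the Tomcat log: a line recording that the LDAP extension was loaded, and at least two "Authentication attempt ... failed." warnings per login (the anonymous attempt that produces the login dialog, then the dialog submission). The script below is an added example, not Guacamole's own code, that triages a captured log along those lines. The failure line format is the one Harry posted in this thread; the wording of the extension-loaded line is an assumption, so adjust that pattern to what your catalina.out actually prints. The log lines it runs against are constructed for the demo, with documentation-range IP addresses.

```shell
#!/bin/sh
# Added example (not Guacamole's own code): triage a Tomcat/syslog capture for
# the two signals asked for in the thread: an extension-loaded line and the
# per-source count of AuthenticationService failures.
# Assumed: the "Extension ... loaded." wording; the failure line format is the
# one posted in the thread.

# write_sample_log PATH
#   Writes constructed sample lines (not a real capture) to PATH.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 13 08:32:20 access server: 08:32:20.001 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - Extension "LDAP Authentication Backend" loaded.
Nov 13 08:32:27 access server: 08:32:27.900 [http-bio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.0.2.10 for user "user" failed.
Nov 13 08:32:28 access server: 08:32:28.177 [http-bio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.0.2.10 for user "user" failed.
Nov 13 08:33:01 access server: 08:33:01.500 [http-bio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.0.2.11 for user "guacadmin" failed.
Nov 13 08:33:05 access server: 08:33:05.120 [http-bio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService - some unrelated informational line
EOF
}

# extension_loaded LOG NAME
#   Returns 0 if a line records an extension whose display name contains NAME
#   being loaded (assumed wording: Extension "<name>" loaded.), else 1.
extension_loaded() {
    grep -i "Extension \"[^\"]*$2[^\"]*\" loaded" "$1" >/dev/null 2>&1
}

# failed_logins LOG
#   Prints one line per source IP: "<ip> <failure count> <distinct users>",
#   parsed from AuthenticationService "Authentication attempt ... failed." lines.
failed_logins() {
    awk '
        /AuthenticationService - Authentication attempt from .* failed\./ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            match($0, /for user "[^"]*"/)
            user = substr($0, RSTART + 10, RLENGTH - 11)
            count[ip]++
            if (!((ip, user) in seen)) {
                seen[ip, user] = 1
                users[ip] = (users[ip] == "") ? user : users[ip] "," user
            }
        }
        END { for (ip in count) print ip, count[ip], users[ip] }
    ' "$1" | sort
}

# login_reached_backend LOG IP
#   Returns 0 when IP shows at least two failures, i.e. both the anonymous
#   attempt and the dialog submission reached AuthenticationService, as the
#   reply above describes for a normal login flow; 1 otherwise.
login_reached_backend() {
    n=$(failed_logins "$1" | awk -v ip="$2" '$1 == ip { print $2 }')
    [ "${n:-0}" -ge 2 ]
}

# Demo against the constructed sample, then clean up.
log=$(mktemp)
write_sample_log "$log"
if extension_loaded "$log" "LDAP"; then
    echo "LDAP extension loaded"
else
    echo "no LDAP extension load line: check GUACAMOLE_HOME/extensions"
fi
echo "failed logins by source (ip count users):"
failed_logins "$log"
rm -f "$log"
```

When run against a real catalina.out or /var/log/messages capture, a source with a single failure for the username you typed means the dialog submission never reached AuthenticationService, which points at the client side or the token request rather than at LDAP itself.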