Posted to user@guacamole.apache.org by Daniëls, Tom <Da...@buas.nl> on 2020/01/17 10:46:59 UTC

LDAP/MySQL extensions not being loaded

Dear Guacamole List users,

I have installed Guacamole on Ubuntu 18.04.3 LTS and am trying to implement Active Directory authentication without schema changes, so I have installed both the MySQL (guacamole-auth-02-jdbc-mysql-1.0.0.jar) and the LDAP extension (guacamole-auth-ldap-1.0.0.jar) in /etc/guacamole/extensions. I have also placed mysql-connector-java-8.0.19.jar in /etc/guacamole/lib. When starting Tomcat (9.0.30 with OpenJDK 11.0.5) I only see mention of org.apache.guacamole.auth.file.FileAuthenticationProvider being loaded in Catalina.out, so it appears both auth jars are completely ignored even though the user Tomcat is running under (tomcat) is the owner of the jar files in that directory.

When running

mysql -u guacamole_user -p --database=guacamole_db

I am able to connect to the database without issue, so this seems to be an issue with the guacamole.war. Guacamole does work with the user settings set in /etc/guacamole/user-mapping.xml, but user guacadmin (which should have been created by 002-create-admin-user.sql) does not, so it indeed seems like Guacamole is completely ignoring the extensions dir.
Anyone have any pointers on how to troubleshoot and/or fix this?

/etc/guacamole/guacamole.properties:
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822

# Properties used by BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml

# MySQL properties
auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: [password_omitted]

MySQL:
mysql -u guacamole_user -p --database=guacamole_db
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.28-0ubuntu0.18.04.4 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables;
+---------------------------------------+
| Tables_in_guacamole_db                |
+---------------------------------------+
| guacamole_connection                  |
| guacamole_connection_attribute        |
| guacamole_connection_group            |
| guacamole_connection_group_attribute  |
| guacamole_connection_group_permission |
| guacamole_connection_history          |
| guacamole_connection_parameter        |
| guacamole_connection_permission       |
| guacamole_entity                      |
| guacamole_sharing_profile             |
| guacamole_sharing_profile_attribute   |
| guacamole_sharing_profile_parameter   |
| guacamole_sharing_profile_permission  |
| guacamole_system_permission           |
| guacamole_user                        |
| guacamole_user_attribute              |
| guacamole_user_group                  |
| guacamole_user_group_attribute        |
| guacamole_user_group_member           |
| guacamole_user_group_permission       |
| guacamole_user_history                |
| guacamole_user_password_history       |
| guacamole_user_permission             |
+---------------------------------------+
23 rows in set (0.00 sec)

Catalina.out:
17-Jan-2020 09:24:49.858 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.30]
17-Jan-2020 09:24:49.876 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/usr/local/apache-tomcat9.0.30/webapps/guacamole.war]
17-Jan-2020 09:24:50.818 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
09:24:51.169 [main] INFO  o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
09:24:51.257 [main] INFO  o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes of inactivity.
09:24:51.321 [main] INFO  org.apache.guacamole.log.LogModule - Loading logback configuration from "/etc/guacamole/logback.xml".
09:24:51.363 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "nl"
09:24:51.363 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "en"
09:24:51.363 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "fr"
09:24:51.364 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "ru"
09:24:51.364 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "de"
09:24:51.364 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "no"
09:24:51.364 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "es"
09:24:51.365 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "it"
09:24:51.367 [main] DEBUG o.a.g.extension.ExtensionModule - [0] Binding AuthenticationProvider "org.apache.guacamole.auth.file.FileAuthenticationProvider".
09:24:51.387 [main] INFO  o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
09:24:51.512 [main] INFO  o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
09:24:51.524 [main] DEBUG o.a.guacamole.tunnel.TunnelModule - WebSocket module loaded: org.apache.guacamole.tunnel.websocket.WebSocketTunnelModule
17-Jan-2020 09:24:51.920 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.RESTExceptionMapper as a provider class
17-Jan-2020 09:24:51.922 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.extension.ExtensionRESTService as a root resource class
17-Jan-2020 09:24:51.923 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.language.LanguageRESTService as a root resource class
17-Jan-2020 09:24:51.923 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.patch.PatchRESTService as a root resource class
17-Jan-2020 09:24:51.923 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.auth.TokenRESTService as a root resource class
17-Jan-2020 09:24:51.923 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.session.SessionRESTService as a root resource class
17-Jan-2020 09:24:51.924 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.codehaus.jackson.jaxrs.JacksonJsonProvider as a provider class
17-Jan-2020 09:24:51.926 INFO [main] com.sun.jersey.server.impl.application.WebApplicationImpl._initiate Initiating Jersey application, version 'Jersey: 1.17.1 02/28/2013 12:47 PM'
17-Jan-2020 09:24:51.991 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.RESTExceptionMapper to GuiceManagedComponentProvider with the scope "Singleton"
17-Jan-2020 09:24:51.993 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.codehaus.jackson.jaxrs.JacksonJsonProvider to GuiceManagedComponentProvider with the scope "Singleton"
17-Jan-2020 09:24:52.417 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.extension.ExtensionRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
17-Jan-2020 09:24:52.421 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.language.LanguageRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
17-Jan-2020 09:24:52.422 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.patch.PatchRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
17-Jan-2020 09:24:52.425 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.auth.TokenRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
17-Jan-2020 09:24:52.426 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.session.SessionRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
17-Jan-2020 09:24:52.439 INFO [main] org.webjars.servlet.WebjarsServlet.init WebjarsServlet initialization completed
17-Jan-2020 09:24:52.451 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/usr/local/apache-tomcat9.0.30/webapps/guacamole.war] has finished in [2,575] ms
17-Jan-2020 09:24:52.453 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
17-Jan-2020 09:24:52.466 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
17-Jan-2020 09:24:52.475 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [2,725] milliseconds

/etc/guacamole:
ls -al /etc/guacamole
total 28
drwxr-xr-x   4 tomcat tomcat 4096 Jan 17 10:34 .
drwxr-xr-x 100 root   root   4096 Jan 17 06:44 ..
drw-r-----   2 tomcat tomcat 4096 Jan 17 10:41 extensions
-rw-r-----   1 tomcat tomcat 1427 Jan 17 08:00 guacamole.properties
drw-r-----   2 tomcat tomcat 4096 Jan 17 10:05 lib
-rw-r-----   1 tomcat tomcat  400 Jan 17 08:05 logback.xml
-rw-r--r--   1 tomcat tomcat  888 Jan 17 08:06 user-mapping.xml

ls -al /etc/guacamole/extensions/
total 6104
drw-r----- 2 tomcat tomcat    4096 Jan 17 10:41 .
drwxr-xr-x 4 tomcat tomcat    4096 Jan 17 10:34 ..
-rw-r--r-- 1 tomcat tomcat 5026785 Jan  9 09:25 guacamole-auth-02-jdbc-mysql-1.0.0.jar
-rw-r--r-- 1 tomcat tomcat 1211422 Jan  9 09:28 guacamole-auth-ldap-1.0.0.jar


ls -al /etc/guacamole/lib/
total 3292
drw-r----- 2 tomcat tomcat    4096 Jan 17 10:05 .
drwxr-xr-x 4 tomcat tomcat    4096 Jan 17 10:34 ..
-rw-r--r-- 1 tomcat tomcat 2356711 Jan 17 07:48 mysql-connector-java-8.0.19.jar

Re: LDAP/MySQL extensions not being loaded

Posted by Mike Jumper <mi...@glyptodon.com>.
On Sun, Jan 19, 2020 at 10:40 PM Daniëls, Tom <Da...@buas.nl> wrote:

> Dear Mike,
>
>
>
> Thank you so much, I was unaware that I needed to set the execute bits and
> was almost literally pulling out my hair.
>

Excellent. Glad it solved things.


> I did not see this bit in the manual, could it be a good idea to add this
> specific info at https://guacamole.apache.org/doc/gug/ ?
>

No, not in this case. This is not specific to Guacamole; it's simply how
UNIX-style permissions work. You need "read" permission to list the files
contained within a directory and "execute" permission to access any of
those files.

$ mkdir foo
$ echo "hello" > foo/test.txt
$

$ chmod 500 foo # dr-x------
$ ls -l foo
total 4
-rw-r--r--. 1 mjumper users 6 Jan 19 23:03 test.txt
$ cat foo/test.txt
hello
$

$ chmod 400 foo # dr--------
$ ls -l foo
ls: cannot access 'foo/test.txt': Permission denied
total 0
-????????? ? ? ? ?            ? test.txt
$ cat foo/test.txt
cat: foo/test.txt: Permission denied
$

$ chmod 100 foo # d--x------
$ ls -l foo
ls: cannot open directory 'foo': Permission denied
$ cat foo/test.txt
hello
$


- Mike
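A check for the permission problem Mike describes, added here as an example that is not part of the thread or of the Guacamole project: starting from GUACAMOLE_HOME it walks down to one extension jar and reports, from the mode bits alone, the first directory that a given permission class cannot search, or the file it cannot read. The function names, the base directory, the relative jar path and the "u/g/o" class argument are this example's own choices; it assumes `ls -ld` prints the ten-character mode string first, and that the account being reasoned about is not root, since root ignores these bits.

```shell
#!/bin/sh
# Added example, not from the thread or the Guacamole project.
# reach_check BASE RELPATH CLASS
#   Verifies that permission class CLASS (u = owner, g = group, o = others)
#   can search every directory from BASE down to BASE/RELPATH and can read
#   the file itself, judged from the mode bits that "ls -ld" prints. Pick
#   the class that describes how the service account relates to the files
#   (e.g. "g" for a tomcat user that is in the group of root-owned files).
#   Root is not subject to these bits, so reason about the real service user.
#
# Usage: sh reach_check.sh /etc/guacamole extensions/guacamole-auth-ldap-1.0.0.jar g

# mode_string PATH -> the 10-character mode, e.g. "drw-r-----", or
# "??????????" when PATH cannot be stat'ed from here at all.
mode_string() {
    m=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$m" ] || m='??????????'
    printf '%s\n' "$m"
}

# has_bit MODESTR CLASS BIT -> exit 0 if BIT (r, w or x) is set for CLASS.
# Setuid/setgid/sticky show as lower-case s or t only when x is also set.
has_bit() {
    case "$2" in
        u) pos=2 ;;
        g) pos=5 ;;
        o) pos=8 ;;
        *) return 1 ;;
    esac
    case "$3" in
        r) off=0 ;;
        w) off=1 ;;
        x) off=2 ;;
        *) return 1 ;;
    esac
    c=$(printf '%s' "$1" | cut -c$((pos + off)))
    case "$3$c" in
        rr|ww|xx|xs|xt) return 0 ;;
        *)              return 1 ;;
    esac
}

# check_dir DIR CLASS -> exit 0 if DIR is searchable (x bit) for CLASS.
check_dir() {
    m=$(mode_string "$1")
    if has_bit "$m" "$2" x; then
        return 0
    fi
    echo "BLOCKED: $1 is $m, no execute (search) bit for class '$2';" \
         "nothing below it can be opened"
    return 1
}

reach_check() {
    base=$1; rel=$2; class=$3
    cur=$base
    check_dir "$cur" "$class" || return 1
    # every directory between BASE and the file needs the x bit as well
    sub=$(dirname "$rel")
    if [ "$sub" != "." ]; then
        old_ifs=$IFS
        IFS=/
        for comp in $sub; do
            IFS=$old_ifs
            cur="$cur/$comp"
            check_dir "$cur" "$class" || return 1
        done
        IFS=$old_ifs
    fi
    # the jar itself only needs to be readable; no x bit is required on it
    m=$(mode_string "$base/$rel")
    if has_bit "$m" "$class" r; then
        echo "OK: $base/$rel is $m, readable for class '$class'"
        return 0
    fi
    echo "BLOCKED: $base/$rel is $m, no read bit for class '$class'"
    return 1
}

if [ $# -eq 3 ]; then
    reach_check "$1" "$2" "$3"
fi
```

Run against the listing in the first message (extensions is `drw-r-----`, owner tomcat) with class `u` and it stops at the extensions directory, which is exactly why the jars never appeared in Catalina.out; the jars themselves are fine with `-rw-r--r--`.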

Re: LDAP/MySQL extensions not being loaded

Posted by Daniëls, Tom <Da...@buas.nl>.
Thanks Mike, Servername was missing one single character…

/walks away slowly to sit in a corner

From: Mike Jumper <mj...@apache.org>
Reply to: "user@guacamole.apache.org" <us...@guacamole.apache.org>
Date: Friday, 24 January 2020 at 09:38
To: "user@guacamole.apache.org" <us...@guacamole.apache.org>
Subject: Re: LDAP/MySQL extensions not being loaded

On Fri, Jan 24, 2020 at 12:18 AM Daniëls, Tom <Da...@buas.nl> wrote:
...

07:37:23.309 [http-nio-8080-exec-2] DEBUG o.a.g.a.ldap.LDAPConnectionService - Failed to connect to LDAP server.

com.novell.ldap.LDAPException: Connect Error

       at com.novell.ldap.Connection.connect(Unknown Source) ~[na:na]

...

Caused by: java.net.UnknownHostException: dom-dc1.dom1.nhtv.nl

The domain name of your Active Directory server is failing to resolve to the IP address of your Active Directory server. Assuming the domain is valid at least on your private network, this likely means the machine running Guacamole is not using the DNS you expect.


...
On the Domain Controller I see no connection coming from the Guac-machine, netstat 2 -an | find "178.20:" returns nothing. In the eventlog I found no logon success/failure for user svc-guacamole.


You won't see any logs on the domain controller because Guacamole cannot connect to it, because the DNS service is not resolving the domain name of the Active Directory server.


...
When I use ldapsearch with the same credentials I get return values so username/password/servername/port etc appear to be completely correct.
ldapsearch -x -b "dc=domain1,dc=nl" -D "svc-guacamole@domain1.nl"  -h [dom1-dc1 IP Address] -W ' test'

Same credentials, perhaps, but not the same parameters. You're using the IP address here.

The issue that you're having with Guacamole vs. ldapsearch is that you gave Guacamole the domain name, and that domain name can't be resolved to its IP.

- Mike


Re: LDAP/MySQL extensions not being loaded

Posted by Mike Jumper <mj...@apache.org>.
On Fri, Jan 24, 2020 at 12:18 AM Daniëls, Tom <Da...@buas.nl> wrote:

> ...
>
> 07:37:23.309 [http-nio-8080-exec-2] DEBUG
> o.a.g.a.ldap.LDAPConnectionService - Failed to connect to LDAP server.
>
> com.novell.ldap.LDAPException: Connect Error
>
>        at com.novell.ldap.Connection.connect(Unknown Source) ~[na:na]
>
> ...
>
> Caused by: java.net.UnknownHostException: dom-dc1.dom1.nhtv.nl
>

The domain name of your Active Directory server is failing to resolve to
the IP address of your Active Directory server. Assuming the domain is
valid at least on your private network, this likely means the machine
running Guacamole is not using the DNS you expect.

...
>
> On the Domain Controller I see no connection coming from the Guac-machine,
> netstat 2 -an | find "178.20:" returns nothing. In the eventlog I found no
> logon success/failure for user svc-guacamole.
>


You won't see any logs on the domain controller because Guacamole cannot
connect to it, because the DNS service is not resolving the domain name of
the Active Directory server.

...
>
> When I use ldapsearch with the same credentials I get return values so
> username/password/servername/port etc appear to be completely correct.
>
> ldapsearch -x -b "dc=domain1,dc=nl" -D "svc-guacamole@domain1.nl"  -h
> [dom1-dc1 IP Address] -W ' test'
>

Same credentials, perhaps, but not the same parameters. You're using the IP
address here.

The issue that you're having with Guacamole vs. ldapsearch is that you gave
Guacamole the domain name, and that domain name can't be resolved to its IP.

- Mike
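The check Mike's diagnosis calls for, added as an example that is not from the thread or the Guacamole project: read the LDAP settings out of the guacamole.properties file actually in use (rather than retyping the host name, which is how the one-character typo slipped through) and ask the system resolver for the name the same way the JVM will. The function names and the constructed sample written by write_sample are this example's own; the property names are the ones the guacamole-auth-ldap manual documents. Because the thread's log shows "Connection to LDAP server without encryption" and port 389, the check also warns when the bind is going over plaintext, since the search-bind account's password and every user's password then cross the network in clear.

```shell
#!/bin/sh
# Added example, not from the thread or the Guacamole project.
# Reads the LDAP settings from a guacamole.properties file and checks them
# the way the web application will use them: does ldap-hostname resolve
# through this machine's resolver, and is the bind on an encrypted transport?
# Property names follow the guacamole-auth-ldap manual; the sample config
# written by write_sample is constructed for this example.
#
# Usage: sh ldap_config_check.sh /etc/guacamole/guacamole.properties

# get_prop FILE KEY -> value of the first "KEY: value" (or "KEY = value")
# line; comment lines start with '#' and therefore never match.
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# ldap_transport METHOD -> plaintext | ldaps | starttls
# ldap-encryption-method behaves as "none" when it is absent.
ldap_transport() {
    case "${1:-none}" in
        ssl)      echo ldaps ;;
        starttls) echo starttls ;;
        *)        echo plaintext ;;
    esac
}

# is_ip_literal HOST -> exit 0 for a dotted-quad IPv4 literal
is_ip_literal() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
        *)            return 0 ;;
    esac
}

# resolves HOST -> exit 0 if the system resolver knows HOST. The JVM's
# default name lookup goes through the platform resolver (getaddrinfo), so
# this consults the same /etc/hosts and DNS sources and fails where the
# UnknownHostException in the thread came from.
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

check_ldap_config() {
    f=$1; rc=0
    host=$(get_prop "$f" ldap-hostname)
    port=$(get_prop "$f" ldap-port)
    method=$(get_prop "$f" ldap-encryption-method)
    if [ -z "$host" ]; then
        echo "ldap-hostname is not set in $f"
        return 1
    fi
    if is_ip_literal "$host"; then
        echo "ldap-hostname is the IP literal $host; nothing to resolve"
    elif resolves "$host"; then
        echo "ldap-hostname $host resolves"
    else
        echo "ldap-hostname $host does NOT resolve from this machine:" \
             "check the spelling, /etc/resolv.conf and the search domain"
        rc=1
    fi
    case "$(ldap_transport "$method")" in
        plaintext)
            echo "WARNING: ldap-encryption-method is '${method:-unset}';" \
                 "the search-bind password and every user's password are" \
                 "sent in clear to port ${port:-(default)}"
            ;;
        *)
            echo "transport: $(ldap_transport "$method")," \
                 "port ${port:-(default)}"
            ;;
    esac
    return $rc
}

# write_sample FILE -> constructed config mirroring the thread's settings
# (password elided) so the parsing can be exercised offline.
write_sample() {
    cat > "$1" <<'EOF'
# LDAP properties
ldap-user-base-dn: OU=admins,DC=domain1,DC=nl
ldap-hostname: dom-dc1.domain1.nl
ldap-port: 389
ldap-search-bind-dn: CN=svc-guacamole,OU=Serviceaccounts-Onpremise,DC=domain1,DC=nl
ldap-search-bind-password: [password]
ldap-username-attribute: sAMAccountName
EOF
}

if [ $# -eq 1 ]; then
    check_ldap_config "$1"
fi
```

Run it on the Guacamole host as the tomcat user so the resolver and search-domain configuration are the ones the web application sees; a successful ldapsearch from somewhere else, or one given the IP address, says nothing about what the JVM will do with the name in the file.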

Re: LDAP/MySQL extensions not being loaded

Posted by Daniëls, Tom <Da...@buas.nl>.
Hi Mike,

Sorry, your instructions were indeed quite clear; I was just reading them wrong. After chmod +x on both lib and extensions the MySQL and LDAP extensions now both load:

07:37:12.831 [main] DEBUG o.a.g.extension.ExtensionModule - [1] Binding AuthenticationProvider "org.apache.guacamole.auth.mysql.MySQLSharedAuthenticationProvider".

[…]

07:37:12.896 [main] DEBUG o.a.g.extension.ExtensionModule - [2] Binding AuthenticationProvider "org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider".

Thanks so much for that pointer. Logging on with Database users is now working! (guacadmin works)

Hopefully you can help me a little bit more because for the life of me I cannot get Guacamole to actually connect to Active Directory. The following error is seen in Catalina.out when I try to login with an LDAP user:

07:37:23.272 [http-nio-8080-exec-2] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 385835083 ...
07:37:23.272 [http-nio-8080-exec-2] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 385835083 is GOOD!
07:37:23.272 [http-nio-8080-exec-2] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 385835083 to pool.
07:37:23.287 [http-nio-8080-exec-2] DEBUG o.a.g.a.ldap.LDAPConnectionService - Connection to LDAP server without encryption.
07:37:23.301 [http-nio-8080-exec-2] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
07:37:23.309 [http-nio-8080-exec-2] DEBUG o.a.g.a.ldap.LDAPConnectionService - Failed to connect to LDAP server.
com.novell.ldap.LDAPException: Connect Error
       at com.novell.ldap.Connection.connect(Unknown Source) ~[na:na]
       at com.novell.ldap.Connection.connect(Unknown Source) ~[na:na]
       at com.novell.ldap.LDAPConnection.connect(Unknown Source) ~[na:na]
       at org.apache.guacamole.auth.ldap.LDAPConnectionService.bindAs(LDAPConnectionService.java:140) ~[na:na]
       at org.apache.guacamole.auth.ldap.AuthenticationProviderService.getUserBindDN(AuthenticationProviderService.java:110) ~[na:na]
       at org.apache.guacamole.auth.ldap.AuthenticationProviderService.bindAs(AuthenticationProviderService.java:187) ~[na:na]
       at org.apache.guacamole.auth.ldap.AuthenticationProviderService.authenticateUser(AuthenticationProviderService.java:219) ~[na:na]
       at org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider.authenticateUser(LDAPAuthenticationProvider.java:75) ~[na:na]
       at org.apache.guacamole.extension.AuthenticationProviderFacade.authenticateUser(AuthenticationProviderFacade.java:111) ~[classes/:na]
       at org.apache.guacamole.rest.auth.AuthenticationService.authenticateUser(AuthenticationService.java:168) ~[classes/:na]
       at org.apache.guacamole.rest.auth.AuthenticationService.getAuthenticatedUser(AuthenticationService.java:288) ~[classes/:na]
       at org.apache.guacamole.rest.auth.AuthenticationService.authenticate(AuthenticationService.java:441) ~[classes/:na]
       at org.apache.guacamole.rest.auth.TokenRESTService.createToken(TokenRESTService.java:173) ~[classes/:na]
       at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
       at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
       at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
       at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
       at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381) ~[jersey-server-1.17.1.jar:1.17.1]
       at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416) ~[jersey-servlet-1.17.1.jar:1.17.1]
       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538) ~[jersey-servlet-1.17.1.jar:1.17.1]
       at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716) ~[jersey-servlet-1.17.1.jar:1.17.1]
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) ~[servlet-api.jar:na]
       at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263) ~[guice-servlet-3.0.jar:na]
       at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178) ~[guice-servlet-3.0.jar:na]
       at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91) ~[guice-servlet-3.0.jar:na]
       at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62) ~[guice-servlet-3.0.jar:na]
       at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118) ~[guice-servlet-3.0.jar:na]
       at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113) ~[guice-servlet-3.0.jar:na]
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[catalina.jar:9.0.30]
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[catalina.jar:9.0.30]
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) ~[catalina.jar:9.0.30]
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) ~[catalina.jar:9.0.30]
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[catalina.jar:9.0.30]
       at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747) ~[catalina.jar:9.0.30]
       at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) ~[catalina.jar:9.0.30]
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:9.0.30]
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[catalina.jar:9.0.30]
       at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) ~[tomcat-coyote.jar:9.0.30]
       at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-coyote.jar:9.0.30]
       at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) ~[tomcat-coyote.jar:9.0.30]
       at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) ~[tomcat-coyote.jar:9.0.30]
       at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:9.0.30]
       at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
       at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
       at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.30]
       at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
Caused by: java.net.UnknownHostException: dom-dc1.dom1.nhtv.nl
       at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:220) ~[na:na]
       at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:403) ~[na:na]
       at java.base/java.net.Socket.connect(Socket.java:609) ~[na:na]
       at java.base/java.net.Socket.connect(Socket.java:558) ~[na:na]
       at java.base/java.net.Socket.<init>(Socket.java:454) ~[na:na]
       at java.base/java.net.Socket.<init>(Socket.java:231) ~[na:na]
       ... 58 common frames omitted
07:37:23.309 [http-nio-8080-exec-2] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "CN=svc-guacamole,OU=Serviceaccounts-Onpremise,DC=domain1,DC=nl "
07:37:23.309 [http-nio-8080-exec-2] DEBUG o.a.g.a.l.AuthenticationProviderService - Unable to determine DN for user "dani".

On the Domain Controller I see no connection coming from the Guac-machine, netstat 2 -an | find "178.20:" returns nothing. In the eventlog I found no logon success/failure for user svc-guacamole.



Guacamole.properties:
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: [password]

# LDAP properties
ldap-user-base-dn: OU=admins,DC=domain1,DC=nl
ldap-hostname: dom-dc1.domain1.nl
ldap-port: 389
ldap-search-bind-dn: CN=svc-guacamole,OU=Serviceaccounts-Onpremise,DC=domain1,DC=nl
ldap-search-bind-password: [password]
ldap-username-attribute: sAMAccountName

When I use ldapsearch with the same credentials I get return values so username/password/servername/port etc appear to be completely correct.
ldapsearch -x -b "dc=domain1,dc=nl" -D "svc-guacamole@domain1.nl"  -h [dom1-dc1 IP Address] -W ' test'
# extended LDIF
#
# LDAPv3
# base <dc=domain1,dc=nl> with scope subtree
# filter: (objectclass=*)
# requesting:  test
#

# domain1.nl
dn: DC=domain1,DC=nl

# Users, domain1.nl
dn: CN=Users,DC=domain1,DC=nl
[...]

When running ldapsearch I do see eventlog entries from user svc-guacamole on the Domain Controller, so it appears Guacamole is not even trying to connect (?) (although I think the chances are higher that I'm just doing it wrong 😉). Note that I did not (and don't want to) do any schema changes on the AD, hence the MySQL setup.

Any pointers how to troubleshoot? The error message ‘Unable to connect to LDAP server: Connect Error’ does not appear to tell me much.

Kind regards,
Tom Daniels

From: Mike Jumper <mj...@apache.org>
Reply to: "user@guacamole.apache.org" <us...@guacamole.apache.org>
Date: Tuesday, 21 January 2020 at 18:22
To: "user@guacamole.apache.org" <us...@guacamole.apache.org>
Subject: Re: LDAP/MySQL extensions not being loaded

On Tue, Jan 21, 2020, 05:28 Daniëls, Tom <Da...@buas.nl> wrote:
...

Added Executable bits on jar files and set rights according to your advice:
/etc/guacamole# ls -al
total 28
drwxr-xr-x   4 tomcat tomcat 4096 Jan 21 13:06 .
drwxr-xr-x 101 root   root   4096 Jan 21 06:13 ..
drw-r-----   2 root   tomcat 4096 Jan 17 10:41 extensions

You do not need execute bits on the .jar files.

You need execute bits on the directories.

- Mike


Re: LDAP/MySQL extensions not being loaded

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Jan 21, 2020, 05:28 Daniëls, Tom <Da...@buas.nl> wrote:

> ...
>
> Added Executable bits on jar files and set rights according to your advice:
> */etc/guacamole*# ls -al
>
> total 28
>
> drwxr-xr-x   4 tomcat tomcat 4096 Jan 21 13:06 *.*
>
> drwxr-xr-x 101 root   root   4096 Jan 21 06:13 *..*
>
> drw-r-----   2 root   tomcat 4096 Jan 17 10:41 *extensions*
>

You do not need execute bits on the .jar files.

You need execute bits on the directories.

- Mike

Re: LDAP/MySQL extensions not being loaded

Posted by Daniëls, Tom <Da...@buas.nl>.
Dear Mike,

Removed the basic-user-mapping and auth-provider settings from /etc/guacamole/guacamole.properties:
guacd-hostname: localhost
guacd-port: 4822

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: [Password]



Added Executable bits on jar files and set rights according to your advice:
/etc/guacamole# ls -al
total 28
drwxr-xr-x   4 tomcat tomcat 4096 Jan 21 13:06 .
drwxr-xr-x 101 root   root   4096 Jan 21 06:13 ..
drw-r-----   2 root   tomcat 4096 Jan 17 10:41 extensions
-rw-r-----   1 root   tomcat  781 Jan 21 13:06 guacamole.properties
drw-r-----   2 root   tomcat 4096 Jan 17 10:05 lib
-rw-r-----   1 root   tomcat  400 Jan 17 08:05 logback.xml
-rw-r-----   1 root   tomcat  692 Jan 17 12:38 user-mapping.xml



/etc/guacamole# ls -al extensions/
total 6104
drw-r----- 2 root   tomcat    4096 Jan 17 10:41 .
drwxr-xr-x 4 tomcat tomcat    4096 Jan 21 13:06 ..
-rwxr-x--- 1 root   tomcat 5026785 Jan  9 09:25 guacamole-auth-02-jdbc-mysql-1.0.0.jar
-rwxr-x--- 1 root   tomcat 1211422 Jan  9 09:28 guacamole-auth-ldap-1.0.0.jar

/etc/guacamole# ls -al lib/
total 3292
drw-r----- 2 root   tomcat    4096 Jan 17 10:05 .
drwxr-xr-x 4 tomcat tomcat    4096 Jan 21 13:06 ..
-rwxr-x--- 1 root   tomcat 2356711 Jan 17 07:48 mysql-connector-java-8.0.19.jar

Unfortunately the jar files still do not appear to load (I see no mention at all in Catalina.out, just org.apache.guacamole.auth.file.FileAuthenticationProvider; logon with guacadmin/guacadmin also continues to fail).
What else can I do to troubleshoot this? Looking forward to your input.

21-Jan-2020 13:11:38.596 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8080"]
21-Jan-2020 13:11:38.603 INFO [main] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["ajp-nio-8009"]
21-Jan-2020 13:11:38.606 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8080"]
21-Jan-2020 13:11:38.615 INFO [main] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["ajp-nio-8009"]
NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
21-Jan-2020 13:11:41.195 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Engine/Host/Valve] failed to set property [remoteIpProxiesHeader] to [x-forwarded-by]
21-Jan-2020 13:11:41.218 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.30
21-Jan-2020 13:11:41.219 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Dec 7 2019 16:42:04 UTC
21-Jan-2020 13:11:41.220 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.30.0
21-Jan-2020 13:11:41.220 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
21-Jan-2020 13:11:41.221 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.15.0-74-generic
21-Jan-2020 13:11:41.221 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
21-Jan-2020 13:11:41.222 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/lib/jvm/java-11-openjdk-amd64
21-Jan-2020 13:11:41.223 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.5+10-post-Ubuntu-0ubuntu1.118.04
21-Jan-2020 13:11:41.223 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Private Build
21-Jan-2020 13:11:41.224 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/apache-tomcat9.0.30
21-Jan-2020 13:11:41.225 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/apache-tomcat9.0.30
21-Jan-2020 13:11:41.271 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
21-Jan-2020 13:11:41.272 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
21-Jan-2020 13:11:41.273 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
21-Jan-2020 13:11:41.273 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/apache-tomcat9/conf/logging.properties
21-Jan-2020 13:11:41.274 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
21-Jan-2020 13:11:41.274 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.egd=file:///dev/urandom
21-Jan-2020 13:11:41.275 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.awt.headless=true
21-Jan-2020 13:11:41.281 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
21-Jan-2020 13:11:41.281 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
21-Jan-2020 13:11:41.282 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
21-Jan-2020 13:11:41.282 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms512M
21-Jan-2020 13:11:41.283 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx1024M
21-Jan-2020 13:11:41.295 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:+UseParallelGC
21-Jan-2020 13:11:41.296 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
21-Jan-2020 13:11:41.297 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/apache-tomcat9
21-Jan-2020 13:11:41.297 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/apache-tomcat9
21-Jan-2020 13:11:41.297 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/apache-tomcat9/temp
21-Jan-2020 13:11:41.298 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [/usr/java/packages/lib:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib]
21-Jan-2020 13:11:42.354 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
21-Jan-2020 13:11:42.405 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
21-Jan-2020 13:11:42.410 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [2,015] milliseconds
21-Jan-2020 13:11:42.509 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
21-Jan-2020 13:11:42.509 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.30]
21-Jan-2020 13:11:42.530 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/usr/local/apache-tomcat9.0.30/webapps/guacamole.war]
21-Jan-2020 13:11:43.542 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
13:11:43.875 [main] INFO  o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
13:11:43.956 [main] INFO  o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes of inactivity.
13:11:44.017 [main] INFO  org.apache.guacamole.log.LogModule - Loading logback configuration from "/etc/guacamole/logback.xml".
13:11:44.055 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "nl"
13:11:44.055 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "en"
13:11:44.055 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "fr"
13:11:44.055 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "ru"
13:11:44.056 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "de"
13:11:44.056 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "no"
13:11:44.056 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "es"
13:11:44.056 [main] DEBUG o.a.g.e.LanguageResourceService - Added language: "it"
13:11:44.058 [main] DEBUG o.a.g.extension.ExtensionModule - [0] Binding AuthenticationProvider "org.apache.guacamole.auth.file.FileAuthenticationProvider".
13:11:44.075 [main] INFO  o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".
13:11:44.169 [main] INFO  o.a.g.t.w.WebSocketTunnelModule - Loading JSR-356 WebSocket support...
13:11:44.181 [main] DEBUG o.a.guacamole.tunnel.TunnelModule - WebSocket module loaded: org.apache.guacamole.tunnel.websocket.WebSocketTunnelModule
21-Jan-2020 13:11:44.541 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.RESTExceptionMapper as a provider class
21-Jan-2020 13:11:44.543 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.extension.ExtensionRESTService as a root resource class
21-Jan-2020 13:11:44.544 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.language.LanguageRESTService as a root resource class
21-Jan-2020 13:11:44.544 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.patch.PatchRESTService as a root resource class
21-Jan-2020 13:11:44.545 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.auth.TokenRESTService as a root resource class
21-Jan-2020 13:11:44.545 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.apache.guacamole.rest.session.SessionRESTService as a root resource class
21-Jan-2020 13:11:44.546 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.register Registering org.codehaus.jackson.jaxrs.JacksonJsonProvider as a provider class
21-Jan-2020 13:11:44.548 INFO [main] com.sun.jersey.server.impl.application.WebApplicationImpl._initiate Initiating Jersey application, version 'Jersey: 1.17.1 02/28/2013 12:47 PM'
21-Jan-2020 13:11:44.631 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.RESTExceptionMapper to GuiceManagedComponentProvider with the scope "Singleton"
21-Jan-2020 13:11:44.634 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.codehaus.jackson.jaxrs.JacksonJsonProvider to GuiceManagedComponentProvider with the scope "Singleton"
21-Jan-2020 13:11:45.092 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.extension.ExtensionRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
21-Jan-2020 13:11:45.098 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.language.LanguageRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
21-Jan-2020 13:11:45.098 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.patch.PatchRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
21-Jan-2020 13:11:45.102 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.auth.TokenRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
21-Jan-2020 13:11:45.107 INFO [main] com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory.getComponentProvider Binding org.apache.guacamole.rest.session.SessionRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
21-Jan-2020 13:11:45.122 INFO [main] org.webjars.servlet.WebjarsServlet.init WebjarsServlet initialization completed
21-Jan-2020 13:11:45.151 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/usr/local/apache-tomcat9.0.30/webapps/guacamole.war] has finished in [2,621] ms
21-Jan-2020 13:11:45.154 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
21-Jan-2020 13:11:45.163 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
21-Jan-2020 13:11:45.170 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [2,760] milliseconds
13:12:34.657 [http-nio-8080-exec-7] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/app.js"
13:12:40.854 [http-nio-8080-exec-6] DEBUG o.a.g.a.f.FileAuthenticationProvider - Reading user mapping file: "/etc/guacamole/user-mapping.xml"
13:12:40.934 [http-nio-8080-exec-6] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from 12.151.204.122 failed.
13:12:43.957 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Checking for expired sessions...
13:12:43.958 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Session check completed in 1 ms.
13:12:49.284 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 12.151.204.122 for user "guacadmin" failed.

Kind regards.
Tom Daniels



RE: LDAP/MySQL extensions not being loaded

Posted by Daniëls, Tom <Da...@buas.nl>.
Dear Mike,

Thank you so much, I was unaware that I needed to set the execute bits and was almost literally pulling out my hair. I did not see this bit in the manual, could it be a good idea to add this specific info at https://guacamole.apache.org/doc/gug/ ?

Of course also many thanks for your other input regarding rights of specific files, very much appreciated! Will be adding this to our test install tomorrow when I am back at work and will of course let you know if all issues have been resolved. Have been a happy user of Guacamole since version 0.8.3 for my home servers so that is probably why some older settings might have slipped in there ;)

Kind regards,
Tom Daniels



Re: LDAP/MySQL extensions not being loaded

Posted by Mike Jumper <mi...@glyptodon.com>.
On Fri, Jan 17, 2020 at 2:47 AM Daniëls, Tom <Da...@buas.nl> wrote:

> Dear Guacamole List users,
>
>
>
> Have installed Guacamole on Ubuntu 18.04.3 LTS and am trying to implement
> Active Directory authentication without Schema changes, so I have installed
> both the MySQL (guacamole-auth-02-jdbc-mysql-1.0.0.jar) and the LDAP
> extension (guacamole-auth-ldap-1.0.0.jar) in /etc/guacamole/extensions. I
> have also placed mysql-connector-java-8.0.19.jar in /etc/guacamole/lib.
> When starting Tomcat (9.0.30 with OpenJDK 11.0.5) I only see mention of
> org.apache.guacamole.auth.file.FileAuthenticationProvider being loaded in
> Catalina.out so it appears both auth jars are completely ignored even
> though the user Tomcat is running under (tomcat) is the owner of the jar
> files in that directory.
>
>
>
> When running
>
> mysql -u guacamole_user -p --database=guacamole_db
>
> I am able to connect to database without issue so this seems to be an
> issue with the guacamole.war. Guacamole does work with the user settings
> set in /etc/guacamole/user-mapping.xm, but user guacadmin (which should
> have been created by 002-create-admin-user.sql) does not so it indeed
> seems like Guacamole is completely ignoring the extensions dir.
>
> Anyone have any pointers on how to troubleshoot and/or fix this?
>
>
>
> /etc/guacamole/guacamole.properties:
>
> ...
>
> # Properties used by BasicFileAuthenticationProvider
>
> basic-user-mapping: /etc/guacamole/user-mapping.xml
>

The "basic-user-mapping" property has been deprecated since
0.9.10-incubating and was removed in 1.0.0. Older releases would have
logged a warning regarding its use, while releases from 1.0.0 onward will
simply ignore it. Continuing to specify this is bad practice and has no
effect.

http://guacamole.apache.org/releases/0.9.10-incubating/#deprecation-of-the-basic-user-mapping-property
http://guacamole.apache.org/releases/1.0.0/#removal-of-deprecated-properties


> # MySQL properties
>
> auth-provider:
> net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider
>

The "auth-provider" property has been deprecated since 0.9.7 and was
removed in 0.9.10-incubating. Older releases would have logged a warning
regarding its use, while releases from 0.9.10-incubating onward will simply
ignore it. Continuing to specify this is bad practice and has no effect.

http://guacamole.apache.org/releases/0.9.10-incubating/#removal-of-deprecated-lib-directory-and-auth-provider-properties

...
>
> drw-r-----   2 tomcat tomcat 4096 Jan 17 10:41 extensions
>

Directories need execute permission for their contents to be used. The
tomcat user and group should have the execute bit set.

In general, there's little reason to make this directory unreadable to
other users, as the extensions themselves are not usually considered
sensitive, but there is also little reason to make it writable by Tomcat.
I'd recommend either root:root ownership, writable by root and readable by
all others, or root:tomcat ownership, again writable only by root.

-rw-r-----   1 tomcat tomcat 1427 Jan 17 08:00 guacamole.properties
>
> drw-r-----   2 tomcat tomcat 4096 Jan 17 10:05 lib
>

Same here - you need execute bits.


> -rw-r-----   1 tomcat tomcat  400 Jan 17 08:05 logback.xml
>
> -rw-r--r--   1 tomcat tomcat  888 Jan 17 08:06 user-mapping.xml
>

If you are going to use user-mapping.xml, it should not be world-readable.
It contains sensitive information.

- Mike
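Mike's three points above, the missing execute (search) bit on the extensions and lib directories, the world-readable user-mapping.xml, and the deprecated basic-user-mapping and auth-provider properties that 1.0.0 silently ignores, can all be checked from a shell before restarting Tomcat. The audit script below is an added example written for this page; it is not from the thread and not part of the Guacamole project. It assumes GNU find/stat as shipped on Ubuntu, the file names from the poster's listing, /etc/guacamole as the default GUACAMOLE_HOME, and an environment variable GUACAMOLE_AUDIT_HOME and function names of my own choosing. When run without that variable it builds a constructed scratch copy of the poster's layout (modes only; ownership cannot be reproduced without root) and audits that.

```shell
#!/bin/sh
# Added example for this page (not from the thread or the Guacamole project):
# audit a GUACAMOLE_HOME for the problems raised in the reply above.
# Assumptions: GNU find/stat (Ubuntu), the file names from the poster's
# listing, /etc/guacamole as the default GUACAMOLE_HOME.

# Octal mode of a path (e.g. 640); used only in report lines.
mode_of() {
    stat -c '%a' "$1"
}

# Owner and group as "user:group"; used only in report lines.
owner_of() {
    stat -c '%U:%G' "$1"
}

# Succeeds only if BOTH the owner and the group execute (search) bits are set.
# Without the search bit the jars inside can be listed but not opened, which
# is why the extension loader saw nothing in the poster's setup.
dir_searchable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -u+x,g+x 2>/dev/null)" ]
}

# Succeeds if the "other" read bit is set.
world_readable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o+r 2>/dev/null)" ]
}

# Print the lines setting properties that Guacamole 1.0.0 ignores:
# basic-user-mapping (removed in 1.0.0) and auth-provider (removed in 0.9.10).
deprecated_properties() {
    grep -E '^[[:space:]]*(basic-user-mapping|auth-provider)[[:space:]]*:' "$1"
}

# Number of such lines; prints 0 (and still succeeds) when there are none.
count_deprecated() {
    grep -Ec '^[[:space:]]*(basic-user-mapping|auth-provider)[[:space:]]*:' "$1" || true
}

# Run every check against one GUACAMOLE_HOME. Prints one line per finding and
# returns the number of findings, so 0 means the layout is clean.
audit_guacamole_home() {
    home=${1:-/etc/guacamole}
    findings=0

    # Directories Tomcat must be able to descend into.
    for d in "$home" "$home/extensions" "$home/lib"; do
        [ -d "$d" ] || continue
        if ! dir_searchable "$d"; then
            echo "FAIL $d ($(owner_of "$d"), mode $(mode_of "$d")): owner/group execute bit missing; contents cannot be loaded"
            findings=$((findings + 1))
        fi
    done

    # Files holding credentials (user-mapping.xml: password hashes;
    # guacamole.properties: database password) must not be world-readable.
    for f in "$home/user-mapping.xml" "$home/guacamole.properties"; do
        [ -f "$f" ] || continue
        if world_readable "$f"; then
            echo "FAIL $f (mode $(mode_of "$f")): world-readable but contains secrets"
            findings=$((findings + 1))
        fi
    done

    # Stale properties carried over from pre-1.0 installs.
    props="$home/guacamole.properties"
    if [ -f "$props" ] && [ "$(count_deprecated "$props")" -gt 0 ]; then
        echo "WARN $props: the properties below are ignored by 1.0.0 and should be removed:"
        deprecated_properties "$props" | sed 's/^/    /'
        findings=$((findings + 1))
    fi

    echo "findings: $findings"
    return "$findings"
}

# Constructed demo layout: the modes from the poster's `ls -l` (drw-r----- on
# extensions/lib, -rw-r--r-- on user-mapping.xml) plus the two stale properties,
# recreated in a scratch directory. Prints the directory's path.
make_demo_home() {
    demo=$(mktemp -d)
    mkdir "$demo/extensions" "$demo/lib"
    chmod 750 "$demo"
    chmod 640 "$demo/extensions" "$demo/lib"
    printf '%s\n' 'guacd-hostname: localhost' \
        'basic-user-mapping: /etc/guacamole/user-mapping.xml' \
        'auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider' \
        'mysql-hostname: localhost' > "$demo/guacamole.properties"
    chmod 640 "$demo/guacamole.properties"
    : > "$demo/user-mapping.xml"
    chmod 644 "$demo/user-mapping.xml"
    printf '%s\n' "$demo"
}

# Audit the real directory when asked, otherwise audit the constructed demo.
if [ -n "${GUACAMOLE_AUDIT_HOME:-}" ]; then
    audit_guacamole_home "$GUACAMOLE_AUDIT_HOME"
else
    demo=$(make_demo_home)
    audit_guacamole_home "$demo" || true   # the demo is meant to produce findings
    chmod -R u+rwx "$demo" && rm -rf "$demo"
fi
```

Run it against a real install with `GUACAMOLE_AUDIT_HOME=/etc/guacamole sh guac-home-audit.sh` (the file name is arbitrary); the exit status is the number of findings. The script only reports. The remedy Mike recommends is applied by hand after reading the report: root-owned directories with `chmod 750` (or 755 for extensions), and user-mapping.xml readable by the tomcat group only.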