Re: LDAP authentication not working
On Tue, Oct 26, 2021 at 6:53 AM Golota S.V. wrote:

> Hello, if my experience is useful, I did this:
>
> LDAP_HOSTNAME: "ip_addr_dc"
> LDAP_PORT: "389"
> LDAP_ENCRYPTION_METHOD: "none"
> LDAP_SEARCH_BIND_DN: "CN = guacamoleadmin, OU = domaim, DC = local"
> LDAP_SEARCH_BIND_PASSWORD: "password"
> LDAP_USER_BASE_DN: "OU = NET, DC = domain, DC = local"
> LDAP_USERNAME_ATTRIBUTE: "samAccountName"
> LDAP_GROUP_BASE_DN: "OU = Group, DC = domain, DC = local"
> LDAP_GROUP_NAME_ATTRIBUTE: "cn"
> LDAP_FOLLOW_REFERRALS: "false"
> LDAP_USER_SEARCH_FILTER: "(& (objectClass = *) (memberOf = CN = rdp-user, OU = Group, DC = domain, DC = local))"
>

Thanks for sharing this! Please note that this is the Docker configuration, so it will have to be translated to guacamole.properties format, or you'll have to enable environment variable loading.

> 26.10.2021 05:31, Maik Heinelt wrote:
>
> I am not getting LDAP authentication with my Windows 2019 server to work.
> My guacamole.properties looks as follows:
>
> guacd-hostname: localhost
> guacd-port: 4822
> GUACAMOLE_HOME:/etc/guacamole
>

There's no point to this line, as this file should already be in GUACAMOLE_HOME.

> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>

This line is completely unnecessary and does not add or change functionality.

> # LDAP properties
> ldap-hostname:MyWin2019Server
> ldap-port: 389
> ldap-encryption-method: none
> ldap-username-attribute:sAMAccountName
> ldap-user-base-dn: OU=Users,DC=mydomain,DC=local
> ldap-search-bind-dn: CN=Administrator,CN=Users,DC=mydomain,DC=local
> ldap-search-bind-password: GoodPassword
>

I would not use Administrator to do search binds - this is a needless compromise of your Admin credentials. You really only need an account that can actually bind to AD and then can locate the user, group, and/or connection objects that you want to query from Guacamole.

> I got the ldap-search-bind-dn from the server LDAP admin properties >> Attribute Editor >> distinguishedName, so I am pretty sure this should be correct.
>

That looks fine to me.

> I am able to reach the LDAP without errors with using SSL or also no encryption via Guacamole server command line using ldapsearch.
> When looking at the catalina.out log file, there is no error or warning shown when I try to authenticate via LDAP.
> Just a "WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 153.156.182.53 for user "MyUser" failed."
>

The first thing I would check, here, is that you actually have the LDAP extension installed correctly? The JAR file should be under GUACAMOLE_HOME/extensions (/etc/guacamole/extensions, usually). After copying it to that directory make sure to reload the Guacamole web application by either re-deploying the WAR file or restarting Tomcat. You can check catalina.out and make sure that you're seeing a message when the WAR file is loaded that indicates that it has actually loaded the LDAP extension.

After that you should try increasing the verbosity of logging for Guacamole Client:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

Note that, particularly for the LDAP extension, this will result in a lot of extra messages being logged, and you'll have to go through the logs and locate the login attempts and where the LDAP conversation is failing.

-Nick
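The points raised in the reply above (Docker-style variables must be translated to guacamole.properties names, the Administrator search bind, the two unneeded lines) can be checked mechanically. This is an added example, not part of the original thread or of Guacamole; the function names and finding labels are hypothetical, the name mapping (lower-case, underscores to dashes) is an assumption, and the cleartext-bind check is an addition based on the `ldap-encryption-method: none` setting shown in both configurations.

```python
import re

# Constructed samples, copied from the settings quoted in the thread.
DOCKER_ENV = '''
LDAP_HOSTNAME: "ip_addr_dc"
LDAP_ENCRYPTION_METHOD: "none"
LDAP_SEARCH_BIND_DN: "CN = guacamoleadmin, OU = domaim, DC = local"
LDAP_USERNAME_ATTRIBUTE: "samAccountName"
'''
PROPERTIES = '''
GUACAMOLE_HOME: /etc/guacamole
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# LDAP properties
ldap-port: 389
ldap-encryption-method: none
ldap-search-bind-dn: CN=Administrator,CN=Users,DC=mydomain,DC=local
'''

def env_to_properties(env_text):
    """Map Docker-style NAME: "value" lines to guacamole.properties keys
    (assumed rule: lower-case the name, underscores become dashes)."""
    props = {}
    for line in env_text.splitlines():
        m = re.match(r'\s*([A-Z][A-Z0-9_]*)\s*[:=]\s*"?(.*?)"?\s*$', line)
        if m:
            props[m.group(1).lower().replace("_", "-")] = m.group(2)
    return props

def parse_properties(text):
    """Read key: value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            props[key.strip()] = value.strip()
    return props

def lint(props):
    """Return hypothetical finding labels for the issues discussed above."""
    findings = []
    # Added check: with no encryption, bind passwords cross the network in clear.
    if props.get("ldap-encryption-method", "none").lower() == "none":
        findings.append("cleartext-bind")
    # A search bind as the built-in Administrator exposes admin credentials.
    bind_dn = props.get("ldap-search-bind-dn", "")
    if re.match(r"\s*CN\s*=\s*Administrator\s*,", bind_dn, re.I):
        findings.append("admin-search-bind")
    # Lines the reply calls pointless in guacamole.properties.
    findings += ["unneeded:" + k for k in ("auth-provider", "GUACAMOLE_HOME") if k in props]
    return findings

if __name__ == "__main__":
    print(lint(parse_properties(PROPERTIES)))
    print(lint(env_to_properties(DOCKER_ENV)))
```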
LDAP authentication not working
Hello, if my experience is useful, I did this:

LDAP_HOSTNAME: "ip_addr_dc"
LDAP_PORT: "389"
LDAP_ENCRYPTION_METHOD: "none"
LDAP_SEARCH_BIND_DN: "CN = guacamoleadmin, OU = domaim, DC = local"
LDAP_SEARCH_BIND_PASSWORD: "password"
LDAP_USER_BASE_DN: "OU = NET, DC = domain, DC = local"
LDAP_USERNAME_ATTRIBUTE: "samAccountName"
LDAP_GROUP_BASE_DN: "OU = Group, DC = domain, DC = local"
LDAP_GROUP_NAME_ATTRIBUTE: "cn"
LDAP_FOLLOW_REFERRALS: "false"
LDAP_USER_SEARCH_FILTER: "(& (objectClass = *) (memberOf = CN = rdp-user, OU = Group, DC = domain, DC = local))"

26.10.2021 05:31, Maik Heinelt wrote:

> I am not getting LDAP authentication with my Windows 2019 server to work.
> My guacamole.properties looks as follows:
>
> guacd-hostname: localhost
> guacd-port: 4822
> GUACAMOLE_HOME: /etc/guacamole
>
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> # LDAP properties
> ldap-hostname: MyWin2019Server
> ldap-port: 389
> ldap-encryption-method: none
> ldap-username-attribute: sAMAccountName
> ldap-user-base-dn: OU=Users,DC=mydomain,DC=local
> ldap-search-bind-dn: CN=Administrator,CN=Users,DC=mydomain,DC=local
> ldap-search-bind-password: GoodPassword
>
> I got the ldap-search-bind-dn from the server LDAP admin properties >> Attribute Editor >> distinguishedName, so I am pretty sure this should be correct.
>
> I am able to reach the LDAP without errors with using SSL or also no encryption via Guacamole server command line using ldapsearch.
> When looking at the catalina.out log file, there is no error or warning shown when I try to authenticate via LDAP.
> Just a "WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 153.156.182.53 for user "MyUser" failed."
>
> Please correct me if I am wrong, but my understanding is, I should be able to authenticate with every user with its account name who is at the Users OU.
>
> Maik

--
Best regards,
Golota S.V.
Computer network administrator
AO "Turgai-Petroleum"
e-mail: sgol...@turgai.kz
mobile +2435230
office +77242261610
LDAP authentication not working
I am not getting LDAP authentication with my Windows 2019 server to work.
My guacamole.properties looks as follows:

guacd-hostname: localhost
guacd-port: 4822
GUACAMOLE_HOME: /etc/guacamole

auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

# LDAP properties
ldap-hostname: MyWin2019Server
ldap-port: 389
ldap-encryption-method: none
ldap-username-attribute: sAMAccountName
ldap-user-base-dn: OU=Users,DC=mydomain,DC=local
ldap-search-bind-dn: CN=Administrator,CN=Users,DC=mydomain,DC=local
ldap-search-bind-password: GoodPassword

I got the ldap-search-bind-dn from the server LDAP admin properties >> Attribute Editor >> distinguishedName, so I am pretty sure this should be correct.

I am able to reach the LDAP without errors with using SSL or also no encryption via Guacamole server command line using ldapsearch.
When looking at the catalina.out log file, there is no error or warning shown when I try to authenticate via LDAP.
Just a "WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 153.156.182.53 for user "MyUser" failed."

Please correct me if I am wrong, but my understanding is, I should be able to authenticate with every user with its account name who is at the Users OU.

Maik
Re: LDAP Authentication not working
Thanks for the reply. I am using Windows AD not Azure AD and also I tried with MySQL on Ubuntu. The MySQL authentication works well, but the LDAP Authentication still gives me the same error:

WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties

I have configured the logs to be at the debug level, but could not find anything helpful either for catalina.out or syslog

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: LDAP Authentication not working
Yikes - this message did not format very well in the Nabble -> Mailing List translation, but I'll try to parse through it and give some suggestions...

On Mon, Jun 22, 2020 at 4:26 PM sougatasen wrote:

> Hi, I set up guacamole with basic authentication and got it working.
> However, when I configured LDAP, I am not able to get the authentication to work.
> Here is my guacamole.properties setting:
>
> guacd-hostname: localhost
> guacd-port: 4822
> mysql-hostname: x.mysql..azure.com
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: gsbadmin@
> mysql-password: xxx
> ldap-hostname:
> ldap-port: 389
> ldap-user-base-dn: CN=Users,DC=gsbldap,DC=local
> ldap-search-bind-dn: CN=guacadmin,CN=Users,DC=gsbldap,DC=local
> ldap-search-bind-password:
> ldap-username-attribute: sAMAccountName
> ldap-follow-referrals:false
>

This looks pretty similar to the configuration that I use with AD, so I'm guessing everything is okay, here, but hard to say for sure. Based on the fact that you're using Azure MySQL, I'm guessing you're also using Azure AD - I have no direct experience with that, as my AD environment is on-premise, so I don't know if that could impact things. My only suspicion at this point is around SSL connectivity to AD - maybe it's trying to start up TLS and failing certificate verification?

> In AD, I created an administrative user called guacadmin under User and created another user called guacuser. I am able to connect to the AD(LDAP Server) via ldp.exe and browse to the user from my machine.
>
> When I try to login with either guacadmin or guacuser I get the following error page :
>
> ERROR
> An error has occurred and this action cannot be completed. If the problem persists, please notify your system administrator or check your system logs.
>
> I checked the tomcat logs and this is what I get :
>
> 20:19:26.055 [http-nio-8080-exec-7] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/app.css"
> 20:19:26.083 [http-nio-8080-exec-9] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/app.js"
> 20:19:26.341 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from 208.89.185.65 failed.
> 20:19:26.422 [http-nio-8080-exec-3] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/translations/en.json"
> 20:19:31.435 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Checking for expired sessions...
> 20:19:31.436 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Session check completed in 1 ms.
> 20:19:36.559 [http-nio-8080-exec-4] WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
> 20:19:36.561 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 208.89.185.65 for user "guacuser" failed.
>
> I followed the following tutorial to configure ldap :
> https://guacamole.apache.org/doc/gug/ldap-auth.html
>
> As part of the configuration for LDAP this is what I have done:
> 1. Placed the guacamole-auth-ldap-1.1.0.jar file in the GUACAMOLE_HOME/extensions folder
> 2. Updated the properties file as mentioned above
> 3. Created Users in AD
> 4. Restarted Tomcat
>
> The actual reason for the failure is not evident from the logs. Can you provide some guidance on how to troubleshoot this better please ?
>

You might want to put your Guacamole Client logging into debug mode and see if that gives you any additional insight. It will give you a *TON* of output - the Apache Directory API is very verbose when you get to the DEBUG level, so you'll have to parse through a ton of output to get the relevant messages - and, once you get them, you'll want to set logging back to normal levels.

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

-Nick
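When sifting through verbose Tomcat output as suggested above, it helps to separate failed logins that follow an authentication-provider internal error from failed logins with no provider error on the same request thread. This is an added example, not part of the original thread or of Guacamole; the function name and cause labels are hypothetical, the sample lines are constructed in the format quoted in this thread, and it assumes the provider error and the failure are logged by the same worker thread.

```python
import re

# Constructed sample in the log format quoted in the thread (documentation IPs).
LOG = '''
20:19:26.341 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from 203.0.113.65 failed.
20:19:36.559 [http-nio-8080-exec-4] WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process.
20:19:36.561 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.65 for user "guacuser" failed.
20:24:02.118 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.53 for user "MyUser" failed.
'''

# time [thread] LEVEL logger - message
LINE = re.compile(r'^(\S+) \[([^\]]+)\] (\w+)\s+(\S+) - (.*)$')
PROVIDER_ERR = re.compile(
    r'The "([^"]+)" authentication provider has encountered an internal error')
FAILED = re.compile(r'Authentication attempt from (\S+) for user "([^"]*)" failed')

def triage(log_text):
    """Return (user, source_ip, cause) for every failed named login."""
    pending = {}   # worker thread -> provider that errored during its request
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, thread, _, logger, msg = m.groups()
        err = PROVIDER_ERR.search(msg)
        if err:
            pending[thread] = err.group(1)
            continue
        fail = FAILED.search(msg)
        if fail and logger.endswith("AuthenticationService"):
            # pop() so a reused worker thread does not inherit an old error
            provider = pending.pop(thread, None)
            cause = f"provider-error:{provider}" if provider else "no-provider-error"
            results.append((fail.group(2), fail.group(1), cause))
    return results

if __name__ == "__main__":
    for row in triage(LOG):
        print(row)
```

A `provider-error` result points at the extension's connection to the directory (bind, TLS, referrals), while `no-provider-error` points at the extension not being loaded or the user not being found.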
LDAP Authentication not working
Hi,

I set up guacamole with basic authentication and got it working. However, when I configured LDAP, I am not able to get the authentication to work. Here is my guacamole.properties setting:

guacd-hostname: localhost
guacd-port: 4822
mysql-hostname: x.mysql..azure.com
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: gsbadmin@
mysql-password: xxx
ldap-hostname:
ldap-port: 389
ldap-user-base-dn: CN=Users,DC=gsbldap,DC=local
ldap-search-bind-dn: CN=guacadmin,CN=Users,DC=gsbldap,DC=local
ldap-search-bind-password:
ldap-username-attribute: sAMAccountName
ldap-follow-referrals:false

In AD, I created an administrative user called guacadmin under User and created another user called guacuser. I am able to connect to the AD(LDAP Server) via ldp.exe and browse to the user from my machine.

When I try to login with either guacadmin or guacuser I get the following error page :

ERROR
An error has occurred and this action cannot be completed. If the problem persists, please notify your system administrator or check your system logs.

I checked the tomcat logs and this is what I get :

20:19:26.055 [http-nio-8080-exec-7] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/app.css"
20:19:26.083 [http-nio-8080-exec-9] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/app.js"
20:19:26.341 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from 208.89.185.65 failed.
20:19:26.422 [http-nio-8080-exec-3] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/translations/en.json"
20:19:31.435 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Checking for expired sessions...
20:19:31.436 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Session check completed in 1 ms.
20:19:36.559 [http-nio-8080-exec-4] WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
20:19:36.561 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 208.89.185.65 for user "guacuser" failed.

I followed the following tutorial to configure ldap :
https://guacamole.apache.org/doc/gug/ldap-auth.html

As part of the configuration for LDAP this is what I have done:
1. Placed the guacamole-auth-ldap-1.1.0.jar file in the GUACAMOLE_HOME/extensions folder
2. Updated the properties file as mentioned above
3. Created Users in AD
4. Restarted Tomcat

The actual reason for the failure is not evident from the logs. Can you provide some guidance on how to troubleshoot this better please ?

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/