Good morning all, I am hoping someone can point me in the right direction as I am pulling my hair, what little is left, out over an issue I am having with LDAP authentication to an AD server.
Guacamole version is 1.3.0 installed on an Ubuntu 20.04.3 Linux server. I've downloaded the LDAP extension and put the guacamole-auth-ldap-1.3.0.jar in my /etc/guacamole/extensions directory. I also had the TOTP jar in there as well and that is working just fine. For purposes of this exercise I have disabled the TOTP extension right now though. DB authentication works just fine when I make it my primary authentication method. This is the contents of my guacamole.properties file (sanitized):

<begin file>
# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: <correct password>

# LDAP properties
ldap-hostname: dc1.corpserver.ca
ldap-port: 389
ldap-user-base-dn: OU=Guacusers,DC=corpserver,DC=ca
ldap-username-attribute: sAMAccountName
ldap-config-base-dn: DC=corpserver,DC=ca
ldap-search-bind-dn: CN=adbind,OU=Service_Accounts,DC=corpserver,DC=ca
ldap-search-bind-password: <correct password>
ldap-encryption-method: none
<end file>

Firewall on the AD server is, right now, disabled. I can run the following commands and results are returned properly from the AD server:

ldapsearch -H ldap://dc1.corpserver.ca:389 -D CN=adbind,OU=Service_Accounts,DC=corpserver,DC=ca -W -b DC=corpserver,DC=ca

&

ldapsearch -H ldap://dc1.corpserver.ca -x -W -D "[email protected]" -b "dc=corpserver,dc=ca" "(sAMAccountName=adbind)"

However, when I attempt to log in to the Guacamole interface using an AD account, I just get a denied login, almost as if it isn't even connecting out to the AD server. I verified the account names were set up exactly in the DB as they would be on the AD server to allow for the saving of the connections in the DB by enabling the advanced properties and checking there that everything matched the user name I created in the DB first.
I feel like I am missing something, but I have checked over the documentation and looked online at other tutorials about implementing AD connectivity, and they all seem to be pretty much the same as what I have done above. Tomcat is my app server. It is running at version 9.0.31. I am not seeing anything out of the ordinary in the logs, at least for Tomcat or Guacamole, other than some multipathd errors which I'm not concerned with at the moment. Am I missing something in the configuration that would be preventing my Guacamole server from authenticating to the AD server? I appreciate any thoughts, ideas or suggestions that may get me moving in the right direction. Thank you, Rick Davies
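As an added illustration (not the poster's configuration and not Guacamole's own code), the Python below models the two-step login that the LDAP extension performs when ldap-search-bind-dn is set: bind as the search account, look for the entry whose ldap-username-attribute matches the typed name anywhere under ldap-user-base-dn, then bind as that entry with the user's password. The directory contents, the account names rdavies and alice, and every password are constructed for the example. An AD account whose entry sits outside the configured user base DN is included deliberately: it is never found by the search, so the login is refused before any password is checked, which from the browser looks the same as a wrong password.

```python
"""Model of the search-bind LDAP login used by the Guacamole LDAP extension.
Added example: the directory below is constructed and nothing here talks to a
real server."""
from typing import Dict, Optional, Tuple

# Constructed: the LDAP keys from the guacamole.properties in the post, with a
# made-up bind password standing in for the sanitized one.
PROPERTIES_TEXT = """\
# LDAP properties
ldap-hostname: dc1.corpserver.ca
ldap-port: 389
ldap-user-base-dn: OU=Guacusers,DC=corpserver,DC=ca
ldap-username-attribute: sAMAccountName
ldap-config-base-dn: DC=corpserver,DC=ca
ldap-search-bind-dn: CN=adbind,OU=Service_Accounts,DC=corpserver,DC=ca
ldap-search-bind-password: bind-secret
ldap-encryption-method: none
"""

# Constructed stand-in for the AD directory: DN -> attributes. Passwords sit in
# clear text only because this is a simulation.
Entry = Dict[str, str]
DIRECTORY: Dict[str, Entry] = {
    "CN=adbind,OU=Service_Accounts,DC=corpserver,DC=ca":
        {"sAMAccountName": "adbind", "password": "bind-secret"},
    "CN=Rick Davies,OU=Guacusers,DC=corpserver,DC=ca":
        {"sAMAccountName": "rdavies", "password": "rick-pw"},
    # Valid AD account, but its OU is not beneath ldap-user-base-dn.
    "CN=Alice,OU=Staff,DC=corpserver,DC=ca":
        {"sAMAccountName": "alice", "password": "alice-pw"},
}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines, skipping blank lines and '#' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        props[key.strip()] = value.strip()
    return props


def dn_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies in the subtree below it (DNs compare case-insensitively)."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def simple_bind(directory: Dict[str, Entry], dn: str, password: str) -> bool:
    """Simulated LDAP simple bind. An empty password is refused on purpose: on a
    real server it would be an anonymous bind, not a proof of identity."""
    entry = directory.get(dn)
    return entry is not None and password != "" and entry["password"] == password


def find_user_dn(props: Dict[str, str], directory: Dict[str, Entry], username: str) -> Optional[str]:
    """Resolve the typed name to a DN the way the extension's configuration does."""
    attr = props.get("ldap-username-attribute", "uid")
    base = props["ldap-user-base-dn"]
    if "ldap-search-bind-dn" not in props:
        # No search account configured: the DN is derived directly from the name.
        return f"{attr}={username},{base}"
    # Search account configured: subtree search for attr=username below the base DN.
    for dn, entry in directory.items():
        if dn_under(dn, base) and entry.get(attr, "").lower() == username.lower():
            return dn
    return None


def authenticate(props: Dict[str, str], directory: Dict[str, Entry],
                 username: str, password: str) -> Tuple[bool, str]:
    """Run the full login and report where it stopped: (success, detail)."""
    search_dn = props.get("ldap-search-bind-dn")
    if search_dn is not None and not simple_bind(directory, search_dn,
                                                  props.get("ldap-search-bind-password", "")):
        return False, f"search bind as {search_dn} rejected"
    dn = find_user_dn(props, directory, username)
    if dn is None:
        attr = props.get("ldap-username-attribute", "uid")
        return False, f"no entry with {attr}={username} under {props['ldap-user-base-dn']}"
    if not simple_bind(directory, dn, password):
        return False, f"bind as {dn} rejected"
    return True, dn


if __name__ == "__main__":
    cfg = parse_properties(PROPERTIES_TEXT)
    for user, pw in [("rdavies", "rick-pw"), ("rdavies", "wrong"), ("alice", "alice-pw")]:
        print(user, authenticate(cfg, DIRECTORY, user, pw))
```

The three sample logins show the three outcomes a defender wants to tell apart: a successful two-step bind, a correct account with the wrong password, and an account the search never returns because it lives outside ldap-user-base-dn. On a real deployment those last two are distinguished only in the server-side log, not in the browser, so raising the LDAP extension's log level is the first step when every AD login is simply denied.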
