Imho you have a big issue already with authentication using no encryption at
all.
Best Regards,
Joachim
Von: Tifaine RIVOIRE OPTI Sécurité <t.rivo...@optisecurite.fr>
Gesendet: Donnerstag, 29. Juni 2023 11:22
An: user@guacamole.apache.org
Betreff: RE: Guacamole Extensions troubles
Hi,
After conducting further research following Nick's response, I discovered that
I don't need a search filter, so I removed it. My goal is to allow all users in
my Active Directory (AD) to connect to Guacamole.
However, I'm still encountering issues with LDAP authentication. Specifically,
when I attempt to connect with a user named l.coelho from my AD, the following
logs are generated:
08:29:44.881 [http-nio-8080-exec-2] INFO
o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user
"l.coelho" using LDAP server "192.168.87.20". Proceeding with next server...
08:29:44.882 [http-nio-8080-exec-2] INFO
o.a.g.a.l.AuthenticationProviderService - User "l.coelho" did not successfully
authenticate against any LDAP server.
08:29:44.883 [http-nio-8080-exec-2] WARN o.a.g.r.auth.AuthenticationService -
Authentication attempt from [X.X.X.X, 192.168.254.10] for user "l.coelho"
failed.
I have already verified that I can successfully telnet to port 389 of my LDAP
server, the encryption method is set correctly as "none," and I tested the LDAP
connectivity using the ldapsearch command, which worked fine.
Interestingly, my admin can connect to the AD without any issues, as confirmed
by the successful log entries in my AD logs.
I suspect that there might be a problem with my LDAP configuration in the
Docker Compose file. Could you assist me in resolving this issue?
My users are in : OU=AMG,OU=Utilisateur,DC=AMG,DC=lan
My admin in : OU=Users,DC=AMG,DC=lan
# LDAP Connection
LDAP_HOSTNAME: 192.168.87.20
LDAP_PORT: 389
LDAP_ENCRYPTION_METHOD: "none"
# Mapping Guacamole usernames to LDAP DN’s
LDAP_USER_BASE_DN: "dc=AMG,dc=LAN"
# Indirect Username Mapping
LDAP_SEARCH_BIND_DN: CN=admin,CN=Users,DC=AMG,DC=lan
LDAP_SEARCH_BIND_PASSWORD: password
LDAP-USERNAME-ATTRIBUTE: sAMAccountName
Best regards,
T. RIVOIRE
De : Nick Couchman <vn...@apache.org <mailto:vn...@apache.org> >
Envoyé : mercredi 14 juin 2023 14:46
À : user@guacamole.apache.org <mailto:user@guacamole.apache.org>
Objet : Re: Guacamole Extensions troubles
On Wed, Jun 14, 2023 at 8:26 AM Tifaine RIVOIRE OPTI Sécurité
<t.rivo...@optisecurite.fr <mailto:t.rivo...@optisecurite.fr> > wrote:
Hi,
I’m testing Guacamole and I want to configure some extensions.
I already set up guacamole with docker-compose and TOTP Extension.
I have some troubles with the LDAP extension. In fact, I follow a lot of
tutorials that show me how I can set up this one.
I copy the .jar file in extension directory but after a restart I can’t log in
with an AD user. I’va seen that a new directory called ldap was created (just
like totp) with .jar & .ldif file.
I also try to create a user with same AD name and blank password in guacamole,
I make sure to select create connection permission.
When I connect, Guacamole tell me wrong password but this is the correct one in
my AD.
I also see some forwarded communications (through firewall) from my Guacamole
server to my AD.
Can you help me to understand why I can’t log with an AD account ?
You'll need to take a look at the logs for the Guacamole Client container and
see what errors might be logged to the container. You may also have to change
the log level of Guacamole Client (LOGBACK_LEVEL environment variable) to get
more useful information out of the system.
I do notice in the Docker Compose file you posted that you appear to be using a
search filter that is supposed to make LDAP search nested AD groups. I'm not
sure that this will actually work - I think there are some things that need to
be implemented within Guacamole to support this, and I don't think those
currently exist. You might, at the very least, try changing your search filter
to something else - just create a single group with the users you want to have
access and search that group, only - and see if that helps.
-Nick
