On 4/30/24 9:06 AM, David Lomas wrote:
Hi,
I've set up Guacamole using docker containers using guacamole/guacamole,
guacamole/guacd, nginx, and postgres:15.2-alpine and a docker compose
yaml file. All appears to be working. I've configured Guacamole to use a
local LDAP service, which is in development. For the most part, that's
working OK, but if we try to authenticate using a google email address
of the form 'gmail.user+te...@gmail.com', the LDAP server never sees a
request from Guacamole. The Guacamole logs show
o.a.d.l.c.api.LdapNetworkConnection sending a BIND request, but it never
appears at the LDAP server. For example, this is in the docker logs (set
to DEBUG level):
...
Before finally this:
guacamole_compose | 15:31:09.618 [NioProcessor-12] DEBUG org.apache.directory.api.CODEC_LOG - MSG_14002_DECODED_LDAP_MESSAGE (MessageType : BIND_RESPONSE
guacamole_compose | Message ID : 1
guacamole_compose | BindResponse
guacamole_compose | Ldap Result
guacamole_compose | Result code : (INVALID_DN_SYNTAX) invalidDNSyntax
guacamole_compose | Matched Dn : ''
guacamole_compose | Diagnostic message : ''
guacamole_compose | )
Removing the '+' sign from the email address works fine, as does
surrounding the entire email address with double-quotes. But of course
those fail authentication at the LDAP end.
LDAP appears to require certain characters to be escaped, including '+',
which probably explains why it's failing. Is this a bug in the LDAP auth
extension? Or some other configuration I'm missing?
We don't directly touch the LDAP protocol within Guacamole, but this may
be a bug in the Apache Directory LDAP API (the LDAP library that we use
inside Guacamole's LDAP support):
https://directory.apache.org/api/
I'll see if I can reproduce this with a test LDAP server and maybe glean
more info.
- Mike
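
Added example, not part of the original thread and not code from Guacamole or the Apache Directory LDAP API: in the RFC 4514 string form of a DN, an unescaped '+' separates the attribute-value pairs of a multi-valued RDN, so a value containing it has to be escaped before it is placed in a DN string. The sketch below escapes a value and runs a simplified well-formedness check; the 'uid' attribute, the base DN and the address are constructed sample values, and the function names are hypothetical.

```python
# Added example: RFC 4514 escaping of an attribute value used inside a DN string.
# Attribute name, base DN and address are constructed sample values.
import re

SPECIAL = '"+,;<>\\'  # characters RFC 4514 requires escaping anywhere in a value
SAMPLE_USER = "some.user+tag@example.com"
SAMPLE_BASE = "ou=people,dc=example,dc=com"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for a DN string (RFC 4514, section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                 # NUL is written as a hex pair
        elif ch in SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":            # leading space or '#'
            out.append("\\" + ch)
        elif i == len(value) - 1 and ch == " ":  # trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def split_unescaped(text: str, sep: str) -> list:
    """Split on sep, skipping any character that follows a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
        elif text[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(text[i])
            i += 1
    parts.append("".join(cur))
    return parts


def dn_is_well_formed(dn: str) -> bool:
    """Simplified check: each RDN, split on unescaped '+', is type=value."""
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            if not re.fullmatch(r"\s*[A-Za-z][A-Za-z0-9-]*\s*=.*", ava, re.S):
                return False
    return True
```

With the sample values, "uid=" + SAMPLE_USER + "," + SAMPLE_BASE fails the check because the text after '+' is read as a second attribute-value pair with no '=', while the same DN built with escape_dn_value(SAMPLE_USER) passes.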