guacamole-user mailing list archives

From Dawson Bessinger <dawsonbessin...@ls3p.com>
Subject RE: LDAP - Error while query user DNs.
Date Fri, 27 May 2016 01:23:14 GMT
It’s a basic Windows Active Directory domain (Server 2012 functional level).

Root
|-- Builtin
|-- Office1
|   |-- Users
|   |-- Computers
|
|-- Office2
|   |-- Users
|   |-- Computers


Clearly there is something the novell.ldap class doesn’t like … but I have no idea what.
We have plenty of other tools that we specify the base DN as the root for searching and they
work just fine (Openfire for example, which is Java also).

The referral exception did make me think the domain controller I specified in .properties
was the culprit, however, I tried 4 of our other domain controllers in total and they all
produced the same results (this includes our PDC).
There was an issue in Jira that came up when searching the error (https://glyptodon.org/jira/browse/GUAC-1473).
However, it looks like it was closed and nothing came out of it … however, that person did
do a network capture and verified that the request was returning a found user, but the exception
was still thrown. I am almost positive if we did a similar capture we would see the same thing.
That doesn’t really help the situation but there it is.

If you need any other information or have any ideas for us to try please let me know.

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Thursday, May 26, 2016 8:14 PM
To: user@guacamole.incubator.apache.org
Subject: Re: LDAP - Error while query user DNs.

On Thu, May 26, 2016 at 7:09 AM, Dawson Bessinger <dawsonbessinger@ls3p.com> wrote:
Hello,
We have set up a test Guacamole server and are having an LDAP auth issue. If we list the root
of our AD in ldap-user-base-dn, guacamole throws an exception:
~~~
org.glyptodon.guacamole.GuacamoleServerException: Error while query user DNs.
        at org.glyptodon.guacamole.auth.ldap.user.UserService.getUserDNs(UserService.java:271) ~[guacamole-auth-ldap-0.9.9.jar:na]
~~~

I enabled debug error level and this is at the bottom of the stack trace:
~~~
Caused by: com.novell.ldap.LDAPReferralException: Referral
        at com.novell.ldap.LDAPSearchResults.next(Unknown Source) ~[guacamole-auth-ldap-0.9.9.jar:na]
        at org.glyptodon.guacamole.auth.ldap.user.UserService.getUserDNs(UserService.java:262) ~[guacamole-auth-ldap-0.9.9.jar:na]
~~~


Can you describe in more detail how your LDAP server is set up?

I've not seen this particular exception before. It's unfortunate that the error message itself
is so artfully useless, but looking at the JavaDoc for that LDAPReferralException[1], the
description reads:

    "Thrown when a server returns a referral and when a referral has not been followed. It
contains a list of URL strings corresponding to the referrals or search continuation references
received on an LDAP operation."

Until today, I had no idea that "referrals" were a concept in LDAP. From the description,
it sounds like LDAP deployments can potentially span multiple servers, with each server being
somewhat aware of its relatives' contents. If that is the case, it seems the sort of thing
that an LDAP library would want to abstract away from downstream users of said library ...
but then again perhaps not.

Thanks,

- Mike

[1] https://www.novell.com/documentation/developer/jldap/jldapenu/api/com/novell/ldap/LDAPReferralException.html
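
How an unfollowed referral surfaces while iterating JLDAP search results, as described in the quoted JavaDoc: this is an added example, not part of the original messages and not Guacamole's own code. The host, base DN, bind account, filter and the `LDAP_BIND_PW` environment variable are constructed placeholders, and it assumes the JLDAP jar and a reachable directory server.

```java
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPEntry;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPReferralException;
import com.novell.ldap.LDAPSearchConstraints;
import com.novell.ldap.LDAPSearchResults;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class ReferralTolerantSearch {
    // Constructed placeholders (assumptions), not values from the thread.
    static final String HOST = "dc1.example.com";
    static final String BASE_DN = "DC=example,DC=com"; // directory root, as in the report
    static final String BIND_DN = "CN=svc-search,OU=Users,OU=Office1,DC=example,DC=com";
    static final String FILTER = "(&(objectClass=user)(sAMAccountName=jdoe))";

    public static void main(String[] args) throws LDAPException {
        byte[] password = System.getenv("LDAP_BIND_PW").getBytes(StandardCharsets.UTF_8);
        LDAPConnection conn = new LDAPConnection();
        List<String> userDNs = new ArrayList<>();
        List<String> skippedReferrals = new ArrayList<>();
        try {
            conn.connect(HOST, 389);
            conn.bind(LDAPConnection.LDAP_V3, BIND_DN, password);

            // Referral following stays off: the client only talks to HOST, and each
            // unfollowed referral surfaces as an LDAPReferralException from next().
            LDAPSearchConstraints cons = conn.getSearchConstraints();
            cons.setReferralFollowing(false);
            LDAPSearchResults results = conn.search(BASE_DN, LDAPConnection.SCOPE_SUB,
                    FILTER, new String[] {"1.1"}, false, cons); // "1.1" = return DNs only

            while (results.hasMore()) {
                try {
                    LDAPEntry entry = results.next();
                    userDNs.add(entry.getDN());
                } catch (LDAPReferralException e) {
                    // A continuation reference, not a failure of the whole search:
                    // record where the server pointed and keep reading entries.
                    for (String url : e.getReferrals()) skippedReferrals.add(url);
                }
            }
        } finally {
            if (conn.isConnected()) conn.disconnect();
        }
        System.out.println("Matching DNs: " + userDNs);
        System.out.println("Referrals not followed: " + skippedReferrals);
    }
}
```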
