guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jonathan Hunter <>
Subject Re: LDAP authentication - "Error while query user DNs"
Date Mon, 03 Apr 2017 00:02:37 GMT
Having seen the latest release notes, I'm wondering if I should just
use the new HTTP header based authentication (since I already have a
working .htaccess file that works with LDAP).

Is there much that the built-in LDAP authentication would offer, that
HTTP header authentication wouldn't? I understand that both of them
will allow a valid user to log in to Guacamole; and if using HTTP
header authentication this wouldn't give the opportunity to store
connection information in LDAP - but is there fundamentally anything

I don't know why I'm getting the errors I am seeing (probably my
inexperience with guacamole configuration) but the HTTP header
authentication would seem to be a good way round this..



On 1 April 2017 at 08:46, Jonathan Hunter <> wrote:
> Hi,
> I'm setting up guacamole for the first time, using the docker images,
> and have been very impressed with the whole application - thanks to
> all the dev team! The fact that this can work at all, in a web browser
> using HTML, still feels like black magic to me :)
> However I'm trying to progress beyond using the 'guacadmin' user, so
> I'm trying to set up LDAP authentication (I'm using samba4 AD).
> My docker run command is pasted in below (sanitised); this works fine
> with the guacadmin user until I add the LDAP details, at which point
> whenever I try to log in with an LDAP user, I get the following in the
> guacamole logs (as viewed with '# docker logs -f gc-guacamole'):
> 3:06:51.671 [http-nio-8080-exec-3] ERROR
> o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP
> server: Error while query user DNs.
> 23:06:51.672 [http-nio-8080-exec-3] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> [] for user "testuser" failed.
> I checked the LDAP bind details using ldapsearch; these worked fine. I
> then tried wireshark to capture the LDAP traffic to check what was
> actually being queried. Details of how I captured the traffic are
> below, in case this helps others in a similar situation, but I can
> confirm that guacamole asks for:
> baseObject: dc=mydomain,dc=org
> scope: wholeSubtree (2)
> Filter: (&(objectClass=*)(sAMAccountName=testuser))
> and the LDAP server responds with:
> objectName: CN=testuser,OU=Users,OU=myou,DC=mydomain,DC=org
> attributes: 34 items
> [...]
> So, I'm not too sure why guacamole is reporting 'Error while query user DNs'.
> I've had a look through the code at
> and I can't see what might be wrong. As far as I can tell, guacamole
> is asking for a user DN and one is being returned - so I'm not sure
> where the error is. Perhaps I've missed out some other LDAP setting?
> Can anyone point me in the right direction of what I could check next?
> This is my first time setting this up, so unfortunately I don't have a
> "known good" configuration yet :(
> Once this is working, I'll see if I can figure out a way to specify
> more than one LDAP server (I have multiple DCs), use groups, etc. etc.. - but
> first steps first :)
> Thanks,
> Jonathan
> --
> "If we knew what it was we were doing, it would not be called
> research, would it?"
>       - Albert Einstein
> My docker command (Copied and pasted, but sanitised):
> # docker run --restart=always \
>     --name gc-guacamole --link gc-guacd:guacd \
>     -e MYSQL_HOSTNAME=   \
>     -e MYSQL_DATABASE=guacamole_db  \
>     -e MYSQL_USER=guacamole_user    \
>     -e MYSQL_PASSWORD=thedatabasepassword \
>     -e \
>     -e LDAP_USER_BASE_DN=dc=mydomain,dc=org \
>     -e LDAP_SEARCH_BIND_DN=cn=guacamole,cn=Users,dc=mydomain,dc=org \
>     -e LDAP_SEARCH_BIND_PASSWORD=thecorrectpassword \
>     -e LDAP_USERNAME_ATTRIBUTE=sAMAccountName  \
>     -d -p 80:8080 glyptodon/guacamole
> docker exec -i gc-guacamole /bin/bash -c 'cat > /tmp/myca.crt' <
> /var/www/html/myca/mycaca.crt
> docker exec -i gc-guacamole keytool -importcert -file /tmp/mycaca.crt
> -noprompt -keystore /etc/ssl/certs/java/cacerts -storepass changeit
> My method of capturing SSL LDAP traffic from samba4 was roughly as follows:
> In the guacamole docker container, set up jSSLKeyLog, otherwise we are
> defeated by Perfect Forward Secrecy (samba4 now insists on strong SSL
> by default, post Badlock patches)
> [root@server ~]# docker exec -it gc-guacamole bash
>  apt-get install vim
>  wget ""
>  unzip*
>  vi /usr/local/tomcat/bin/
>      Add:
>     CATALINA_OPTS="-javaagent:/usr/local/tomcat/jSSLKeyLog.jar=/tmp/jsslkeylog.txt"
> Then restart the docker container, and
> [root@server ~]# docker exec -it gc-guacamole 'tail -F /tmp/jsslkeylog.txt'
> [ copy and paste the resultant output and save it to the laptop used
> for wireshark ]
> On the DC:
> user@dc1:~ $ sudo scp /usr/local/samba/private/tls/key.pem wiresharklaptop:tmp/
> user@dc1:~ $ sudo tcpdump -n host and port 636 -s16384
> -wguacamole.cap
>  [ capture relevant traffic ]
> user@dc1:~ $ scp guacamole.cap wiresharklaptop:tmp/

"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein

View raw message