From Jonathan Hunter <>
Subject LDAP authentication - "Error while query user DNs"
Date Sat, 01 Apr 2017 07:46:24 GMT

I'm setting up guacamole for the first time, using the docker images,
and have been very impressed with the whole application - thanks to
all the dev team! The fact that this can work at all, in a web browser
using HTML, still feels like black magic to me :)

However I'm trying to progress beyond using the 'guacadmin' user, so
I'm trying to set up LDAP authentication (I'm using samba4 AD).

My docker run command is pasted in below (sanitised); this works fine
with the guacadmin user until I add the LDAP details, at which point
whenever I try to log in with an LDAP user, I get the following in the
guacamole logs (as viewed with '# docker logs -f gc-guacamole'):
3:06:51.671 [http-nio-8080-exec-3] ERROR
o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP
server: Error while query user DNs.
23:06:51.672 [http-nio-8080-exec-3] WARN
o.a.g.r.auth.AuthenticationService - Authentication attempt from
[] for user "testuser" failed.

I checked the LDAP bind details using ldapsearch; these worked fine. I
then tried wireshark to capture the LDAP traffic to check what was
actually being queried. Details of how I captured the traffic are
below, in case this helps others in a similar situation, but I can
confirm that guacamole asks for:
baseObject: dc=mydomain,dc=org
scope: wholeSubtree (2)
Filter: (&(objectClass=*)(sAMAccountName=testuser))

and the LDAP server responds with:
objectName: CN=testuser,OU=Users,OU=myou,DC=mydomain,DC=org
attributes: 34 items

So, I'm not too sure why guacamole is reporting 'Error while query user DNs'.

I've had a look through the code at
and I can't see what might be wrong. As far as I can tell, guacamole
is asking for a user DN and one is being returned - so I'm not sure
where the error is. Perhaps I've missed out some other LDAP setting?

Can anyone point me in the right direction of what I could check next?
This is my first time setting this up, so unfortunately I don't have a
"known good" configuration yet :(

Once this is working, I'll see if I can figure out a way to specify
more than one LDAP server (I have multiple DCs), use groups, etc. etc. - but
first steps first :)



"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein

My docker command (Copied and pasted, but sanitised):
# docker run --restart=always \
    --name gc-guacamole --link gc-guacd:guacd \
    -e MYSQL_HOSTNAME=   \
    -e MYSQL_DATABASE=guacamole_db  \
    -e MYSQL_USER=guacamole_user    \
    -e MYSQL_PASSWORD=thedatabasepassword \
    -e \
    -e LDAP_USER_BASE_DN=dc=mydomain,dc=org \
    -e LDAP_SEARCH_BIND_DN=cn=guacamole,cn=Users,dc=mydomain,dc=org \
    -e LDAP_SEARCH_BIND_PASSWORD=thecorrectpassword \
    -d -p 80:8080 glyptodon/guacamole
docker exec -i gc-guacamole /bin/bash -c 'cat > /tmp/myca.crt' <
docker exec -i gc-guacamole keytool -importcert -file /tmp/myca.crt \
    -noprompt -keystore /etc/ssl/certs/java/cacerts -storepass changeit

My method of capturing SSL LDAP traffic from samba4 was roughly as follows:

In the guacamole docker container, set up jSSLKeyLog, otherwise we are
defeated by Perfect Forward Secrecy (samba4 now insists on strong SSL
by default, post Badlock patches)
[root@server ~]# docker exec -it gc-guacamole bash
 apt-get install vim
 wget ""
 vi /usr/local/tomcat/bin/

Then restart the docker container, and
[root@server ~]# docker exec -it gc-guacamole tail -F /tmp/jsslkeylog.txt
[ copy and paste the resultant output and save it to the laptop used
for wireshark ]

On the DC:
user@dc1:~ $ sudo scp /usr/local/samba/private/tls/key.pem wiresharklaptop:tmp/
user@dc1:~ $ sudo tcpdump -n host and port 636 -s16384
 [ capture relevant traffic ]
user@dc1:~ $ scp guacamole.cap wiresharklaptop:tmp/
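For anyone chasing the same error, here is an added Python example (not guacamole's own code) that reproduces the two steps visible in the capture above: building the user-lookup filter with the login name escaped per RFC 4515, and deciding which returned objectName to bind as. The DN normalisation is deliberately simplified, and the directory results are constructed from the DNs quoted in this message.

```python
# Characters that RFC 4515 section 3 requires to be encoded as
# backslash + two hex digits when they appear inside a filter value.
# Escaping matters because the username comes straight from the login form.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return `value` in a form that is safe to embed in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username_attribute: str, username: str) -> str:
    """Build the filter shape seen in the capture:
    (&(objectClass=*)(<attribute>=<username>)), with the user-supplied
    part escaped so it cannot alter the filter's structure."""
    return f"(&(objectClass=*)({username_attribute}={escape_filter_value(username)}))"


def _normalise_dn(dn: str) -> str:
    # Simplified normalisation: lower-case and strip whitespace around commas.
    # Attribute types and DC values are case-insensitive in AD, which is
    # enough for a suffix comparison here.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def select_user_dn(object_names, user_base_dn):
    """Choose the single DN to bind as from the objectName values a search
    returned.  Returns None when the result is not usable: no entry, more
    than one entry under the base (ambiguous), or only entries that lie
    outside the configured LDAP_USER_BASE_DN."""
    base = _normalise_dn(user_base_dn)
    in_scope = [
        dn for dn in object_names
        if _normalise_dn(dn) == base or _normalise_dn(dn).endswith("," + base)
    ]
    if len(in_scope) != 1:
        return None
    return in_scope[0]


if __name__ == "__main__":
    # Constructed sample: the filter and objectName from the capture above.
    print(build_user_filter("sAMAccountName", "testuser"))
    print(select_user_dn(["CN=testuser,OU=Users,OU=myou,DC=mydomain,DC=org"],
                         "dc=mydomain,dc=org"))
```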

