From: Jonathan Hunter
Date: Sat, 1 Apr 2017 08:46:24 +0100
Subject: LDAP authentication - "Error while query user DNs"
To: user@guacamole.incubator.apache.org

Hi,

I'm setting up guacamole for the first time, using the docker images, and have been very impressed with the whole application - thanks to all the dev team! The fact that this can work at all, in a web browser using HTML, still feels like black magic to me :)

However I'm trying to progress beyond using the 'guacadmin' user, so I'm trying to set up LDAP authentication (I'm using samba4 AD).

My docker run command is pasted in below (sanitised); this works fine with the guacadmin user until I add the LDAP details, at which point whenever I try to log in with an LDAP user, I get the following in the guacamole logs (as viewed with '# docker logs -f gc-guacamole'):

3:06:51.671 [http-nio-8080-exec-3] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.
23:06:51.672 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.5.10] for user "testuser" failed.

I checked the LDAP bind details using ldapsearch; these worked fine.

I then tried wireshark to capture the LDAP traffic to check what was actually being queried. Details of how I captured the traffic are below, in case this helps others in a similar situation, but I can confirm that guacamole asks for:

baseObject: dc=mydomain,dc=org
scope: wholeSubtree (2)
Filter: (&(objectClass=*)(sAMAccountName=testuser))

and the LDAP server responds with:

objectName: CN=testuser,OU=Users,OU=myou,DC=mydomain,DC=org
attributes: 34 items
[...]

So, I'm not too sure why guacamole is reporting 'Error while query user DNs'. I've had a look through the code at https://github.com/apache/incubator-guacamole-client/blob/master/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java and I can't see what might be wrong.
As far as I can tell, guacamole is asking for a user DN and one is being returned - so I'm not sure where the error is. Perhaps I've missed out some other LDAP setting? Can anyone point me in the right direction of what I could check next? This is my first time setting this up, so unfortunately I don't have a "known good" configuration yet :(

Once this is working, I'll see if I can figure out a way to specify more than one LDAP server (I have multiple DCs), use groups, etc. etc. - but first steps first :)

Thanks,

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein


My docker command (copied and pasted, but sanitised):

# docker run --restart=always \
    --name gc-guacamole --link gc-guacd:guacd \
    -e MYSQL_HOSTNAME=192.168.2.3 \
    -e MYSQL_DATABASE=guacamole_db \
    -e MYSQL_USER=guacamole_user \
    -e MYSQL_PASSWORD=thedatabasepassword \
    -e LDAP_HOSTNAME=dc1.mydomain.org \
    -e LDAP_USER_BASE_DN=dc=mydomain,dc=org \
    -e LDAP_SEARCH_BIND_DN=cn=guacamole,cn=Users,dc=mydomain,dc=org \
    -e LDAP_SEARCH_BIND_PASSWORD=thecorrectpassword \
    -e LDAP_USERNAME_ATTRIBUTE=sAMAccountName \
    -e LDAP_ENCRYPTION_METHOD=ssl \
    -d -p 80:8080 glyptodon/guacamole

docker exec -i gc-guacamole /bin/bash -c 'cat > /tmp/mycaca.crt' < /var/www/html/myca/mycaca.crt
docker exec -i gc-guacamole keytool -importcert -file /tmp/mycaca.crt -noprompt -keystore /etc/ssl/certs/java/cacerts -storepass changeit


My method of capturing SSL LDAP traffic from samba4 was roughly as follows:

In the guacamole docker container, set up jSSLKeyLog, otherwise we are defeated by Perfect Forward Secrecy (samba4 now insists on strong SSL by default, post Badlock patches):

[root@server ~]# docker exec -it gc-guacamole bash
apt-get install vim
wget "https://downloads.sourceforge.net/project/jsslkeylog/jsslkeylog-1.1/jSSLKeyLog-1.1.zip?r=http%3A%2F%2Fjsslkeylog.sourceforge.net%2F&ts=1491004374&use_mirror=netcologne"
unzip jSSLKeyLog-1.1.zip*
vi /usr/local/tomcat/bin/catalina.sh

Add:

CATALINA_OPTS="-javaagent:/usr/local/tomcat/jSSLKeyLog.jar=/tmp/jsslkeylog.txt"

Then restart the docker container, and

[root@server ~]# docker exec -it gc-guacamole tail -F /tmp/jsslkeylog.txt

[ copy and paste the resultant output and save it to the laptop used for wireshark ]

On the DC:

user@dc1:~ $ sudo scp /usr/local/samba/private/tls/key.pem wiresharklaptop:tmp/
user@dc1:~ $ sudo tcpdump -n host 192.168.2.4 and port 636 -s16384 -w guacamole.cap
[ capture relevant traffic ]
user@dc1:~ $ scp guacamole.cap wiresharklaptop:tmp/
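Added diagnostic script (not part of the original post or of Guacamole itself): it repeats, with the OpenLDAP client tools over LDAPS, the two LDAP steps the failing login depends on: the search-account bind plus user-DN lookup using the exact filter seen in the capture, and then the bind as the returned DN with the user's own password, which Guacamole performs after the lookup. The hostnames, DNs and CA path are the sanitised values from the post and are assumptions to override; the RFC 4515 filter escaping is an added hardening the post does not mention.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): repeat Guacamole's LDAP user lookup
# and the user's own bind with the OpenLDAP client tools, over LDAPS with the same CA.
# Values below are the sanitised ones from the post; override them via the environment.
set -eu

LDAP_HOSTNAME="${LDAP_HOSTNAME:-dc1.mydomain.org}"
LDAP_USER_BASE_DN="${LDAP_USER_BASE_DN:-dc=mydomain,dc=org}"
LDAP_SEARCH_BIND_DN="${LDAP_SEARCH_BIND_DN:-cn=guacamole,cn=Users,dc=mydomain,dc=org}"
LDAP_SEARCH_BIND_PASSWORD="${LDAP_SEARCH_BIND_PASSWORD:-}"
LDAP_USERNAME_ATTRIBUTE="${LDAP_USERNAME_ATTRIBUTE:-sAMAccountName}"
LDAP_CA_CERT="${LDAP_CA_CERT:-/var/www/html/myca/mycaca.crt}"   # assumed path, as in the post
LDAP_URI="ldaps://$LDAP_HOSTNAME:636"

# Escape a value for use inside an LDAP filter (RFC 4515): backslash first, then
# the metacharacters, so a username like 'a)(cn=*' cannot widen the search.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter Guacamole was seen sending in the capture, with the username escaped.
build_user_filter() {
    printf '(&(objectClass=*)(%s=%s))\n' "$LDAP_USERNAME_ATTRIBUTE" "$(ldap_filter_escape "$1")"
}

# Step 1: bind with the search account and resolve the user's DN (the part the
# poster already confirmed with ldapsearch). Prints the DN, or nothing if not found.
lookup_user_dn() {
    LDAPTLS_CACERT="$LDAP_CA_CERT" ldapsearch -LLL -x -H "$LDAP_URI" \
        -D "$LDAP_SEARCH_BIND_DN" -w "$LDAP_SEARCH_BIND_PASSWORD" \
        -b "$LDAP_USER_BASE_DN" -s sub "$(build_user_filter "$1")" dn \
        | sed -n 's/^dn: //p'
}

# Step 2: bind as that DN with the user's password, the bind Guacamole performs
# after the lookup; ldapwhoami reports the authorization identity on success.
check_user_bind() {
    dn="$(lookup_user_dn "$1")"
    if [ -z "$dn" ]; then
        echo "no DN returned for user '$1' under $LDAP_USER_BASE_DN" >&2
        return 1
    fi
    echo "resolved DN: $dn"
    LDAPTLS_CACERT="$LDAP_CA_CERT" ldapwhoami -x -H "$LDAP_URI" -D "$dn" -w "$2"
}

# Usage: LDAP_SEARCH_BIND_PASSWORD=... LDAP_USER_PASSWORD=... sh check-ldap.sh testuser
if [ "$#" -eq 1 ]; then
    check_user_bind "$1" "${LDAP_USER_PASSWORD:?set LDAP_USER_PASSWORD}"
fi
```

A DN that comes back from step 1 while step 2 fails narrows the problem to the user bind (password, account restrictions, or the CA trust of the LDAPS connection) rather than the search.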