guacamole-user mailing list archives

From Jonathan Hankins <jhank...@homewood.k12.al.us>
Subject Re: Configuring LDAP
Date Mon, 27 Nov 2017 14:48:54 GMT
Harry,

Can you try ldapsearch from the command line against your LDAP server with
the same parameters you're using with guacamole and see if your bind still
fails?

On Mon, Nov 27, 2017, 9:32 AM <harry.devine@faa.gov> wrote:

> OK, I just tried it again with both 389/none and 636/ssl for those
> parameters, and both times I get the following errors:
>
> Nov 27 09:30:31 access server: 09:30:31.838 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> "cn=Directory Manager,dc=example,dc=com"
>
> Nov 27 09:30:31 access server: 09:30:31.839 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
> Thanks,
>
> Harry
>
> *From:* Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
> *Sent:* Monday, November 27, 2017 9:27 AM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
> Harry, if you are using ldap-port:636, you probably need to specify:
>
> ldap-encryption-method: ssl
>
> I believe the default is "none".
>
> Assuming you are able to temporarily configure your LDAP server to allow
> unencrypted binds (if it isn't already), you may want to test with
> ldap-port: 389 and ldap-encryption-method: none to make sure you have all
> of your LDAP settings correct before enabling encryption, then tackle the
> encryption.
>
> -Jonathan Hankins
>
> On Mon, Nov 27, 2017, 8:23 AM <harry.devine@faa.gov> wrote:
>
> I just got back into the office and tried what you suggested. Whenever I
> don’t have quotes around the ldap-search-bind-dn value, the login button
> doesn’t seem to respond. In the Network tab in Chrome’s Developer Tools,
> the /guacamole/api/tokens call always shows “(pending)” as the status
> instead of 200 or 403.
>
> Here’s what I have for my LDAP values in guacamole.properties (again,
> masking out the real values):
>
> ldap-hostname:ldap.hostname
> ldap-port:636
> ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
> ldap-search-bind-password:pass123
> ldap-user-base-dn:dc=example,dc=com
> ldap-username-attribute:cn
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
> Thanks,
>
> Harry
>
> *From:* Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
> *Sent:* Wednesday, November 22, 2017 1:41 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
> Harry,
>
> I believe you need to fully qualify your ldap-search-bind-dn:
>
> ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com
>
> And your ldap-username-attribute should be the name of an ldap attribute
> that you want to match usernames against, such as cn:
>
> ldap-username-attribute: cn
>
> Also, unsure if the config you posted was pseudo-code, but the
> guacamole.properties file should look like:
>
> varname: this is the value to end of line
>
> See my examples above.
>
> -Jonathan Hankins
>
> On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <
> richard.hawkins@medctrbarbour.org> wrote:
>
> Restart tomcat
>
> service tomcat restart
>
> tail -f /var/log/messages
>
> Authenticated
>
> *From:* harry.devine@faa.gov [mailto:harry.devine@faa.gov]
> *Sent:* Tuesday, November 21, 2017 2:01 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Configuring LDAP
>
> OK, took me a little bit to weed through some OpenLDAP config issues (it
> wasn’t installed on the server I have guacamole installed on; didn’t
> realize that at first), but I got the ldapsearch working. So I re-enabled
> the LDAP parameters and tried again. The page shows “Invalid Login”, but
> the following is displayed in the /var/log/messages:
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server:
> Connect Error
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> ""cn=My User""
>
> Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
> I have the LDAP parameters defined as follows in guacamole properties (I
> am masking the usernames and such):
>
> ldap-hostname="my-host"
> ldap-port=636
> ldap-search-bind-dn="cn=My User"
> ldap-search-bind-password="Pass123"
> ldap-user-base-dn="dc=my,dc=example,dc=com"
> ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
> ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
>
> Ideas?
>
> Harry
>
> *From:* Nick Couchman [mailto:vnick@apache.org]
> *Sent:* Tuesday, November 21, 2017 9:20 AM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
> On Tue, Nov 21, 2017 at 8:10 AM, <harry.devine@faa.gov> wrote:
>
> I set SELinux to permissive and put the LDAP extension back (it's under
> /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and
> tried to log in using an LDAP user. I click Login and on the Network tab, it
> shows tokens (/guacamole/api/tokens) as having a “pending” status. Never
> gets any further.
>
> Okay...on the system where you're running Tomcat, can you make sure the
> OpenLDAP client utilities are installed and then use "ldapsearch" to query
> the same LDAP server that you're trying to use in Guacamole? Something
> like this:
>
> ldapsearch -H ldap://<server> -D <Search User> -W -b <base dn> cn=<Some User In LDAP>
>
> ...substituting in the above parameters and make sure you get a response?
>
> -Nick
>
>
> This e-mail is intended only for the recipient and may contain
> confidential or proprietary information. If you are not the intended
> recipient, the review, distribution, duplication or retention of this
> message and its attachments is prohibited. Please notify the sender of this
> error immediately by reply e-mail, and permanently delete this message and
> its attachments in any form in which they may have been preserved.
>
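
A small checker for the configuration problems this thread walks through (quoted values that a properties parser keeps as part of the value, an ldap-search-bind-dn that is not fully qualified, a DN pasted into ldap-username-attribute, and ldap-port 636 without ldap-encryption-method: ssl). This is an added example, not code from the Guacamole project or from anyone on the list. It assumes the plain `key: value` / `key=value` syntax Jonathan describes, with no escapes or line continuations, takes "none" as the default encryption method on his word, and embeds Harry's two masked configurations from the thread as sample input.

```python
"""Lint the LDAP settings of a guacamole.properties-style file.

Added example for this thread; not code from the Guacamole project. It flags
quoted values, an unqualified search bind DN, a DN where an attribute name is
expected, and port 636 used without ldap-encryption-method: ssl.
"""
import re
from typing import Dict, List

# Properties syntax as described on the thread: key up to the first ':' or
# '=', value to end of line. Escapes/continuations are not handled (assumed
# not needed for guacamole.properties).
_LINE_RE = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[:=]\s*(.*?)\s*$")
# A DN: one or more "attr=value" RDNs separated by commas (no escaping).
_DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(?:,[A-Za-z][\w-]*=[^,]+)*$")
# A bare attribute name such as cn.
_ATTR_RE = re.compile(r"^[A-Za-z][\w;-]*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Return key/value pairs, skipping blank lines and #/! comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        match = _LINE_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def _quoted(value: str) -> bool:
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"


def lint_ldap_settings(props: Dict[str, str]) -> List[str]:
    """Return one finding per problem in the ldap-* settings (empty = clean)."""
    findings: List[str] = []
    clean: Dict[str, str] = {}
    for key, value in props.items():
        if not key.startswith("ldap-"):
            continue
        if _quoted(value):
            # The parser keeps the quotes, so the bind DN sent to the server
            # would literally start with a quote character.
            findings.append(f"{key}: quotes become part of the value; remove them")
            value = value[1:-1]
        clean[key] = value

    bind_dn = clean.get("ldap-search-bind-dn")
    if bind_dn is not None:
        if not _DN_RE.match(bind_dn):
            findings.append("ldap-search-bind-dn: not a valid DN")
        elif "," not in bind_dn:
            findings.append("ldap-search-bind-dn: not fully qualified; use the full DN, "
                            "e.g. cn=My User,dc=my,dc=example,dc=com")

    for key in ("ldap-user-base-dn", "ldap-group-base-dn"):
        dn = clean.get(key)
        if dn is not None and not _DN_RE.match(dn):
            findings.append(f"{key}: not a valid DN")

    attr = clean.get("ldap-username-attribute")
    if attr is not None and not _ATTR_RE.match(attr):
        findings.append("ldap-username-attribute: expected an attribute name such as cn, not a DN")

    # "none" is the default encryption method according to the thread.
    method = clean.get("ldap-encryption-method", "none")
    if clean.get("ldap-port") == "636" and method != "ssl":
        findings.append("ldap-port: 636 is the LDAPS port but ldap-encryption-method is "
                        f"'{method}'; set ldap-encryption-method: ssl")
    return findings


def lint_text(text: str) -> List[str]:
    """Parse and lint a properties file given as a string."""
    return lint_ldap_settings(parse_properties(text))


# Harry's two configurations as posted on the thread (values masked by him).
FIRST_ATTEMPT = """\
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
"""

SECOND_ATTEMPT = """\
ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
"""

if __name__ == "__main__":
    for name, text in (("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT)):
        print(name)
        for finding in lint_text(text):
            print("  -", finding)
```

Run against the first config it reports nine findings (six quoted values, the single-RDN bind DN, the DN in ldap-username-attribute, and 636 without ssl); against the second config only the 636/ssl mismatch remains, and adding `ldap-encryption-method: ssl` clears it. A check like this is worth running before the `ldapsearch` test Jonathan and Nick suggest, since it catches the errors that never reach the server at all.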
