guacamole-user mailing list archives

From <harry.dev...@faa.gov>
Subject RE: Configuring LDAP
Date Mon, 27 Nov 2017 13:23:00 GMT
I just got back into the office and tried what you suggested.  Whenever I don’t have quotes
around the ldap-search-bind-dn value, the login button doesn’t seem to respond.  In the
Network tab in Chrome’s Developer Tools, the /guacamole/api/tokens call always shows “(pending)”
as the status instead of 200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking out the real
values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
Sent: Wednesday, November 22, 2017 1:41 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that you want to
match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the guacamole.properties file should
look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <richard.hawkins@medctrbarbour.org> wrote:

Restart tomcat:

service tomcat restart

tail -f /var/log/messages

Authenticated



From: harry.devine@faa.gov [mailto:harry.devine@faa.gov]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t installed
on the server I have guacamole installed on; didn’t realize that at first), but I got the
ldapsearch working.  So I re-enabled the LDAP parameters and tried again.  The page shows
“Invalid Login”, but the following is displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService
- Unable to connect to LDAP server: Connect Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR o.a.g.a.l.AuthenticationProviderService
- Unable to bind using search DN ""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService
- Authentication attempt from 172.31.26.216 for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am masking the usernames
and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, <harry.devine@faa.gov> wrote:
I set SELinux to permissive and put the LDAP extension back (its under /usr/share/tomcat/.guacamole/extensions),
restarted tomcat and guacd, and try to log in using an LDAP user.  I click Login and on the
Network tab, it shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never
gets any further.


Okay...on the system where you're running Tomcat, can you make sure the OpenLDAP client utilities
are installed and then use "ldapsearch" to query the same LDAP server that you're trying to
use in Guacamole?  Something like this:

ldapsearch -H ldap://<server> -D <Search User> -W -b <base dn> cn=<Some User In LDAP>

...substituting the above parameters, and make sure you get a response?

-Nick

This e-mail is intended only for the recipient and may contain confidential or proprietary information. If you are not the intended recipient, the review, distribution, duplication or retention of this message and its attachments is prohibited. Please notify the sender of this error immediately by reply e-mail, and permanently delete this message and its attachments in any form in which they may have been preserved.
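The thread turns on three things: guacamole.properties values are taken literally to end of line (so quotes become part of the value), ldap-search-bind-dn must be a full DN and ldap-username-attribute an attribute name, and the same bind should be tried with ldapsearch from the Tomcat host before blaming Guacamole. The script below is an added example, not code from the thread or from Apache Guacamole: it parses a properties file the way java.util.Properties does, flags those mistakes, and builds the equivalent ldapsearch command. The two sample configs are constructed from the masked values posted above (hostnames, DNs and the password are placeholders). It assumes the ldap-* property names used in the thread plus guacamole-auth-ldap's ldap-encryption-method property (none, ssl or starttls); the check that port 636 needs ldap-encryption-method: ssl is a plausible reason for the "Connect Error" in the log, not something the thread confirms.

```python
"""Lint the LDAP settings in a guacamole.properties file and build the
matching ldapsearch bind test.  Added example (not from the thread or from
Apache Guacamole); property names are assumed from the thread and the
guacamole-auth-ldap documentation."""
import re
import shlex

# Constructed sample: the quoted, '='-separated config posted in the thread.
BROKEN_CONFIG = """\
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
"""

# Constructed sample: the corrected form (placeholder host, DN and password).
FIXED_CONFIG = """\
ldap-hostname: ldap.example.com
ldap-port: 636
ldap-encryption-method: ssl
ldap-search-bind-dn: cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password: pass123
ldap-user-base-dn: dc=example,dc=com
ldap-username-attribute: cn
ldap-group-base-dn: cn=groups,cn=accounts,dc=example,dc=com
"""

# java.util.Properties: key runs to the first ':', '=' or whitespace, an
# optional separator follows, and the value is the rest of the line verbatim.
LINE_RE = re.compile(r'([^:=\s]+)\s*[:=]?\s*(.*)')


def parse_properties(text):
    """Parse properties text into a dict; quotes are kept, as Guacamole keeps them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def strip_quotes(value):
    """Return the value an admin *meant*, i.e. without a surrounding quote pair."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        return v[1:-1]
    return v


def lint_ldap_properties(props):
    """Return (key, message) findings for the mistakes seen in the thread."""
    findings = []
    for key, value in props.items():
        if key.startswith("ldap-") and strip_quotes(value) != value.strip():
            findings.append((key, "value is quoted; Guacamole keeps the quotes as part of the value"))
    bind_dn = strip_quotes(props.get("ldap-search-bind-dn", ""))
    if bind_dn and "," not in bind_dn:
        findings.append(("ldap-search-bind-dn",
                         "not a full DN; qualify it with the suffix, e.g. cn=...,dc=example,dc=com"))
    attr = strip_quotes(props.get("ldap-username-attribute", ""))
    if "=" in attr:
        findings.append(("ldap-username-attribute",
                         "looks like a DN; it must be an attribute name such as cn or uid"))
    port = strip_quotes(props.get("ldap-port", "389"))
    enc = strip_quotes(props.get("ldap-encryption-method", "none")).lower()
    if port == "636" and enc != "ssl":
        findings.append(("ldap-encryption-method",
                         "port 636 is LDAPS; set ldap-encryption-method: ssl (plaintext LDAP to 636 fails to connect)"))
    elif enc == "none":
        findings.append(("ldap-encryption-method",
                         "bind password crosses the network in cleartext; use starttls, or ssl on 636"))
    return findings


def ldapsearch_command(props, username):
    """Build the ldapsearch bind test suggested in the thread from the parsed properties."""
    host = strip_quotes(props["ldap-hostname"])
    port = strip_quotes(props.get("ldap-port", "389"))
    enc = strip_quotes(props.get("ldap-encryption-method", "none")).lower()
    scheme = "ldaps" if enc == "ssl" else "ldap"
    args = ["ldapsearch"]
    if enc == "starttls":
        args.append("-ZZ")          # require StartTLS, fail otherwise
    args += ["-H", f"{scheme}://{host}:{port}",
             "-D", strip_quotes(props["ldap-search-bind-dn"]), "-W",
             "-b", strip_quotes(props["ldap-user-base-dn"]),
             f"{strip_quotes(props['ldap-username-attribute'])}={username}"]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        props = parse_properties(text)
        print(f"[{name}]")
        for key, msg in lint_ldap_properties(props) or [("ok", "no findings")]:
            print(f"  {key}: {msg}")
        print("  " + ldapsearch_command(props, "harry.devine"))
```

Run it against a real guacamole.properties (replace the constructed samples with open(...).read()) and paste the printed ldapsearch line into a shell on the Tomcat host; the -W prompt keeps the bind password out of the process list and shell history, which is also why the password should not be passed with -w in a script.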