guacamole-user mailing list archives

From Erik Berndt <erikber...@superiorpaving.net>
Subject Re: Configuring LDAP
Date Fri, 01 Dec 2017 19:22:35 GMT
>Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN
o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon
Moen".
>Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN
o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve
Smith".

Are these users able to login successfully? Do they appear in the user list
when logged in to the admin console?

Double check that the ldap-user-base-dn is at the root of the AD structure
and the ldap-search-bind-dn user is correctly qualified. As Mike said, try
fully qualifying the base-dn attribute and post results. It may be that the
ldap-auth module is querying your AD and returning incomplete information
due to this not being fully qualified.

Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

On Fri, Dec 1, 2017 at 1:37 PM, <harry.devine@faa.gov> wrote:

> OK I was able to get it to log in.  Here’s what I changed in my
> guacamole.properties to make it work:
>
> ldap-search-bind-dn:cn="Directory Manager"
>
> ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
>
>
>
> So the user logs in fine, but in /var/log/messages, I get the following
> errors that I’m not sure are relevant or not:
>
> Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO
> o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully
> authenticated from 172.31.26.216.
>
> Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon
> Moen".
>
> Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account:
> "Steve Smith".
>
> Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Could not query list of all users for
> attribute "cn": Error while querying users.
>
>
>
> VERY close now!  Thoughts?
>
> Harry
>
>
>
> *From:* Erik Berndt [mailto:erikberndt@superiorpaving.net]
> *Sent:* Friday, December 01, 2017 12:19 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> I don't know if you paraphrased the config file, but I noticed the
> ldap-search-bind-dn common name doesn't have the space escaped. I wonder if
> guacd is treating the ldap-search-bind-dn cn as two separate entries, hence
> the "Multiple DNs possible" error?
>
>
>
> I'm not sure if it's required or not, but I fully qualified each LDAP
> parameter i.e. ldap-search-bind-dn: CN="Directory
> Manager",OU=foo,DC=faa,DC=gov and it's working successfully for us. The
> search-bind-dn user should be part of the base-dn in case it isn't already.
>
>
>
> The relevant LDAP attributes from our working configuration are below.
>
>
>
> ldap-hostname: dc.local
> ldap-port: 389
> ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net
> ldap-search-bind-dn: CN=guacamole,OU="Information
> Technology",OU=Office,OU="Superior Paving Employees",DC=superiorpaving,
> DC=net
> ldap-search-bind-password: XXXXX
>
>
>
>
>
>
>
> On Fri, Dec 1, 2017 at 11:11 AM, <harry.devine@faa.gov> wrote:
>
> Just wondering if anyone has any ideas on how the LDAP is configured
> below?  This still isn’t working for me and I’d like to know why.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Devine, Harry (FAA)
> *Sent:* Monday, November 27, 2017 1:49 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> Here’s my current /etc/guacamole/guacamole.properties file:
>
>
>
> #MySQL properties
>
> mysql-hostname: localhost
>
> mysql-port:3306
>
> mysql-database: guacdb
>
> mysql-username: guacuser
>
> mysql-password: guacadmin
>
> mysql-default-max-connections-per-user: 0
>
> mysql-default-max-group-connections-per-user:0
>
>
>
> #LDAP properties
>
> ldap-hostname:my.hostname
>
> ldap-port:389
>
> ldap-encryption-method:none
>
> ldap-dereference-aliases:never
>
> ldap-search-bind-dn:cn=Directory Manager
>
> ldap-search-bind-password:pass123
>
> ldap-user-base-dn:dc=example,dc=com
>
> #ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
>
> ldap-username-attribute:cn
>
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
>
>
>
>
> When I use the ldap-username-attribute:cn setting, I get the error where
> the Multiple DNs are what’s being complained about.  If I use the other one
> (the commented out one above), I simply get “Authentication attempted ……
> failed”.  We use the “cn=users,cn=accounts” string in other projects where
> we communicate with our LDAP server, so I’m pretty sure that’s correct.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
> *Sent:* Monday, November 27, 2017 12:38 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Harry, you said you tried "modifying ldap-username-attribute to be
> cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm.
> Ldap-username-attribute should be an LDAP attribute name like cn. Could you
> post your complete (redacted) guacamole.properties as you have it currently?
>
>
>
> Also, I saw that on a previous attempt today you got the log message:
>
>
>
> Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN
> o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user
> "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
> uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
>
>
>
> If you have two users under your search base with uid (or cn, or whatever
> you are using for ldap-username-attribute) "harry.devine" you are going to
> have to use a more specific search base or a more unique
> ldap-username-attribute or a more restrictive search filter so that you
> don't get multiple matches for the username you are typing into the
> username field on the login page.
>
>
>
> I.e., the attribute you match against has to uniquely identify the user
> beneath your search base for your query.
>
>
>
> -Jonathan Hankins
>
>
>
> On Mon, Nov 27, 2017, 10:10 AM Nick Couchman <vnick@apache.org> wrote:
>
> On Mon, Nov 27, 2017 at 10:02 AM, <harry.devine@faa.gov> wrote:
>
> OK, so I tried that, including modifying ldap-username-attribute to be
> cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the
> Developer Tools, and the following error in /var/log/messages:
>
>
>
> Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> xxx.xxx.xxx.xxx for user "harry.devine" failed.
>
>
>
> However, I know that the password is 100% correct.  Where to look now?  I
> feel we’re getting very close.
>
>
>
>
>
> What LDAP server are you running?  You probably mentioned it already
> somewhere in this thread, and I'm going to guess Active Directory, but just
> want to make sure?  If it's OpenLDAP then it is quite possible it is
> configured to disallow logins without some form of encryption (although I
> wouldn't expect the search bind to work in this case, but who knows).  AD
> doesn't usually have those restrictions, but depending on the environment,
> it actually might require encryption, as well.  Other than that, it would
> be useful to get a log from the LDAP server that indicates why it is
> failing authentication - if it believes the password is wrong, or if it is
> throwing some other sort of error.  I realize that you might be in an
> organization where you don't have access to that server or those logs, but,
> if you do, that would be helpful.
>
>
>
> -Nick
>
>
>
>
>
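
The failure mode discussed throughout this thread is that the value typed into the login box, matched against ldap-username-attribute beneath ldap-user-base-dn, has to resolve to exactly one DN. The script below is an added example (editor's code, not Guacamole's and not posted by anyone in the thread) that simulates that lookup over a constructed in-memory directory: a wide search base that spans an accounts tree and a compat tree yields two DNs for the same uid, a narrower base yields one, and a helper reports which attribute values collide under a given base so you can pick an attribute that is unique before users hit "Multiple DNs possible". The entries, the subtree-scope matching and the quoted-value DN handling are assumptions made for the demo and are not a faithful copy of the guacamole-auth-ldap search.

```python
"""
Added example (editor's code, not from the Guacamole project or anyone in
this thread): simulate the LDAP user lookup guacamole-auth-ldap performs
under ldap-user-base-dn and show why a username attribute that is not unique
beneath the search base produces "Multiple DNs possible" and "Possibly
ambiguous user account" warnings. The directory entries are constructed for
this demo and only loosely mirror the DNs in the quoted log lines.
"""
import re


def parse_dn(dn):
    """Split a DN string into (attr, value) RDN pairs, most specific first.

    Attributes and values are lower-cased so comparison is case-insensitive.
    A value wrapped in double quotes, the style used in the thread
    (e.g. OU="Superior Paving Employees"), has the quotes stripped.
    Commas inside quoted values are not handled (assumption: none occur).
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rdns.append((attr.strip().lower(), value.lower()))
    return rdns


def is_under(dn, base_dn):
    """True if dn equals base_dn or lies beneath it (LDAP subtree scope)."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


# Constructed directory: an accounts tree, a "compat" tree that mirrors the
# same person (as the cn=compat DN in the quoted log suggests), and two
# distinct accounts whose cn collides.
DIRECTORY = [
    {"dn": "uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "harry.devine", "cn": "Harry Devine"},
    {"dn": "uid=harry.devine,cn=users,cn=compat,dc=example,dc=com",
     "uid": "harry.devine", "cn": "Harry Devine"},
    {"dn": "uid=jmoen,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "jmoen", "cn": "Jon Moen"},
    {"dn": "uid=jon.moen,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "jon.moen", "cn": "Jon Moen"},
]


def find_user_dns(directory, base_dn, username_attribute, username):
    """Every entry under base_dn whose username attribute equals the login
    name, compared case-insensitively (an equality filter under subtree scope)."""
    attr = username_attribute.lower()
    return [e["dn"] for e in directory
            if is_under(e["dn"], base_dn)
            and e.get(attr, "").lower() == username.lower()]


def resolve_user(directory, base_dn, username_attribute, username):
    """Return (dn, warning). dn is set only when exactly one entry matches;
    otherwise warning carries a message shaped like the ones in the thread."""
    matches = find_user_dns(directory, base_dn, username_attribute, username)
    if len(matches) == 1:
        return matches[0], None
    if not matches:
        return None, 'No DN found for user "%s" under %s' % (username, base_dn)
    return None, 'Multiple DNs possible for user "%s": %s' % (username, matches)


def ambiguous_values(directory, base_dn, username_attribute):
    """Values of username_attribute shared by more than one entry under base_dn,
    mapped to the colliding DNs. Run this before settling on
    ldap-username-attribute: a non-empty result means those users cannot log in."""
    attr = username_attribute.lower()
    seen = {}
    for e in directory:
        if is_under(e["dn"], base_dn) and attr in e:
            seen.setdefault(e[attr].lower(), []).append(e["dn"])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    wide = "dc=example,dc=com"
    narrow = "cn=users,cn=accounts,dc=example,dc=com"
    for base in (wide, narrow):
        print(base, "->", resolve_user(DIRECTORY, base, "uid", "harry.devine"))
        print(base, "cn collisions:", ambiguous_values(DIRECTORY, base, "cn"))
        print(base, "uid collisions:", ambiguous_values(DIRECTORY, base, "uid"))
```

Running it shows the two outcomes from the thread side by side: with the base at dc=example,dc=com the uid harry.devine resolves to both the accounts and the compat entry, and with the base at cn=users,cn=accounts,dc=example,dc=com it resolves to exactly one DN. The collision report also shows why switching the attribute to cn would not help: two different accounts share the cn "Jon Moen" even under the narrow base, which is the same condition behind the "Possibly ambiguous user account" warnings.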
