guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <harry.dev...@faa.gov>
Subject RE: Configuring LDAP
Date Fri, 01 Dec 2017 18:37:35 GMT
OK I was able to get it to log in.  Here’s what I changed in my guacamole.properties to make
it work:
ldap-search-bind-dn:cn=”Directory Manager”
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com

So the user logs in fine, but in /var/log/messages, I get the following errors that I’m
not sure are relevant or not:
Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService
- User "harry.devine" successfully authenticated from 172.31.26.216.
Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService
- Possibly ambiguous user account: "Jon Moen".
Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService
- Possibly ambiguous user account: "Steve Smith".
Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN  o.a.g.auth.ldap.user.UserService
- Could not query list of all users for attribute "cn": Error while querying users.

VERY close now!  Thoughts?
Harry

From: Erik Berndt [mailto:erikberndt@superiorpaving.net]
Sent: Friday, December 01, 2017 12:19 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

I don't know if you paraphrased the config file, but I noticed the ldap-search-bind-dn common
name doesn't have the space escaped. I wonder if guacd is treating the ldap-search-bind-dn
cn as two separate entries, hence the "Multiple DNs possible" error?

I'm not sure if it's required or not, but I fully qualified each LDAP parameter i.e. ldap-search-bind-dn:
CN="Directory Manager",OU=foo,DC=faa,DC=gov" and it's working successfully for us. The search-bind-dn
user should be part of the base-dn in case it isn't already.

The relevant LDAP attributes from our working configuration are below.

ldap-hostname: dc.local
ldap-port: 389
ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-dn: CN=guacamole,OU="Information Technology",OU=Office,OU="Superior Paving
Employees",DC=superiorpaving,DC=net
ldap-search-bind-password: XXXXX


Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net<mailto:FixIT@superiorpaving.net>

On Fri, Dec 1, 2017 at 11:11 AM, <harry.devine@faa.gov<mailto:harry.devine@faa.gov>>
wrote:
Just wondering if anyone has any ideas on how the LDAP is configured below?  This still isn’t
working for me and I’d like to know why.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 27, 2017 1:49 PM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: RE: Configuring LDAP

Here’s my current /etc/guacamole/guacamole.properties file:

#MySQL properties
mysql-hostname: localhost
mysql-port:3306
mysql-database: guacdb
mysql-username: guacuser
mysql-password: guacadmin
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user:0

#LDAP properties
ldap-hostname:my.hostname
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn=Directory Manager
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
#ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com


When I use the ldap-username-attribute:cn setting, I get the error where the Multiple DNs
are what’s being complained about.  If I use the other one (the commented out one above),
I simply get “Authentication attempted …… failed”.  We use the “cn=users,cn=accounts”
string in other projects where we communicate with our LDAP server, so I’m pretty sure that’s
correct.

Thanks,
Harry

From: Jonathan Hankins [mailto:jhankins@homewood.k12.al.us]
Sent: Monday, November 27, 2017 12:38 PM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: Re: Configuring LDAP

Harry, you said you tried "modifying ldap-username-attribute to be cn=users,cn=accounts,dc=example,dc=com"
- just wanted to confirm. Ldap-username-attribute should be an LDAP attribute name like cn.
Could you post your complete (redacted) guacamole.properties as you have it currently?

Also, I saw that on a previous attempt today you got the log message:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN o.a.g.a.l.AuthenticationProviderService
- Multiple DNs possible for user "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]

If you have two users under your search base with uid (or cn, or whatever you are using for
ldap-username-attribute) "harry.devine" you are going to have to use a more specific search
base or a more unique ldap-username-attribute or a more restrictive search filter so that
you don't get multiple matches for the username you are typing into the username field on
the login page.

I.e., the attribute you match against has to uniquely identify the user beneath your search
base for your query.

-Jonathan Hankins

On Mon, Nov 27, 2017, 10:10 AM Nick Couchman <vnick@apache.org<mailto:vnick@apache.org>>
wrote:
On Mon, Nov 27, 2017 at 10:02 AM, <harry.devine@faa.gov<mailto:harry.devine@faa.gov>>
wrote:
OK, so I tried that, including modifying ldap-username-attribute to be cn=users,cn=accounts,dc=example,dc=com,
and now I get a 403 error in the Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService
- Authentication attempt from xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel we’re getting
very close.


What LDAP server are you running?  You probably mentioned it already somewhere in this thread,
and I'm going to guess Active Directory, but just want to make sure?  If it's OpenLDAP then
it is quite possible it is configured to disallow logins without some form of encryption (although
I wouldn't expect the search bind to work in this case, but who knows).  AD doesn't usually
have those restrictions, but depending on the environment, it actually might require encryption,
as well.  Other than that, it would be useful to get a log from the LDAP server that indicates
why it is failing authentication - if it believes the password is wrong, or if it is throwing
some other sort of error.  I realize that you might be in an organization where you don't
have access to that server or those logs, but, if you do, that would be helpful.

-Nick

This e-mail is intended only for the recipient and may contain confidential or proprietary information. If you are not the intended recipient, the review, distribution, duplication or retention of this message and its attachments is prohibited. Please notify the sender of this error immediately by reply e-mail, and permanently delete this message and its attachments in any form in which they may have been preserved.

Mime
View raw message