guacamole-user mailing list archives

From Ferron Nijland - Switch IT Solutions <f.nijl...@switch.nl>
Subject RE: LDAP Guacamole 9.14
Date Mon, 05 Feb 2018 08:08:08 GMT
Hello Mike,
Thanks for all the information!
After reading your mail thoroughly I moved the LDAP extension to the /etc/guacamole/extensions
folder.
After restarting everything worked 😊 I’ve also cleaned my guacamole.properties, so there
are no more deprecated properties.

- Ferron Nijland



From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Friday, February 2, 2018 18:29
To: user@guacamole.apache.org
Subject: Re: LDAP Guacamole 9.14

On Fri, Feb 2, 2018 at 5:25 AM, Ferron Nijland - Switch IT Solutions <f.nijland@switch.nl> wrote:
Hello Everyone,


Hello Ferron,

I’ve installed a new installation of Guacamole 9.14.
I can access the GUI and login with sql authentication.
Now I’ve added LDAP authentication, but it doesn’t seem to work.
The guacd service starts without problems, so I’ve no idea where to look.


guacd actually has nothing to do with the authentication mechanism in use; it handles only
the low-level remote desktop connection. If the LDAP authentication isn't working for you,
the first thing to check would be the logs from the web application. Assuming you are using
Tomcat, these will be logged to Tomcat's logs, most likely "catalina.out".

My guacamole.properties in /etc/guacamole is like:

# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

Beware that these property values are actually the defaults. Having them will not hurt anything,
but Guacamole will assume these values if these properties are omitted.


# Location to read extra .jar's from
lib-directory:  /etc/guacamole/lib

The "lib-directory" property has actually been deprecated since 0.9.7, and as of 0.9.10-incubating
no longer has any effect:

http://guacamole.apache.org/releases/0.9.10-incubating/#removal-of-deprecated-lib-directory-and-auth-provider-properties

The lib directory used by Guacamole is now always GUACAMOLE_HOME/lib/, which matches the value
you are trying to use here.


# Authentication provider class
#auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider


Like the "lib-directory" property, the "auth-provider" property has been deprecated since
0.9.7 and as of 0.9.10-incubating no longer has any effect:

http://guacamole.apache.org/releases/0.9.10-incubating/#removal-of-deprecated-lib-directory-and-auth-provider-properties

In prior releases which followed 0.9.7, attempting to use this property would have resulted
in a warning in the logs. With the property having now been fully removed, it is simply silently
ignored. The authentication mechanism in use is dictated purely by the extensions installed
within GUACAMOLE_HOME/extensions/.

#LDAP Properties
ldap-hostname: 10.75.10.12
ldap-port: 3268
ldap-user-base-dn: DC=domain,DC=local
ldap-search-bind-dn: CN=sa_ ldap_guac,OU=Service Accounts,DC=domain,DC=local
ldap-search-bind-password: password
ldap-username-attribute: sAMAccountName


Depending on what you see in the Tomcat logs from Guacamole, I suggest trying a few searches
against your LDAP directory, binding to the LDAP directory using the search DN and password
you've specified here, making sure you can execute queries against the "DC=domain,DC=local"
tree. If you cannot execute such searches, that is probably why things are failing, and there
should be corresponding errors in the logs.

# Properties used by BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml

The "basic-user-mapping" property has been deprecated since 0.9.10-incubating:

http://guacamole.apache.org/releases/0.9.10-incubating/#deprecation-of-the-basic-user-mapping-property

Its use would have resulted in a warning regarding its deprecation in the logs. Though still
supported in 0.9.14, support for this property has recently been removed entirely. It will
no longer be supported in future releases:

https://issues.apache.org/jira/browse/GUACAMOLE-494

- Mike
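
As an added example (not part of the original thread and not Guacamole project code), the checks described in the reply can be scripted: flag properties that 0.9.14 ignores or deprecates, values that only restate the defaults, and ldap-* settings with no LDAP extension present in GUACAMOLE_HOME/extensions/. The function names, finding labels and the file-name match on "ldap" are assumptions made for this sketch.

```python
import re

# Statuses as stated in the reply above (behaviour as of 0.9.14).
IGNORED = {"lib-directory", "auth-provider"}   # no effect since 0.9.10-incubating
DEPRECATED = {"basic-user-mapping"}            # deprecated since 0.9.10-incubating
DEFAULTS = {"guacd-hostname": "localhost", "guacd-port": "4822"}

# Constructed sample: properties quoted in this thread (bind credentials left out).
SAMPLE = """\
guacd-hostname: localhost
guacd-port:     4822
lib-directory:  /etc/guacamole/lib
#auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
ldap-hostname: 10.75.10.12
ldap-port: 3268
ldap-user-base-dn: DC=domain,DC=local
ldap-username-attribute: sAMAccountName
basic-user-mapping: /etc/guacamole/user-mapping.xml
"""

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!:=\s][^:=\s]*)\s*[:=]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text, extension_files):
    """Return (property, finding) pairs; extension_files lists GUACAMOLE_HOME/extensions/."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        if key in IGNORED:
            findings.append((key, "ignored"))
        elif key in DEPRECATED:
            findings.append((key, "deprecated"))
        elif DEFAULTS.get(key) == value:
            findings.append((key, "default"))
    # ldap-* settings do nothing unless an LDAP extension .jar is installed.
    # Assumption: the extension's file name contains "ldap".
    has_ldap_jar = any("ldap" in f.lower() and f.endswith(".jar") for f in extension_files)
    if any(k.startswith("ldap-") for k in props) and not has_ldap_jar:
        findings.append(("ldap-*", "no-extension"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(SAMPLE, []):
        print(f"{key}: {finding}")
```

Pass the real file contents and `os.listdir()` of the extensions directory in place of the constructed sample and the empty list.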
