guacamole-user mailing list archives

From JoelB <nab...@joelbest.ca>
Subject LDAP problems with 1.0.0 (but working with 0.9.14)
Date Fri, 16 Nov 2018 23:02:48 GMT
I'm encountering errors when using LDAP authentication via Active Directory
with the 1.0.0 version from GitHub that aren't present in 0.9.14. I'm using
the Docker images to confirm the problem so hopefully someone can reproduce.
I've been banging my head against this for a while and just cannot find a
thread to pull on.

Here's the process I'm doing to run the 0.9.14 version from Docker Hub (which
works). I've also confirmed this works with a custom-built Docker image of
the 0.9.14 release just in case the Docker Hub version was special in some
way:

docker run --name my-guacd -d guacamole/guacd

docker run --name my-mysql --detach --env="MYSQL_ROOT_PASSWORD=password" mysql

docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > initdb.sql

# Create the database and guacamole_user in MySQL
mysql -uroot -ppassword -h <mysql IP> -P 3306 < create-database.sql

# Initialize database
mysql -uroot -ppassword -h <mysql IP> guacamole_db < initdb.sql

# Run the Guacamole server and associate with MySQL (config storage) and
# LDAP (authentication)
docker run --name my-guacamole --link my-guacd:guacd --link my-mysql:mysql \
    -d -p 8888:8080 \
    -e MYSQL_DATABASE='guacamole_db' \
    -e MYSQL_USER='guacamole_user' \
    -e MYSQL_PASSWORD='password' \
    -e LDAP_HOSTNAME="172.17.0.5" \
    -e LDAP_SEARCH_BIND_DN="CN=mybindname,OU=myou,dc=example,dc=com" \
    -e LDAP_SEARCH_BIND_PASSWORD="bindpassword" \
    -e LDAP_USERNAME_ATTRIBUTE=sAMAccountName \
    -e LDAP_USER_BASE_DN="dc=example,dc=com" \
    guacamole/guacamole

In this example, everything works and I am able to login with an LDAP
account. However, if I do the same example with the Docker image built from
GitHub (docker image build . -t joelb/guacamole-client --no-cache), it fails
and I'm presented with this error:

ERROR
APP.ERROR_PAGE_UNAVAILABLE

I enabled debugging for this scenario and have attached the debug log here:

guacamole-ldap-errors.log
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t755/guacamole-ldap-errors.log>
 

It seems early on that things are going okay:

22:37:13.981 [http-nio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "my-ldap-test-account" successfully authenticated from 172.17.0.1.
22:37:13.981 [http-nio-8080-exec-6] DEBUG o.a.i.t.jdbc.JdbcTransaction - Opening JDBC Connection
22:37:13.981 [http-nio-8080-exec-6] DEBUG o.a.i.d.pooled.PooledDataSource - Checked out connection 162828375 from pool.
22:37:13.981 [http-nio-8080-exec-6] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 162828375 ...
22:37:13.981 [http-nio-8080-exec-6] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 162828375 is GOOD!

On the LDAP server logs, the search also looks successful:

bef4a74 conn=1001 fd=14 ACCEPT from IP=172.17.0.4:38316 (IP=0.0.0.0:389)
5bef4a74 conn=1001 op=0 BIND dn="cn=mybinddn,OU=myou,dc=example,dc=com" method=128
5bef4a74 conn=1001 op=0 BIND dn="cn=mybinddn,OU=myou,dc=example,dc=com" mech=SIMPLE ssf=0
5bef4a74 conn=1001 op=0 RESULT tag=97 err=0 text=
5bef4a74 conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=*)(?SAMACCOUNTNAME=soe-exam50))"
5bef4a74 conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
5bef4a74 conn=1001 op=2 UNBIND
5bef4a74 conn=1001 fd=14 closed


However, later on the process fails with:

WARN  o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.

I noticed referral errors in the logs so I decided to try enabling
ldap-enable-referrals in guacamole.properties by modifying the start.sh file
to read the LDAP_FOLLOW_REFERRALS variable and then restarting my
guacamole-client container:

docker exec -it my-guacamole /bin/bash
# Inside the container: insert an ldap-follow-referrals line right after the
# ldap-config-base-dn line in start.sh
sed -i 's/\(    set_optional_property "ldap-config-base-dn"    "$LDAP_CONFIG_BASE_DN"\)/\1\n    set_optional_property "ldap-follow-referrals"   "$LDAP_FOLLOW_REFERRALS"/' /opt/guacamole/bin/start.sh
exit
docker restart my-guacamole

I then passed "-e LDAP_FOLLOW_REFERRALS=true" to the docker run command.
This led me to get "Invalid Login" errors when logging in with my LDAP
account. The debug log file for this scenario is attached here:

guacamole-ldap-errors_referrals-enabled.log
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t755/guacamole-ldap-errors_referrals-enabled.log>
 

At this point I'm out of ideas and would appreciate if someone could do a
sanity check on my troubleshooting so far. I'm really eager to use the new
LDAP group features in 1.0.0 for a project but this has stopped me dead in
my tracks.

Thanks!
-Joel

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
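A small helper for reading the slapd-style server log quoted in the post above. This is an added example for this thread, not Guacamole's or OpenLDAP's own code. It pairs each conn/op with its RESULT line so you can see which bind or search actually failed, flags any non-zero LDAP result code (err=10 is "referral" per RFC 4511), and points out filter attributes that slapd marks with a leading "?" because it does not recognise the attribute type. The sample log is constructed: it copies the lines from the post and adds one made-up second connection whose search returns a referral, purely to exercise the error path.

```python
"""Correlate slapd connection-log lines (conn=/op=) with their RESULT lines.

Added example for this mailing-list thread; not Guacamole's or OpenLDAP's
own code. SAMPLE_LOG is constructed: the first connection mirrors the lines
quoted in the post, the second (conn=1002) is invented to show a referral.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# slapd "stats" loglevel lines look like:
#   5bef4a74 conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(...)"
#   5bef4a74 conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
LINE_RE = re.compile(r'^(?P<ts>[0-9a-f]+) conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# A few LDAP result codes (RFC 4511) worth naming when debugging a login.
RESULT_NAMES = {0: "success", 10: "referral", 32: "noSuchObject", 49: "invalidCredentials"}

SAMPLE_LOG = """\
5bef4a74 conn=1001 fd=14 ACCEPT from IP=172.17.0.4:38316 (IP=0.0.0.0:389)
5bef4a74 conn=1001 op=0 BIND dn="cn=mybinddn,OU=myou,dc=example,dc=com" method=128
5bef4a74 conn=1001 op=0 BIND dn="cn=mybinddn,OU=myou,dc=example,dc=com" mech=SIMPLE ssf=0
5bef4a74 conn=1001 op=0 RESULT tag=97 err=0 text=
5bef4a74 conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=*)(?SAMACCOUNTNAME=soe-exam50))"
5bef4a74 conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
5bef4a74 conn=1001 op=2 UNBIND
5bef4a74 conn=1001 fd=14 closed
5bef4a80 conn=1002 op=0 BIND dn="cn=mybinddn,OU=myou,dc=example,dc=com" method=128
5bef4a80 conn=1002 op=0 RESULT tag=97 err=0 text=
5bef4a80 conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(sAMAccountName=soe-exam50)"
5bef4a80 conn=1002 op=1 SEARCH RESULT tag=101 err=10 nentries=0 text=
"""


@dataclass
class Operation:
    conn: int
    op: int
    kind: str                      # BIND, SRCH, UNBIND, ...
    attrs: Dict[str, str] = field(default_factory=dict)
    err: Optional[int] = None      # filled in from the RESULT line
    nentries: Optional[int] = None
    undefined_attrs: List[str] = field(default_factory=list)


def parse_slapd_log(lines) -> Dict[Tuple[int, int], Operation]:
    """Merge every line of a conn/op pair into one Operation record."""
    ops: Dict[Tuple[int, int], Operation] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("op") is None:
            continue                     # ACCEPT / closed lines carry no op
        key = (int(m.group("conn")), int(m.group("op")))
        rest = m.group("rest")
        kind = rest.split(" ", 1)[0]
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entry = ops.setdefault(key, Operation(key[0], key[1], kind))
        if kind in ("RESULT", "SEARCH"):  # "RESULT ..." or "SEARCH RESULT ..."
            entry.err = int(kv.get("err", -1))
            if "nentries" in kv:
                entry.nentries = int(kv["nentries"])
        else:
            entry.kind = kind
            entry.attrs.update(kv)
            if "filter" in kv:
                # slapd prefixes attribute types it does not know with '?'
                entry.undefined_attrs += re.findall(r'\(\?(\w+)=', kv["filter"])
    return ops


def diagnose(ops: Dict[Tuple[int, int], Operation]) -> List[str]:
    """Human-readable findings: failed operations and unknown filter attributes."""
    findings = []
    for (conn, op), o in sorted(ops.items()):
        if o.err not in (None, 0):
            name = RESULT_NAMES.get(o.err, "unknown")
            findings.append(f"conn={conn} op={op} {o.kind} failed: err={o.err} ({name})")
        for attr in o.undefined_attrs:
            findings.append(f"conn={conn} op={op} filter uses attribute unknown to the server: {attr}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_slapd_log(SAMPLE_LOG.splitlines())):
        print(finding)
```

Run it against a real slapd log with `parse_slapd_log(open(path))`; the "unknown attribute" finding on the first connection is the one to compare with the `LDAP_USERNAME_ATTRIBUTE` setting, and any err=10 result is where following referrals would change behaviour.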
