guacamole-user mailing list archives

From Philip Herbert <m...@pherbert.de>
Subject Re: ldap groups in 1.0.0 RC1
Date Sun, 13 Jan 2019 20:29:42 GMT
For some reason I do not understand, I cannot enable debug logging.
I have added the logback.xml to /etc/gucamamole (where guacamole.properties is located).

Startup in catalina.out shows

Loading logback configuration from "/usr/share/tomcat7/.guacamole/logback.xml

(this file is either copied or contains the same information), however I only get info level
logging.

What am I doing wrong?
(see appended startup messages)

Regarding https://issues.apache.org/jira/browse/GUACAMOLE-696

group base-dn is set to the root of the directory, I think this should cause matching groups
…?

Thanks a lot

--Philip




INFO: Starting Servlet Engine: Apache Tomcat/7.0.68 (Ubuntu)
Jan 13, 2019 9:21:48 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /var/lib/tomcat7/webapps/guacamole.war
Jan 13, 2019 9:21:49 PM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for
this logger for a complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
21:21:49.364 [localhost-startStop-1] INFO  o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME
is "/usr/share/tomcat7/.guacamole".
21:21:49.425 [localhost-startStop-1] INFO  o.a.g.rest.auth.HashTokenSessionMap - Sessions
will expire after 60 minutes of inactivity.
21:21:49.489 [localhost-startStop-1] INFO  org.apache.guacamole.log.LogModule - Loading logback
configuration from "/usr/share/tomcat7/.guacamole/logback.xml".
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.RESTExceptionMapper as a provider class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.extension.ExtensionRESTService as a root resource
class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.language.LanguageRESTService as a root resource
class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.patch.PatchRESTService as a root resource class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.auth.TokenRESTService as a root resource class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.session.SessionRESTService as a root resource
class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.codehaus.jackson.jaxrs.JacksonJsonProvider as a provider class
Jan 13, 2019 9:21:50 PM com.sun.jersey.server.impl.application.WebApplicationImpl _initiate
INFO: Initiating Jersey application, version 'Jersey: 1.17.1 02/28/2013 12:47 PM'
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.RESTExceptionMapper to GuiceManagedComponentProvider
with the scope "Singleton"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.codehaus.jackson.jaxrs.JacksonJsonProvider to GuiceManagedComponentProvider
with the scope "Singleton"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.extension.ExtensionRESTService to GuiceManagedComponentProvider
with the scope "PerRequest"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.language.LanguageRESTService to GuiceManagedComponentProvider
with the scope "PerRequest"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.patch.PatchRESTService to GuiceManagedComponentProvider
with the scope "PerRequest"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.auth.TokenRESTService to GuiceManagedComponentProvider
with the scope "PerRequest"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.session.SessionRESTService to GuiceManagedComponentProvider
with the scope "PerRequest"
Jan 13, 2019 9:21:51 PM org.webjars.servlet.WebjarsServlet init
INFO: WebjarsServlet initialization completed
Jan 13, 2019 9:21:51 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive /var/lib/tomcat7/webapps/guacamole.war has finished
in 3,271 ms
Jan 13, 2019 9:21:51 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
Jan 13, 2019 9:21:51 PM org.apache.catalina.core.StandardContext setPath
WARNING: A context path must either be an empty string or start with a '/' and do not end
with a '/'. The path [/] does not meet these criteria and has been changed to []
Jan 13, 2019 9:21:51 PM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for
this logger for a complete list of JARs that were scanned but no TLDs were found in them.
Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 13, 2019 9:21:51 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/lib/tomcat7/webapps/ROOT has finished in
186 ms
Jan 13, 2019 9:21:51 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]

From: Nick Couchman <vnick@apache.org>
Sent: Sunday, 13 January 2019 20:23
To: user@guacamole.apache.org
Subject: Re: ldap groups in 1.0.0 RC1

On Sun, Jan 13, 2019 at 7:43 AM Philip Herbert <mail@pherbert.de>
wrote:
as it seems impossible to change the structure of an ldap, because a single application expects
users and groups
in different parts of the ldap directory, I would like to try to find out why this config
is failing

We certainly do not try to design the LDAP authentication extension with the notion of having
you reorganize your entire tree to suit the needs of Guacamole.  The Guacamole extension
does not expect users and groups to be in different parts of the tree - it simply gives you
different options for searching for users, groups, and connections, and leaving them out allows
you to disable items that you don't use.  For example, I use Guacamole, with Active Directory,
but don't care about having either LDAP groups or connections pulled in from AD - I'm only
interested in authentication and users.  Hopefully this helps explain why it is structured
the way it is.


If I set ldap-user-base-dn and ldap-group-base-dn to the same value (pointing to the root of
the directory), like:

DC=DOMAIN,DC=DE

then any attempt to login causes an error:

13:12:15.772 [http-bio-8080-exec-4] INFO  o.a.g.r.auth.AuthenticationService - User "philip"
successfully authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
13:12:16.745 [http-bio-8080-exec-4] WARN  o.a.g.e.AuthenticationProviderFacade - The "ldap"
authentication provider has encountered an internal error which will halt the authentication
process. If this is unexpected or you are the developer of this authentication provider, you
may wish to enable debug-level logging. If this is expected and you wish to ignore such failures
in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.

There is no additional output in catalina.out

Might be worth putting logging into DEBUG mode and see if anything else is captured.  Instructions
for that are here:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

This looks like it could be a bug, but hard to know for sure without some more detailed logging.


In my last post:
dap-username-attribute:sAMAccountName
was a copy/paste error. The 'l' before ldap is not missing …

I have managed to get clean user / group lists by modifying

the function getGroupSearchFilter in UserGroupService.jar to return only objectClass=group

        //return "(objectClass=*)";
        return "(objectClass=group)";



with the following properties:


ldap-hostname: dc.domain.de
ldap-port:3269
ldap-encryption-method:ssl
ldap-search-bind-dn:cn=GuacamoleLDAP,cn=Users,dc=domain,dc=de
ldap-search-bind-password:<something>
ldap-user-base-dn:dc=domain,dc=de
ldap-group-base-dn:dc=domain,dc=de
ldap-username-attribute:sAMAccountName
ldap-max-search-results:4000
ldap-follow-referrals:true
ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))


With this config and change, I get a clean list of (person) users in the user tab and a clean
list of groups in the group tab.
When I assign a connection profile to a group, the connection is visible to the users, but
he can not connect, due to missing permissions.
'You do not have permissions to access this connection'


Hmmm.  I wonder if this is related to this issue:

https://issues.apache.org/jira/browse/GUACAMOLE-696

??

-Nick
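
Added example, not part of the original messages and not Guacamole code: a small Python sketch of why, with ldap-user-base-dn and ldap-group-base-dn both set to dc=domain,dc=de, the group search filter quoted in the thread decides which objects are listed as groups. The directory entries are constructed and simplified, the evaluator handles only &, |, ! and equality/presence matches, and the user filter from the properties above is wrapped in (&...) here as an assumption so that it can be evaluated as a single filter.

```python
# Constructed, simplified entries under dc=domain,dc=de (sample data, not from the thread).
ENTRIES = [
    {"dn": "cn=philip,cn=Users,dc=domain,dc=de",
     "objectClass": ["top", "person", "user"], "objectCategory": ["person"]},
    {"dn": "cn=PC01,cn=Computers,dc=domain,dc=de",
     "objectClass": ["top", "person", "user", "computer"], "objectCategory": ["computer"]},
    {"dn": "cn=RDP-Admins,ou=Groups,dc=domain,dc=de",
     "objectClass": ["top", "group"], "objectCategory": ["group"]},
    {"dn": "ou=Groups,dc=domain,dc=de",
     "objectClass": ["top", "organizationalUnit"], "objectCategory": ["organizationalUnit"]},
]

def parse(f, i=0):
    """Parse one parenthesised filter component at f[i]; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[2] == "*" else node[2].lower() in values

def search(base_dn, ldap_filter):
    """Subtree search: DNs below base_dn that match; rejects anything but one filter."""
    node, end = parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing data after the first filter component")
    return [e["dn"] for e in ENTRIES
            if e["dn"].lower().endswith(base_dn.lower()) and matches(node, e)]

BASE = "dc=domain,dc=de"
print(search(BASE, "(objectClass=*)"))      # every object below the base
print(search(BASE, "(objectClass=group)"))  # only the group entry
```

With the base at the directory root, the presence filter returns users, computers and containers alongside the one real group, which is the unclean group list described in the thread; the narrowed filter returns only the group entry.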