From: Nick Couchman
To: user@guacamole.apache.org
Date: Sun, 13 Jan 2019 14:02:22 -0500
Subject: Re: ldap groups in 1.0.0 RC1
On Sun, Jan 13, 2019 at 7:43 AM Philip Herbert <mail@pherbert.de> wrote:

> As it seems impossible to change the structure of an LDAP directory,
> because a single application expects users and groups in different parts
> of the directory, I would like to try to find out why this config is
> failing.
>
> If I set ldap-user-base-dn and ldap-group-base-dn to the same value
> (pointing to the root of the directory), like:
>
> DC=DOMAIN,DC=DE
>
> then any attempt to log in causes an error:
>
> 13:12:15.772 [http-bio-8080-exec-4] INFO  o.a.g.r.auth.AuthenticationService - User "philip" successfully authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
> 13:12:16.745 [http-bio-8080-exec-4] WARN  o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
>
> There is no additional output in catalina.out.
>
> In my last post:
>
> dap-username-attribute:sAMAccountName
>
> was a copy/paste error. The ‚l‘ before ldap is not missing …
>
> I have managed to get clean user / group lists by modifying the function
> getGroupSearchFilter in UserGroupService.jar to return only
> objectClass=group:
>
>     //return "(objectClass=*)";
>     return "(objectClass=group)";
>
> with the following properties:
>
> ldap-hostname: dc.domain.de
> ldap-port:3269
> ldap-encryption-method:ssl
> ldap-search-bind-dn:cn=GuacamoleLDAP,cn=Users,dc=domain,dc=de
> ldap-search-bind-password:<something>
> ldap-user-base-dn:dc=domain,dc=de
> ldap-group-base-dn:dc=domain,dc=de
> ldap-username-attribute:sAMAccountName
> ldap-max-search-results:4000
> ldap-follow-referrals:true
> ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
>
> With this config and change, I get a clean list of (person) users in the
> user tab and a clean list of groups in the group tab.
>
> When I assign a connection profile to a group, the connection is visible
> to the users, but they cannot connect, due to missing permissions:
>
> ‚You do not have permissions to access this connection‘
>
> INFO: Server startup in 3508 ms
> 13:38:18.787 [http-bio-8080-exec-7] INFO  o.a.g.r.auth.AuthenticationService - User "philip" successfully authenticated from [192.168.121.212, 127.0.0.1].
> 13:38:20.167 [http-bio-8080-exec-9] INFO  o.a.g.r.auth.AuthenticationService - User "philip" successfully authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
> 13:38:52.504 [http-bio-8080-exec-8] INFO  o.a.g.r.auth.AuthenticationService - User "testdv" successfully authenticated from [192.168.121.212, 127.0.0.1].
> 13:38:55.784 [http-bio-8080-exec-2] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Permission denied.
> 13:38:55.846 [http-bio-8080-exec-7] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: Permission denied.
> 13:39:12.699 [http-bio-8080-exec-5] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Permission denied.
> 13:39:12.754 [http-bio-8080-exec-3] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: Permission denied.
>
> Connections assigned to the user (not the group) are still working fine,
> as they did in previous versions.
>
> Thanks, Philip
>
>
> From: Mike Jumper <mjumper@apache.org>
> Sent: Sunday, 6 January 2019 08:47
> To: user@guacamole.apache.org
> Subject: Re: ldap groups in 1.0.0 RC1
>
> On Sat, Jan 5, 2019, 16:49 Philip Herbert <mail@pherbert.de> wrote:
>
>> ...
>>
>> Because of the global catalogue port (3269), all users in the entire
>> directory are returned and shown in Users, independent of the OU.
>
> Are you saying your LDAP server ignores the base DN for queries?
>
>> ...
>>
>> dap-username-attribute:sAMAccountName
>
> Is this a correct copy of your guacamole.properties? The "ldap" in this
> property name is missing the "l".
>
>> ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
>
> Is "user" a valid objectClass?
>
>> simply adding:
>>
>> ldap-user-base-dn:dc=mydomain,dc=de
>>
>> causes a failure:
>>
>> 01:32:21.232 [http-bio-8080-exec-9] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.121.212, 127.0.0.1] for user "service" failed.
>> 01:32:25.523 [http-bio-8080-exec-1] INFO  o.a.g.r.auth.AuthenticationService - User "philip" successfully authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
>> 01:32:26.498 [http-bio-8080-exec-1] WARN  o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
>
> There should be an earlier, more specific error. Anything else in your
> logs?
>
>> When I set:
>>
>> ldap-user-base-dn:cn=Users,dc=mydomain,dc=de
>>
>> I can log in, but in the Administration Groups tab I see all users and
>> groups in the Users container of the directory and not only groups.
>
> You will also need to set the "ldap-group-base-dn" property.
>
> As long as your users and groups are beneath separate, distinct base DNs
> (there are no users beneath the group DN and no groups beneath the user
> DN), they will be properly distinguished from each other. If you keep your
> groups in the same part of your LDAP directory as your users, Guacamole
> will not be able to differentiate an LDAP group from an LDAP user when
> attempting to list either within the admin interface.
>
> - Mike
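Two configuration problems come up in this thread: a mistyped property key ("dap-username-attribute", which the LDAP extension does not recognise) and ldap-user-base-dn and ldap-group-base-dn pointing at the same subtree, which Mike explains leaves Guacamole unable to tell a group entry from a user entry. The following is an added example, not code from the thread or from the Guacamole project: a small pre-flight check that parses a guacamole.properties fragment, flags unknown ldap-* keys, and reports identical or nested base DNs, comparing DNs case-insensitively and ignoring whitespace around RDNs the way a directory server would. The sample properties are constructed from what Philip posted; KNOWN_LDAP_KEYS is only the subset of keys used in this thread (the real extension accepts more), and the ou=Groups container in the corrected sample is a hypothetical name chosen to show what a non-overlapping layout looks like.

```python
"""Pre-flight checks for the ldap-* settings discussed in this thread.

Added example, not part of Apache Guacamole. Standard library only.
"""
import re

# Constructed sample: the properties posted above, plus the mistyped
# 'dap-username-attribute' key from the earlier message.
SAMPLE_PROPERTIES = """\
ldap-hostname: dc.domain.de
ldap-port:3269
ldap-encryption-method:ssl
ldap-search-bind-dn:cn=GuacamoleLDAP,cn=Users,dc=domain,dc=de
ldap-search-bind-password:<something>
ldap-user-base-dn:dc=domain,dc=de
ldap-group-base-dn:dc=domain,dc=de
dap-username-attribute:sAMAccountName
ldap-max-search-results:4000
ldap-follow-referrals:true
ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
"""

# Constructed sample with the key fixed and users/groups under distinct,
# non-nested base DNs. 'ou=Groups' is a hypothetical container name.
CORRECTED_PROPERTIES = """\
ldap-hostname: dc.domain.de
ldap-port:3269
ldap-encryption-method:ssl
ldap-search-bind-dn:cn=GuacamoleLDAP,cn=Users,dc=domain,dc=de
ldap-search-bind-password:<something>
ldap-user-base-dn:cn=Users,dc=domain,dc=de
ldap-group-base-dn:ou=Groups,dc=domain,dc=de
ldap-username-attribute:sAMAccountName
ldap-max-search-results:4000
ldap-follow-referrals:true
ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
"""

# Assumption: only the keys that appear in this thread plus
# ldap-group-name-attribute. The extension accepts more; extend as needed.
KNOWN_LDAP_KEYS = {
    "ldap-hostname", "ldap-port", "ldap-encryption-method",
    "ldap-search-bind-dn", "ldap-search-bind-password",
    "ldap-user-base-dn", "ldap-group-base-dn",
    "ldap-username-attribute", "ldap-group-name-attribute",
    "ldap-user-search-filter", "ldap-max-search-results",
    "ldap-follow-referrals",
}

# Java .properties style: "key: value" or "key=value"; the key ends at the
# first ':' or '=' so filter values containing '=' are kept intact.
_PROP_LINE = re.compile(r"^\s*([^\s:=]+)\s*[:=]?\s*(.*?)\s*$")


def parse_properties(text):
    """Parse a guacamole.properties fragment into a dict (comments skipped)."""
    props = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", "!")):
            continue
        m = _PROP_LINE.match(raw)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def normalize_dn(dn):
    """Split a DN into (attr, value) pairs, leaf first, case-folded, so that
    'DC=DOMAIN, DC=DE' and 'dc=domain,dc=de' compare equal."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on unescaped commas
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def dn_is_under(child, parent):
    """True if child is parent itself or any entry beneath parent."""
    c, p = normalize_dn(child), normalize_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def check_ldap_properties(props):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    for key in props:
        if key.startswith("ldap-") or key.startswith("dap-"):
            if key not in KNOWN_LDAP_KEYS:
                findings.append(f"unknown property '{key}': not a recognised ldap-* key (typo?)")
    user_base = props.get("ldap-user-base-dn")
    group_base = props.get("ldap-group-base-dn")
    if user_base and group_base:
        if normalize_dn(user_base) == normalize_dn(group_base):
            findings.append("ldap-user-base-dn and ldap-group-base-dn are identical: "
                            "users and groups cannot be told apart")
        elif dn_is_under(group_base, user_base) or dn_is_under(user_base, group_base):
            findings.append("ldap-user-base-dn and ldap-group-base-dn are nested: "
                            "one subtree contains the other")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_PROPERTIES), ("corrected", CORRECTED_PROPERTIES)):
        print(f"{name}: {check_ldap_properties(parse_properties(text)) or 'no findings'}")
```

Run it against your own guacamole.properties by reading the file into parse_properties; an empty findings list only means the two problems discussed here are absent, it does not prove the directory itself keeps users and groups apart.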