guacamole-user mailing list archives

From Adam Thorn <al...@cam.ac.uk>
Subject Re: Path forward to get Guacamole working with AD LDAP?
Date Fri, 09 Aug 2019 17:48:40 GMT

On 08/08/2019 23:27, surfrock66 wrote:
> I'm pretty confused here, I see documentation that it should be relatively
> painless to get LDAP with AD working with Guacamole, but I can't for the
> life of me get it to work.  Our target clients will be Windows machines, so
> RDP is critical.
> 
> My AD has users nested under sites under our root, so I cannot provide a
> root DN that is not the root of my domain.  This is relevant later.  My
> LDAP_USER_BASE_DN="DC=AD,DC=DOMAIN,DC=org".
> 
> My preferred target platform is Ubuntu Server 19.04.  Using the docker
> image, I cannot get AD authentication to work.  When viewing the docker
> logs, I see this:

[your log messages were stripped out of the mailing list, so copying 
from the website...]

> 22:23:04.355 [http-nio-8080-exec-10] WARN  o.a.g.auth.ldap.ObjectQueryService - Given a referral, but referrals are disabled. Error was: Referral
> 22:23:04.355 [http-nio-8080-exec-10] WARN  o.a.g.auth.ldap.ObjectQueryService - Given a referral, but referrals are disabled. Error was: Referral
> 22:23:04.356 [http-nio-8080-exec-10] WARN  o.a.g.auth.ldap.ObjectQueryService - Given a referral, but referrals are disabled. Error was: Referral
> 22:23:04.359 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.1.18.39 for user "username" failed.

> This error has been referenced before in GUACAMOLE-243 and a fix was applied
> in 0.9.14, but it appears to have regressed in 1.0.0?
> https://issues.apache.org/jira/browse/GUACAMOLE-243

GUACAMOLE-243 introduced the ability to follow LDAP referrals but that's 
disabled by default; see the ldap-follow-referrals option at

https://guacamole.apache.org/doc/gug/ldap-auth.html#guac-ldap-config

> Full docker commands (with org stuff commented out) for completeness:

[similarly copy/pasting back in...]

> docker run \
>         --name org-guacamole \
>         --link org-guacd:guacd \
>         -e LDAP_HOSTNAME="10.1.10.3" \
>         -e LDAP_PORT="389" \
>         -e lDAP-USERNAME-ATTRIBUTE=cn \
>         -e LDAP_USER_BASE_DN="DC=AD,DC=DOMAIN,DC=org" \
>         -e LDAP_SEARCH_BIND_DN="CN=svcLDAPLookup,OU=Service Accounts,DC=AD,DC=DOMAIN,DC=org" \
>         -e LDAP_SEARCH_BIND_PASSWORD=********** \
>         -d -p 8080:8080 guacamole/guacamole 

I don't use the docker image but based upon the description of 
enable-environment-properties at:

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup

...I think you might also want to specify "-e 
LDAP_FOLLOW_REFERRALS=true". Note also that you've specified "-e 
lDAP-USERNAME-ATTRIBUTE=cn" which I think ought to be "-e 
LDAP_USERNAME_ATTRIBUTE=cn"

Adam

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
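
A lint for the naming slip pointed out in the reply above, as an added example (not code from the thread or from the Guacamole project): it applies the rule in the linked enable-environment-properties documentation (property name uppercased, dashes replaced with underscores) to the `-e` arguments of a `docker run` command. The function names and the sample command are constructed for illustration; whether the Docker image actually honours a given variable is not checked.

```python
import re
import shlex

def env_name(prop):
    """Map a guacamole.properties name to its environment-variable form."""
    return prop.upper().replace("-", "_")

def env_assignments(command):
    """Return (name, value) pairs for every -e/--env argument of a docker run command."""
    # shlex does not treat backslash-newline as a continuation, so join lines first.
    tokens = shlex.split(command.replace("\\\n", " "))
    pairs = []
    for i, tok in enumerate(tokens):
        if tok in ("-e", "--env") and i + 1 < len(tokens):
            assignment = tokens[i + 1]
        elif tok.startswith("--env="):
            assignment = tok[len("--env="):]
        else:
            continue
        name, _, value = assignment.partition("=")
        pairs.append((name, value))
    return pairs

def misnamed(command):
    """Return (given, expected) for LDAP-looking names that are not in canonical form."""
    return [(name, env_name(name)) for name, _ in env_assignments(command)
            if re.match(r"ldap[-_]", name, re.IGNORECASE) and name != env_name(name)]

def is_set(command, prop):
    """True if the environment variable for property `prop` is passed to the container."""
    return env_name(prop) in {name for name, _ in env_assignments(command)}

# Constructed sample modelled on the command in the thread (password is a placeholder).
SAMPLE = r'''docker run \
    --name org-guacamole \
    --link org-guacd:guacd \
    -e LDAP_HOSTNAME="10.1.10.3" \
    -e LDAP_PORT="389" \
    -e lDAP-USERNAME-ATTRIBUTE=cn \
    -e LDAP_USER_BASE_DN="DC=AD,DC=DOMAIN,DC=org" \
    -e LDAP_SEARCH_BIND_PASSWORD=placeholder \
    -d -p 8080:8080 guacamole/guacamole
'''

if __name__ == "__main__":
    for given, expected in misnamed(SAMPLE):
        print(f"{given}: expected {expected}")
    if not is_set(SAMPLE, "ldap-follow-referrals"):
        print("ldap-follow-referrals is not set (referrals stay disabled by default)")
```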

