[jira] [Commented] (GUACAMOLE-944) LDAP broken in 1.1.0
[ https://issues.apache.org/jira/browse/GUACAMOLE-944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17030401#comment-17030401 ]

Ross commented on GUACAMOLE-944:

Thanks [~mjumper]. Using the full LDAP DN seems to have resolved the issue.

> LDAP broken in 1.1.0
>
> Key: GUACAMOLE-944
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-944
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-ldap
> Affects Versions: 1.1.0
> Environment: Kubernetes 1.16.4
> Reporter: Ross
> Priority: Major
>
> On upgrading our Guacamole container from 1.0.0 to 1.1.0, it fails to authenticate. Error message in logs is:
>
> 03-Feb-2020 13:37:15.136 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 3675 ms
> 13:38:12.579 [http-nio-8080-exec-9] WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
> 13:38:12.579 [http-nio-8080-exec-9] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [1.20.211.22, 10.42.4.0] for user "rossg" failed.
>
> Workaround is to switch back to 1.0.0.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (GUACAMOLE-944) LDAP broken in 1.1.0
[ https://issues.apache.org/jira/browse/GUACAMOLE-944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17030155#comment-17030155 ]

Mike Jumper commented on GUACAMOLE-944:

{quote}
- name: LDAP_SEARCH_BIND_DN
  value: guacam...@agentdesign.co.uk
{quote}

I think this may be the issue. The changes from GUACAMOLE-234 effectively added DN validation around the search bind DN. The 1.1.0 version of the LDAP support is likely refusing to use this value as it isn't a DN, whereas there was no such validation in 1.0.0 and older. There may be an error to that effect earlier in the logs.

[~rossg], assuming there is an LDAP DN equivalent for that user, can you try using the DN and see whether things start working?

{quote}
Not sure how to put it into debug mode. Do you have a link to some docs explaining how to do this?
{quote}

It looks like the documentation for this is missing, but the variable to set for the {{guacamole/guacamole}} Docker image would be {{LOGBACK_LEVEL}} (GUACAMOLE-713). If you set that variable to "debug", you should start seeing debug-level messages in your Docker logs.
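An added example, not part of the original thread and not Guacamole's own validation code: a simplified RFC 4514 syntax check that can be run over the container's environment before upgrading, to catch a UPN-style bind identity in a variable that has to hold a DN. The names `dn_problem` and `check_env` and the sample values are assumptions made for illustration.

```python
import re

# Attribute type: a short name (CN, DC, OU, ...) or a dotted numeric OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
DN_VARS = ("LDAP_SEARCH_BIND_DN", "LDAP_USER_BASE_DN")  # DN-typed variables from the thread

def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped separators inside values."""
    parts, current, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current += text[i:i + 2]
            i += 2
        elif text[i] == sep:
            parts.append(current)
            current = ""
            i += 1
        else:
            current += text[i]
            i += 1
    return parts + [current]

def dn_problem(value):
    """Return None if value has DN syntax, otherwise a short reason."""
    if not value.strip():
        return "empty value"
    if "@" in value and "=" not in value:
        return "looks like a userPrincipalName (user@domain), not a DN"
    for rdn in split_unescaped(value, ","):
        for ava in split_unescaped(rdn, "+"):
            attr, eq, _ = ava.partition("=")
            if not eq:
                return f"component {ava.strip()!r} has no attribute=value pair"
            if not _ATTR_TYPE.match(attr.strip()):
                return f"invalid attribute type {attr.strip()!r}"
    return None

def check_env(env):
    """Map each DN-typed variable present in env to its problem, if any."""
    found = {name: dn_problem(env[name]) for name in DN_VARS if name in env}
    return {name: why for name, why in found.items() if why}

# Constructed sample values (not the reporter's real account or directory).
SAMPLE_ENV = {
    "LDAP_SEARCH_BIND_DN": "svc-guac@example.com",
    "LDAP_USER_BASE_DN": "CN=Users,DC=example,DC=local",
}

print(check_env(SAMPLE_ENV))
```

A value that passes this check is only syntactically a DN; whether the entry exists and can bind is still decided by the directory server.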
[jira] [Commented] (GUACAMOLE-944) LDAP broken in 1.1.0
[ https://issues.apache.org/jira/browse/GUACAMOLE-944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17029670#comment-17029670 ]

Ross commented on GUACAMOLE-944:

[~mjumper] - Configuration values...

    containers:
    - env:
      - name: GUACAMOLE_HOME
        value: /opt/guacamole
      - name: GUACD_HOSTNAME
        value: guacd
      - name: GUACD_PORT
        value: "4822"
      - name: LDAP_ENCRYPTION_METHOD
        value: none
      - name: LDAP_HOSTNAME
        value: 127.0.0.1
      - name: LDAP_PORT
        value: "389"
      - name: LDAP_SEARCH_BIND_DN
        value: guacam...@agentdesign.co.uk
      - name: LDAP_SEARCH_BIND_PASSWORD
        value: nottellingyou
      - name: LDAP_USERNAME_ATTRIBUTE
        value: sAMAccountName
      - name: LDAP_USER_BASE_DN
        value: CN=Users,DC=agent,DC=local
      - name: MYSQL_DATABASE
        value: guacamole
      - name: MYSQL_HOSTNAME
        value: master.db
      - name: MYSQL_PASSWORD
        value: alsonottellingyou
      - name: MYSQL_USER
        value: guacamole
      image: guacamole/guacamole:1.0.0

It's an ActiveDirectory server, standard structure.

I can't provide the logs right now, as there will be staff using it. I'll run it with the new version again one morning before anyone is using it and provide the full logs.

[~vnick] - Not sure how to put it into debug mode. Do you have a link to some docs explaining how to do this?

The JRE/JDK and Tomcat versions will be those built into the official 1.1.0 container...

https://hub.docker.com/layers/guacamole/guacamole/1.1.0/images/sha256-333a7f40c145f2487166f63bea671d5708750875259515a38d34ad304755583a
[jira] [Commented] (GUACAMOLE-944) LDAP broken in 1.1.0
[ https://issues.apache.org/jira/browse/GUACAMOLE-944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17029430#comment-17029430 ]

Nick Couchman commented on GUACAMOLE-944:

We're going to need more logs than that to figure out what's going on, here - you'll likely need to put the web app into debug mode. Also please specify your environment - beyond Kubernetes, what JRE/JDK, Tomcat, etc., are you deploying into?
[jira] [Commented] (GUACAMOLE-944) LDAP broken in 1.1.0
[ https://issues.apache.org/jira/browse/GUACAMOLE-944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17029429#comment-17029429 ]

Mike Jumper commented on GUACAMOLE-944:

It's unlikely that LDAP is entirely broken in 1.1.0 - the support was thoroughly regression-tested prior to release. If things are not working in your case (but are working with 1.0.0), it does sound like a bug, but it is likely a bug specific to some aspect of your environment.

Can you provide the LDAP configuration values you use for Guacamole? What specific LDAP server are you using and what does the structure of your LDAP directory look like?

What messages do you see within the Guacamole logs if you enable debug-level logging? Can you provide the entire log, from the point of server startup through the first authentication failure?