RE: MFA for some users only

2024-10-23 Thread Luciano Oliveira
I am also waiting for this feature. From what I've researched, it may be 
available in version 1.6.0.


From: Paul Burrett
Sent: Wednesday, October 23, 2024 21:54
To: user@guacamole.apache.org
Subject: MFA for some users only


I want to know if there is a way to set MFA for some users or a group of users 
or exempt users.






RE: ldap-servers.yml not working

2024-07-18 Thread Luciano Oliveira
Look, my ldap-servers.yml

- hostname: ldap.domain.local
  port: 636
  encryption-method: ssl
  user-base-dn: dc=domain,dc=local
  match-usernames:
    - LOCAL\\(.*)
    - (.*)@domain\.local
  username-attribute: sAMAccountName
  search-bind-dn: cn=srv_gcd,ou=ServicesAuth,dc=domain,dc=local
  search-bind-password: passwordXsds224e
  user-search-filter: (&(&(objectClass=user)(objectCategory=person))(memberof=cn=acess_guacd,ou=Groups,dc=domain,dc=local))

- hostname: ldap.sub.domain.local
  port: 636
  encryption-method: ssl
  user-base-dn: dc=sub,dc=domain,dc=local
  match-usernames:
    - SUB\\(.*)
    - (.*)@sub\.domain\.local
  username-attribute: sAMAccountName
  search-bind-dn: cn=srv_sub_gcd,ou=ServicesAuth,dc=sub,dc=domain,dc=local
  search-bind-password: passwordXX5485
  user-search-filter: (&(&(objectClass=user)(objectCategory=person))(memberof=cn=accesso_guaca_sub,ou=Groups,dc=sub,dc=domain,dc=local))

Remember that the guacamole.properties file should only contain the 
configuration:
"auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider" 
and others.

The LDAP parameters should only be in the ldap-servers.yml file.

Regards,

Luciano!



From: Michael Jumper
Sent: Wednesday, July 17, 2024 15:23
To: user@guacamole.apache.org
Subject: Re: ldap-servers.yml not working

On 7/17/24 10:18 AM, Nic Fargo wrote:
> I’m trying to use the multiple LDAP servers settings discussed in the
> Apache Guacamole Manual v1.5.5.  I’m not sure if there’s a flag that
> needs to be in /etc/guacamole/guacamole.properties to use the
> ldap-servers.yml file, or if it uses it automatically when present.

It's automatically read and used when present and readable.

> My ldap-servers.yml has the following data: ...

What are the permissions on this file?

What do you see in your Guacamole logs?

- Mike

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
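
Added example, not part of the original message and not Guacamole's own code: a small model of how the match-usernames patterns in the ldap-servers.yml above decide which server a login is sent to and which value is searched under username-attribute. It assumes servers are consulted top to bottom, that a pattern has to match the whole login, and that the first capture group is the searched value; the UPN variant is the `(.*@domain\.local)` pattern raised elsewhere in this archive, and LOOSE_SERVERS is a constructed misconfiguration.

```python
import re

# Routing fields of the two entries from the ldap-servers.yml quoted above.
# YAML plain scalars keep backslashes as typed, so LOCAL\\(.*) reaches the
# regex engine unchanged: a literal backslash followed by a capture group.
SERVERS = [
    {"hostname": "ldap.domain.local", "username-attribute": "sAMAccountName",
     "match-usernames": [r"LOCAL\\(.*)", r"(.*)@domain\.local"]},
    {"hostname": "ldap.sub.domain.local", "username-attribute": "sAMAccountName",
     "match-usernames": [r"SUB\\(.*)", r"(.*)@sub\.domain\.local"]},
]

# Variant from the multiple-domains thread: search on userPrincipalName and
# capture the whole user@domain string instead of only the part before "@".
UPN_SERVERS = [
    {"hostname": "ldap.domain.local", "username-attribute": "userPrincipalName",
     "match-usernames": [r"(.*@domain\.local)"]},
]

# Constructed misconfiguration: an over-broad pattern on the parent domain.
LOOSE_SERVERS = [
    {**SERVERS[0], "match-usernames": [r"(.*)@.*domain\.local"]},
    SERVERS[1],
]


def try_order(login, servers):
    """Return [(hostname, attribute, searched_value), ...] in the order tried.

    Assumed semantics: servers are consulted top to bottom, a pattern has to
    match the entire login, and the first capture group (or the whole login
    when the pattern has none) is the value searched under username-attribute.
    """
    attempts = []
    for server in servers:
        patterns = server.get("match-usernames")
        if not patterns:
            # Assumed: an entry without patterns applies to every login.
            attempts.append((server["hostname"], server["username-attribute"], login))
            continue
        for pattern in patterns:
            match = re.fullmatch(pattern, login)
            if match:
                value = match.group(1) if match.re.groups else login
                attempts.append((server["hostname"], server["username-attribute"], value))
                break  # one attempt per server entry
    return attempts


def overlapping(logins, servers):
    """Logins accepted by more than one server entry, with the hosts involved."""
    result = {}
    for login in logins:
        hosts = [host for host, _, _ in try_order(login, servers)]
        if len(hosts) > 1:
            result[login] = hosts
    return result


if __name__ == "__main__":
    for login in ("LOCAL\\alice", "alice@domain.local", "alice@sub.domain.local", "alice"):
        print(f"{login!r:28} -> {try_order(login, SERVERS)}")
    print(try_order("alice@domain.local", UPN_SERVERS))
    print(overlapping(["bob@sub.domain.local"], LOOSE_SERVERS))
```

A login that appears in `overlapping` has its password offered to a same-named account in more than one domain, which matters when both domains can hold the same sAMAccountName.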



RE: fail2ban included

2024-07-03 Thread Luciano Oliveira
I have Fail2ban running, and here I configured it just to alert me in case of 
attempts because my Guacamole is running on top of a firewall web portal. It is 
always the same IP that accesses Guacamole.

jail.conf

[guacamole]

enabled  = true
port = http,https,8080,8443
logpath  = /var/log/tomcat*/catalina.out
action   = %(action_mwl)s
maxretry = 7

Regards,

Luciano de Oliveira
---
Telecommunications Technician - CFT Registration
Network and Server Infrastructure


From: Nick Couchman
Sent: Wednesday, July 3, 2024 12:44
To: user@guacamole.apache.org
Subject: Re: fail2ban included

On Wed, Jul 3, 2024 at 11:41 AM DEFAULT  wrote:

Hi,



I am using cloudron.io (https://www.cloudron.io/) as the 
base, sort of like cpanel, and then Guacamole is installed as a docker.



My questions are:

  *   does Guacamole have fail2ban included?

No, we do not include fail2ban in Guacamole directly; however, it should be 
relatively easy to set up and install.


  *   if not, then should I install it at the guacamole level or cloudron level?

I would say at the Cloudron level - you need to deploy fail2ban in a place 
where it can monitor the logs of your guacamole container, and then put 
firewall rules in place to block the traffic.


  *   if at the guacamole level, how do I install and integrate it?



I've never done it before, and it isn't something you install in Guacamole; 
however, others on this forum have and can probably provide you with 
instructions.

-Nick
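
Added example, not part of the thread and not fail2ban's or Guacamole's own code: the counting a jail like the one above performs, applied to Guacamole's failed-login WARN lines when a proxy sits in front. The log lines are constructed in the format of the AuthenticationService line quoted elsewhere in this archive; `findtime=600`, the proxy address and the single-day timestamps are assumptions, and `maxretry=7` is the value from the jail.

```python
import re
from collections import defaultdict, deque

# Anchored at both ends so text inside the quoted username cannot pose as
# the address field.
FAILURE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2})\.\d{3} \[[^\]]+\] WARN\s+'
    r'o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from '
    r'\[?(?P<addrs>[0-9A-Fa-f.:]+(?:, [0-9A-Fa-f.:]+)*)\]? '
    r'for user "(?P<user>.*)" failed\.$'
)


def parse_failure(line):
    """Return (time, [addresses], user) for a failed-login line, else None."""
    m = FAILURE.match(line.strip())
    if not m:
        return None
    return m["time"], m["addrs"].split(", "), m["user"]


def client_address(chain, trusted_proxies):
    """Rightmost hop that is not one of our own proxies."""
    for addr in reversed(chain):
        if addr not in trusted_proxies:
            return addr
    return chain[0]  # every hop is ours


def seconds(hms):
    # Time of day only: the sample lines carry no date (assumed single day).
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def offenders(lines, trusted_proxies, maxretry=7, findtime=600):
    """Map each address reaching maxretry failures within findtime seconds
    to the timestamp of the failure that crossed the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        stamp, chain, _user = parsed
        addr = client_address(chain, trusted_proxies)
        window = recent[addr]
        window.append(seconds(stamp))
        while window[-1] - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            flagged.setdefault(addr, stamp)
    return flagged


def _failure(stamp, addrs, user):
    # Builds one constructed log line in the quoted format.
    return (f'{stamp}.883 [http-nio-8080-exec-2] WARN  '
            f'o.a.g.r.auth.AuthenticationService - '
            f'Authentication attempt from {addrs} for user "{user}" failed.')


PROXY = "192.168.254.10"  # assumed address of the web portal / reverse proxy
# Constructed line whose username tries to smuggle in a second address.
FORGED = _failure("08:31:05", f"[198.51.100.20, {PROXY}]",
                  'x" failed. Authentication attempt from [192.0.2.99] for user "y')
# Constructed sample: seven failures from one client, two from another,
# and one unrelated INFO line that has to be ignored.
SAMPLE = [_failure(f"08:29:{10 + 5 * i:02d}", f"[203.0.113.7, {PROXY}]", "l.coelho")
          for i in range(7)]
SAMPLE += [
    _failure("08:31:00", f"[198.51.100.20, {PROXY}]", "admin"),
    FORGED,
    '08:31:06.001 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - '
    'User "admin" did not successfully authenticate against any LDAP server.',
]

if __name__ == "__main__":
    print("proxy trusted:  ", offenders(SAMPLE, {PROXY}))
    print("proxy untrusted:", offenders(SAMPLE, set()))
```

With the proxy left out of `trusted_proxies`, every failure is charged to the proxy itself, which is the "always the same IP" situation described above and the reason that jail is set to alert rather than ban.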


RE: MariaDB authentication error

2023-10-06 Thread Luciano Oliveira
Hi!

Try adding the following configuration to your guacamole.properties

mysql-ssl-mode: disable

-> Lib

root@guacamole:/etc/guacamole/lib#
mariadb-java-client-2.7.5.jar

[ ]

Luciano de Oliveira
---
Telecommunications Technician - CFT
Network and Server Infrastructure
NEXANS Structured Cabling Certified

E-mail: olluci...@outlook.com
Mobile/WhatsApp: +55 51 99549-7999


From: maniardpa...@gmail.com
Sent: Thursday, October 5, 2023 13:55
To: user@guacamole.apache.org
Subject: MariaDB authentication error


Respected members,



I am a self-funded student who has just installed (compiled version) of the 
Apache Guacamole. I've taken a DB approach to authentication via MariaDB. When 
accessing the Guacamole page (http://ip:8080/guacamole) I get the following 
error:



"An error has occurred and this action cannot be completed. If the problem 
persists, please notify your system administrator or check your system logs."



I can see the following logs in /var/log/syslog when the request is presented:

[Warning] Aborted connection 31 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)



I have attempted the following two connectors by placing them into the 
/etc/guacamole/lib/ folder:



  1.  mysql-connector-j-8.1.0.jar
  2.  mariadb-java-client-1.8.0.jar



I have further created the following links too:



  1.  ln -s /etc/guacamole /usr/share/tomcat/.guacamole && ln -s /etc/guacamole/guacamole.war /usr/share/tomcat/webapps/



I have added DBs using:



  1.  mysql -u root -p guacamoledb < /home/ra/guacamole-auth-jdbc/mysql/schema/001-create-schema.sql
  2.  mysql -u root -p guacamoledb < /home/ra/guacamole-auth-jdbc/mysql/schema/002-create-admin-user.sql



I added it using the root password of the OS and not the MariaDB password. I am 
not sure if this is what is causing the issue. When I am retrying with MariaDB 
password, I am getting:



  1.  ERROR 1050 (42S01) at line 24: Table 'guacamole_connection_group' already exists
  2.  ERROR 1062 (23000) at line 21: Duplicate entry 'USER-guacadmin' for key 'guacamole_entity_name_scope'



I reckon this is where I am wrong, but I am uncertain. I have added a username 
and password in the "/etc/guacamole/guacamole.properties" that I did not use 
while adding the above configuration.



Following are the technical details:



  1.  Host type: VM
  2.  Host (technically guest) OS: Ubuntu Server 22.04.3 LTS
  3.  Apache Guacamole version: 1.5.3
  4.  Tomcat version: 9
  5.  Java version: openjdk 11.0.20.1 2023-08-24
  6.  MariaDB version: mariadb  Ver 15.1 Distrib 10.6.12-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper



What is the most optimal way to diagnose and rectify the error?



Thank you very much.



Parth D. Maniar

CISSP, CDPSE, GCWN, CISM, CISA, SSCP(ret.)

Student Number: 1146383.

MSc in Software and Systems Security.

Kellogg College,

Oxford University.



Mobile Number: +91-966235

Alternate E-Mail ID: 
parth.man...@kellogg.ox.ac.uk

LinkedIn: https://www.linkedin.com/in/parthmaniar/




RE: LDAP - Multiple domains

2023-08-08 Thread Luciano Oliveira
Here's the ldap-servers.yml file!


Luciano


From: Michael Jumper
Sent: Tuesday, August 8, 2023 18:02
To: user@guacamole.apache.org
Subject: Re: LDAP - Multiple domains

Can you provide an exact copy of the YAML that is being used, redacted
as needed?

- Mike

On 8/8/2023 9:22 AM, Luciano Oliveira wrote:
> Thanks, Mike!
>
> The original file is correct!
> Just a CTRL+C, CTRL+V on this email
>
>
> *Luciano*
>
> *From:* Michael Jumper
> *Sent:* Tuesday, August 8, 2023 12:56
> *To:* user@guacamole.apache.org
> *Subject:* Re: LDAP - Multiple domains
> Watch out for your indentation. As-written, the YAML below is malformed
> due to misaligned indentation of properties and would fail to parse.
> There may be errors to that effect in your logs.
>
> - Mike
>
> On 8/8/2023 8:48 AM, Luciano Oliveira wrote:
>> Looked this:
>>
>> My ldap-servers.yml to login in usuario@domain.local or
>> usuario@sub.domain.local
>>
>> $cat /etc/guacamole/ldap-servers.yml
>> - hostname: dc.domain.local
>>port: 636
>>encryption-method: ssl
>>user-base-dn: dc=domain,dc=local
>>match-usernames:
>>  - LOCAL\\(.*)
>>  - (.*)@domain\.local
>>username-attribute: sAMAccountName
>>search-bind-dn: cn=srv_gcd,ou=ServicesAuth,dc=domain,dc=local
>>search-bind-password: passwordXsds224e
>>user-search-filter:
>> (&(&(objectClass=user)(objectCategory=person))(memberof=cn=acess_guacd,ou=Groups,dc=domain,dc=local))
>>
>> - hostname: dc.sub.domain.local
>> port: 636
>>encryption-method: ssl
>> user-base-dn: dc=sub,dc=domain,dc=local
>>match-usernames:
>>  - SUBDOM\\(.*)
>>  - (.*)@sub\.domain\.local
>>username-attribute: sAMAccountName
>>search-bind-dn: cn=srv_sub_gcd,ou=ServicesAuth,dc=sub,dc=domain,dc=local
>>search-bind-password: passwordXX5485
>>user-search-filter:
>> (&(&(objectClass=user)(objectCategory=person))(memberof=cn=accesso_guaca_sub,ou=Groups,dc=sub,dc=domain,dc=local))
>>
>>
>> *Luciano*
>>
>> *From:* Michael Jumper
>> *Sent:* Tuesday, August 8, 2023 12:39
>> *To:* user@guacamole.apache.org
>> *Subject:* Re: LDAP - Multiple domains
>> On 8/8/2023 12:41 AM, Molina de la Iglesia, Manuel wrote:
>>> Hello,
>>>
>>> Following with the challenge of authenticate users from two different
>>> domains, I'm applying the following settings because could be users
>>> and/or groups with exactly the same sAMAccountName on both domains:
>>>
>>> username-attribute: userPrincipalName (will be something like
>>> user@domain.local)
>>> match-username: (.*@domain\.local)
>>>
>>> This regex make sense to me because I want to capture user@domain to
>>> match with userPrincipalName but the authentication fails with the
>>> following errors:
>>>
>>> Note that "ldap-user-base-dn" is properly defined because before use
>>> this regex works properly.
>>
>> This suggests that something else has changed to cause
>> "ldap-user-base-dn" to no longer be defined, but there really is no
>> other possible cause of that error.
>>
>>> ...
>>> Aug  8 07:34:58 guacamole tomcat9[8489]: 07:34:58.924
>>> [https-openssl-nio-443-exec-3] ERROR o.a.g.rest.RESTExceptionMapper -
>>> Request could not be processed: Property ldap-user-base-dn is required.
>>>
>>
>> This error really does indicate exactly what it says: you have (somehow)
>> not specified the "ldap-user-base-dn" property that is required for LDAP
>> to be used. You must either specify this property or include the
>> "user-base-dn" property for each of the servers defined in your
>> "ldap-servers.yml".
>>
>> If you have specified "ldap-user-base-dn" in your guacamole.properties
>> but are still seeing this error, that suggests that the
>> guacamole.properties file in question is either not the file that
>> Guacamole is reading (this will be logged at startup) or possibly cannot
>> be read due to permissions (this should also be logged). It may also be
>> the case that there is a typo in your property name, or that it was
>> inadvertently commented out.
>>
>> - Mike
>>

RE: LDAP - Multiple domains

2023-08-08 Thread Luciano Oliveira
Thanks, Mike!

The original file is correct!
Just a CTRL+C, CTRL+V on this email


Luciano


From: Michael Jumper
Sent: Tuesday, August 8, 2023 12:56
To: user@guacamole.apache.org
Subject: Re: LDAP - Multiple domains

Watch out for your indentation. As-written, the YAML below is malformed
due to misaligned indentation of properties and would fail to parse.
There may be errors to that effect in your logs.

- Mike

On 8/8/2023 8:48 AM, Luciano Oliveira wrote:
> Looked this:
>
> My ldap-servers.yml to login in usuario@domain.local or
> usuario@sub.domain.local
>
> $cat /etc/guacamole/ldap-servers.yml
> - hostname: dc.domain.local
>port: 636
>encryption-method: ssl
>user-base-dn: dc=domain,dc=local
>match-usernames:
>  - LOCAL\\(.*)
>  - (.*)@domain\.local
>username-attribute: sAMAccountName
>search-bind-dn: cn=srv_gcd,ou=ServicesAuth,dc=domain,dc=local
>search-bind-password: passwordXsds224e
>user-search-filter:
> (&(&(objectClass=user)(objectCategory=person))(memberof=cn=acess_guacd,ou=Groups,dc=domain,dc=local))
>
> - hostname: dc.sub.domain.local
> port: 636
>encryption-method: ssl
> user-base-dn: dc=sub,dc=domain,dc=local
>match-usernames:
>  - SUBDOM\\(.*)
>  - (.*)@sub\.domain\.local
>username-attribute: sAMAccountName
>search-bind-dn: cn=srv_sub_gcd,ou=ServicesAuth,dc=sub,dc=domain,dc=local
>search-bind-password: passwordXX5485
>user-search-filter:
> (&(&(objectClass=user)(objectCategory=person))(memberof=cn=accesso_guaca_sub,ou=Groups,dc=sub,dc=domain,dc=local))
>
>
> *Luciano*
>
> *From:* Michael Jumper
> *Sent:* Tuesday, August 8, 2023 12:39
> *To:* user@guacamole.apache.org
> *Subject:* Re: LDAP - Multiple domains
> On 8/8/2023 12:41 AM, Molina de la Iglesia, Manuel wrote:
>> Hello,
>>
>> Following with the challenge of authenticate users from two different
>> domains, I'm applying the following settings because could be users
>> and/or groups with exactly the same sAMAccountName on both domains:
>>
>> username-attribute: userPrincipalName (will be something like
>> user@domain.local)
>> match-username: (.*@domain\.local)
>>
>> This regex make sense to me because I want to capture user@domain to
>> match with userPrincipalName but the authentication fails with the
>> following errors:
>>
>> Note that "ldap-user-base-dn" is properly defined because before use
>> this regex works properly.
>
> This suggests that something else has changed to cause
> "ldap-user-base-dn" to no longer be defined, but there really is no
> other possible cause of that error.
>
>> ...
>> Aug  8 07:34:58 guacamole tomcat9[8489]: 07:34:58.924
>> [https-openssl-nio-443-exec-3] ERROR o.a.g.rest.RESTExceptionMapper -
>> Request could not be processed: Property ldap-user-base-dn is required.
>>
>
> This error really does indicate exactly what it says: you have (somehow)
> not specified the "ldap-user-base-dn" property that is required for LDAP
> to be used. You must either specify this property or include the
> "user-base-dn" property for each of the servers defined in your
> "ldap-servers.yml".
>
> If you have specified "ldap-user-base-dn" in your guacamole.properties
> but are still seeing this error, that suggests that the
> guacamole.properties file in question is either not the file that
> Guacamole is reading (this will be logged at startup) or possibly cannot
> be read due to permissions (this should also be logged). It may also be
> the case that there is a typo in your property name, or that it was
> inadvertently commented out.
>
> - Mike
>




RE: LDAP - Multiple domains

2023-08-08 Thread Luciano Oliveira
Look at this:

My ldap-servers.yml to log in as usuario@domain.local or usuario@sub.domain.local

$cat /etc/guacamole/ldap-servers.yml
- hostname: dc.domain.local
  port: 636
  encryption-method: ssl
  user-base-dn: dc=domain,dc=local
  match-usernames:
- LOCAL\\(.*)
- (.*)@domain\.local
  username-attribute: sAMAccountName
  search-bind-dn: cn=srv_gcd,ou=ServicesAuth,dc=domain,dc=local
  search-bind-password: passwordXsds224e
  user-search-filter: 
(&(&(objectClass=user)(objectCategory=person))(memberof=cn=acess_guacd,ou=Groups,dc=domain,dc=local))

- hostname: dc.sub.domain.local
   port: 636
  encryption-method: ssl
   user-base-dn: dc=sub,dc=domain,dc=local
  match-usernames:
- SUBDOM\\(.*)
- (.*)@sub\.domain\.local
  username-attribute: sAMAccountName
  search-bind-dn: cn=srv_sub_gcd,ou=ServicesAuth,dc=sub,dc=domain,dc=local
  search-bind-password: passwordXX5485
  user-search-filter: 
(&(&(objectClass=user)(objectCategory=person))(memberof=cn=accesso_guaca_sub,ou=Groups,dc=sub,dc=domain,dc=local))


Luciano



From: Michael Jumper
Sent: Tuesday, August 8, 2023 12:39
To: user@guacamole.apache.org
Subject: Re: LDAP - Multiple domains

On 8/8/2023 12:41 AM, Molina de la Iglesia, Manuel wrote:
> Hello,
>
> Following with the challenge of authenticate users from two different
> domains, I'm applying the following settings because could be users
> and/or groups with exactly the same sAMAccountName on both domains:
>
> username-attribute: userPrincipalName (will be something like
> user@domain.local)
> match-username: (.*@domain\.local)
>
> This regex make sense to me because I want to capture user@domain to
> match with userPrincipalName but the authentication fails with the
> following errors:
>
> Note that "ldap-user-base-dn" is properly defined because before use
> this regex works properly.

This suggests that something else has changed to cause
"ldap-user-base-dn" to no longer be defined, but there really is no
other possible cause of that error.

> ...
> Aug  8 07:34:58 guacamole tomcat9[8489]: 07:34:58.924
> [https-openssl-nio-443-exec-3] ERROR o.a.g.rest.RESTExceptionMapper -
> Request could not be processed: Property ldap-user-base-dn is required.
>

This error really does indicate exactly what it says: you have (somehow)
not specified the "ldap-user-base-dn" property that is required for LDAP
to be used. You must either specify this property or include the
"user-base-dn" property for each of the servers defined in your
"ldap-servers.yml".

If you have specified "ldap-user-base-dn" in your guacamole.properties
but are still seeing this error, that suggests that the
guacamole.properties file in question is either not the file that
Guacamole is reading (this will be logged at startup) or possibly cannot
be read due to permissions (this should also be logged). It may also be
the case that there is a typo in your property name, or that it was
inadvertently commented out.

- Mike




RE: Guacamole Extensions troubles

2023-06-29 Thread Luciano Oliveira
Hi,

Make sure that the user "admin" has read access to the OU=AMG and 
OU=Utilisateur.

Best regards,

Luciano de Oliveira
---
Telecommunications Technician - CFT
Network and Server Infrastructure
NEXANS Structured Cabling Certified



From: Tifaine RIVOIRE OPTI Sécurité
Sent: Thursday, June 29, 2023 06:21
To: user@guacamole.apache.org
Subject: RE: Guacamole Extensions troubles


Hi,



After conducting further research following Nick's response, I discovered that 
I don't need a search filter, so I removed it. My goal is to allow all users in 
my Active Directory (AD) to connect to Guacamole.



However, I'm still encountering issues with LDAP authentication. Specifically, 
when I attempt to connect with a user named l.coelho from my AD, the following 
logs are generated:



08:29:44.881 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "l.coelho" using LDAP server "192.168.87.20". Proceeding with next server...

08:29:44.882 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - User "l.coelho" did not successfully authenticate against any LDAP server.

08:29:44.883 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [X.X.X.X, 192.168.254.10] for user "l.coelho" failed.





I have already verified that I can successfully telnet to port 389 of my LDAP 
server, the encryption method is set correctly as "none," and I tested the LDAP 
connectivity using the ldapsearch command, which worked fine.



Interestingly, my admin can connect to the AD without any issues, as confirmed 
by the successful log entries in my AD logs.



I suspect that there might be a problem with my LDAP configuration in the 
Docker Compose file. Could you assist me in resolving this issue?

My users are in : OU=AMG,OU=Utilisateur,DC=AMG,DC=lan

My admin in :  OU=Users,DC=AMG,DC=lan



  # LDAP Connection
  LDAP_HOSTNAME: 192.168.87.20
  LDAP_PORT: 389
  LDAP_ENCRYPTION_METHOD: "none"

  # Mapping Guacamole usernames to LDAP DN’s
  LDAP_USER_BASE_DN: "dc=AMG,dc=LAN"

  # Indirect Username Mapping
  LDAP_SEARCH_BIND_DN: CN=admin,CN=Users,DC=AMG,DC=lan
  LDAP_SEARCH_BIND_PASSWORD: password
  LDAP-USERNAME-ATTRIBUTE: sAMAccountName





Best regards,

T. RIVOIRE



From: Nick Couchman
Sent: Wednesday, June 14, 2023 14:46
To: user@guacamole.apache.org
Subject: Re: Guacamole Extensions troubles



On Wed, Jun 14, 2023 at 8:26 AM Tifaine RIVOIRE OPTI Sécurité <t.rivo...@optisecurite.fr> wrote:

Hi,



I’m testing Guacamole and I want to configure some extensions.
I already set up guacamole with docker-compose and TOTP Extension.



I have some troubles with the LDAP extension. In fact, I follow a lot of 
tutorials that show me how I can set up this one.

I copy the .jar file in extension directory but after a restart I can’t log in 
with an AD user. I’ve seen that a new directory called ldap was created (just 
like totp) with .jar & .ldif file.
I also try to create a user with same AD name and blank password in guacamole, 
I make sure to select create connection permission.

When I connect, Guacamole tell me wrong password but this is the correct one in 
my AD.
I also see some forwarded communications (through firewall) from my Guacamole 
server to my AD.



Can you help me to understand why I can’t log with an AD account ?



You'll need to take a look at the logs for the Guacamole Client container and 
see what errors might be logged to the container. You may also have to change 
the log level of Guacamole Client (LOGBACK_LEVEL environment variable) to get 
more useful information out of the system.



I do notice in the Docker Compose file you posted that you appear to be using a 
search filter that is supposed to make LDAP search nested AD groups. I'm not 
sure that this will actually work - I think there are some things that need to 
be implemented within Guacamole to support this, and I don't think those 
currently exist. You might, at the very least, try changing your search filter 
to something else - just create a single group with the users you want to have 
access and search that group, only - and see if that helps.



-Nick


RE: Guacamole 1.5.0

2023-01-03 Thread Luciano Oliveira
I am also eagerly awaiting version 1.5.0!!! 😉

Happy new year!

😄 😋

Luciano de Oliveira
E-mail: olluci...@outlook.com
Network and Server Infrastructure



From: Alejandro Hernandez
Sent: Monday, January 2, 2023 18:11
To: ApacheGuacamole MailingList
Subject: Guacamole 1.5.0


Although I really have the fidgetiness about version 1.5.0 (previously new 
guacamole versions were posted on the 1st day of the year) that's more like the 
technical justification to send the first mail of the year to this invaluable 
mail list which has solved a lot of issues for me, and wish a great and blessed 
2023 to all that contribute to help all of us out of problems!!!


Happy new year!


Get displayName ldap Active Directory

2022-08-05 Thread Luciano Oliveira
Hello!
Is it possible to fetch the displayName of the Active Directory user? In the 
database, the field would be the full name.

Currently it fetches
ldap-username-attribute: sAMAccountName

Something like:
ldap-fullname-attribute: displayName



Luciano de Oliveira
E-mail: olluci...@outlook.com



Access user guacamole by groups Active Directory

2022-07-12 Thread Luciano Oliveira
Hello,

How do you allow access to guacamole?

I configured the integration with Active Directory by groups, in this point 
everything is fine.

My issue is that every time I need to release a new user, I put him in one of 
these groups, and in order for him to be released in guacamole I have to 
restart the servlet, knocking everybody out.

Is there a sync tool?

[ ]'s


RE: NGINX LDAP Mariadb and DUO

2022-05-06 Thread Luciano Oliveira
Hello, Matt!

My configs:

Guacamole 1.4.0, NGINX, Duo Auth, MariaDB

guacamole.properties:

guacd-hostname: 127.0.0.1
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
#auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
#auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

# > MySQL Start config
mysql-hostname: <>
mysql-port: 3306
mysql-database: guacamole
mysql-username: usrguacamole
mysql-password: <>
mysql-user-password-min-length: 8
mysql-user-password-require-multiple-case: true
mysql-user-password-require-symbol: true
mysql-user-password-require-digit: true
mysql-user-password-prohibit-username: true
mysql-user-password-min-age: 7
mysql-user-password-max-age: 60
mysql-user-required: false
mysql-auto-create-accounts: true
# < end

# > LDAP Start config
ldap-hostname: <>
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=domain,DC=local
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: CN=<>,OU=UsersServices,DC=domain,DC=local
ldap-search-bind-password: <>
ldap-group-name-attribute: cn
ldap-member-attribute: member
ldap-user-search-filter:(&(&(objectClass=user)(objectCategory=person))(memberof=CN=access_guacamole,OU=GroupsServices,DC=domain,DC=local))
# < end

#  MFA Start config
duo-api-hostname: <>.duosecurity.com
duo-integration-key: <>
duo-secret-key: <>
duo-application-key: <>

#  end

nginx default file start config
##
upstream guacamole {
    server guacanew:8080;
}

server {
    listen 80;
    server_name guacamole.domain.loca;
    # Every request on port 80 is redirected to HTTPS here, so the
    # location block below is never reached.
    return 301 https://$host$request_uri;
    location / {
        proxy_pass http://guacamole/guacamole/;
        set_real_ip_from guacamole.domain.loca;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate /etc/ssl/private/cert2022.crt;
    ssl_certificate_key /etc/ssl/private/cert2022.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 is the only
    # current protocol version in this list.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://guacamole/guacamole/;
        set_real_ip_from guacamole.domain.local;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

}


[ ]'s
Luciano


From: Matt Fox
Sent: Friday, April 29, 2022 16:31
To: user@guacamole.apache.org
Subject: NGINX LDAP Mariadb and DUO

Hi,

I have a functioning deployment of Guacamole 1.4 with matching extensions for 
LDAP and JDBC-MYSQL behind a NGINX proxy for SSL.  All appears to work fine.  
When I configure and deploy the DUO plugin authentication breaks.  If I remove 
the NGINX proxy and attach to Tomcat directly, DUO secondary authentication 
works.  Does anybody know of any document I could study for guidance on fixing 
my NGINX configuration?
My current config is:

server {
   listen 443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;
   server_name taurus3.augie.edu;
   server_tokens off;
   ssl_certificate guacamole.crt;
   ssl_certificate_key guacamole.key;
   ssl_ciphers 
'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384';
   ssl_protocols TLSv1.3 TLSv1.2;
   ssl_ecdh_curve secp521r1:se

RE: Passing parameters in RDP connection

2022-03-25 Thread Luciano Oliveira
Ah.. ok ok!

Sorry...

This site references a script, maybe it will help

Single Linux Remote Application · Issue #1038 · neutrinolabs/xrdp · GitHub 
<https://github.com/neutrinolabs/xrdp/issues/1038>



From: Riccardo Ambrosio
Sent: Friday, March 25, 2022 14:16
To: user@guacamole.apache.org; user@guacamole.apache.org
Subject: RE: Passing parameters in RDP connection

Unfortunately I cannot use RemoteApp; it's not yet implemented in xRDP (the RDP 
implementation I'm using on the linux server)
On 25 Mar 2022, 18:13 +0100, Luciano Oliveira wrote:
Hi!

Do not have this option?

[inline image]

thks



From: Riccardo Ambrosio
Sent: Friday, March 25, 2022 13:50
To: user@guacamole.apache.org
Subject: Passing parameters in RDP connection

Hi there everyone,
I have what I realize could be a weird question; a little bit of context:
I'm using Guacamole to give some users access (via xRDP) to an application 
running on a Linux Server. I don't need/want them to access anything other than 
the target app. Unfortunately I cannot use the RemoteApp feature, because xRDP 
doesn't yet implement it, so I'm just using the "initial_program" parameter. 
Everything is working as intended, but now I find myself in need of passing a 
parameter to the remote application. is this at all possible in your opinion?

thank you for your help and time

Riccardo Ambrosio


RE: Passing parameters in RDP connection

2022-03-25 Thread Luciano Oliveira
Hi!

Do not have this option?

[inline image]

thks



From: Riccardo Ambrosio
Sent: Friday, March 25, 2022 13:50
To: user@guacamole.apache.org
Subject: Passing parameters in RDP connection

Hi there everyone,
I have what I realize could be a weird question; a little bit of context:
I'm using Guacamole to give some users access (via xRDP) to an application 
running on a Linux Server. I don't need/want them to access anything other than 
the target app. Unfortunately I cannot use the RemoteApp feature, because xRDP 
doesn't yet implement it, so I'm just using the "initial_program" parameter. 
Everything is working as intended, but now I find myself in need of passing a 
parameter to the remote application. is this at all possible in your opinion?

thank you for your help and time

Riccardo Ambrosio


RE: Guacamole 1.4.0 - Shared Connections

2022-01-25 Thread Luciano Oliveira
Hello,

Ok! Ok!

In connection, press shift+ctrl+alt, share, copy link and send to users!


[inline image]

In the connection configuration, new shared connection needs to be set!

From: Hankins, Jonathan
Sent: Tuesday, January 25, 2022 15:43
To: user@guacamole.apache.org
Cc: Khoe, Yonathan
Subject: Re: Guacamole 1.4.0 - Shared Connections

See here: 
https://guacamole.apache.org/doc/gug/administration.html#connection-sharing

Specifically:

Unlike connections and groups, there is no “New Sharing Profile” button. 
Sharing profiles are created through clicking the “New Sharing Profile” 
placeholders which appear when connections are expanded. Just as expanding a 
connection group reveals the connections or groups therein, expanding a 
connection reveals the sharing profiles associated with that connection. This 
holds true with both the list of connections in the connection management 
screen and the list of connections in the user editor.

On Tue, Jan 25, 2022 at 12:13 PM CVAD IT Service Desk <cvad.itservi...@unt.edu> wrote:

Good afternoon everyone.



We are using Guacamole 1.4.0 and would like to create a shared connection as 
noted in the guacamole documentation, however don’t see the “share” dialogue 
anywhere on our instance. Is this something that we have to enable in the 
guacamole configuration files on the server? We have scoured the guacamole 
documentation and have found no inferences on how to enable this functionality.



Any guidance would be appreciated. Thank you!




--
Jonathan Hankins

Homewood City Schools

W: 205-877-4548



RE: Guacamole, MySQL and LDAP groups

2022-01-19 Thread Luciano Oliveira
hello!

My guacamole.properties

# > LDAP

ldap-hostname: ldap.contoso.local
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=unisc,DC=br
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: CN=guacadmin,OU=services,DC=contoso,DC=local
ldap-search-bind-password: password202020
ldap-group-name-attribute: cn
ldap-member-attribute: member
ldap-user-search-filter: (&(&(objectClass=user)(objectCategory=person))(memberof=CN=access_guacamole,OU=services,DC=contoso,DC=local))

Set to ldap-encryption-method: none

[ ]'s
Luciano



From: Brad Saxton
Sent: Wednesday, January 19, 2022 14:43
To: user@guacamole.apache.org
Subject: Guacamole, MySQL and LDAP groups


So, I have gotten the integration of LDAP, MySQL and Active Directory working 
(using Guacamole 1.3) but the login process takes a large amount of time (> 2 
minutes). This appears to be because Guacamole is doing a large number of LDAP 
queries for groups that the user logging in belongs to even though there are no 
Guacamole groups defined with those names.

Am I missing something that could make this process quicker? My configuration 
is below but I've shortened/simplified the DN structure to be easier to read. 
Eliminating the ldap-group-base-dn & ldap-group-name-attribute has the login 
take less than 10 secs but with no group functionality of course.

Thanks in advance for any advice
Brad

guacd-hostname: localhost
guacd-port: 4822
user-mapping:   /etc/guacamole/user-mapping.xml
auth-provider: net.sourceforge.guacamole.net.auth.mariadb.MySQLDBAuthenticationProvider

ldap-port: 389
ldap-hostname: myDC.local
ldap-encryption-method: STARTTLS
ldap-search-bind-dn: CN=testacct,OU=Users,DC=local
ldap-search-bind-password: SomePassword
ldap-user-base-dn: OU=Users,DC=local
ldap-username-attribute: uid
ldap-member-attribute: member
ldap-member-attribute-type: dn
ldap-user-search-filter: (memberOf=CN=guacamoleaccess,OU=Security Groups,OU=Security,DC=local)
#
# Security groups I want to use are of the form DN=groupname,OU=Security Groups,DC=local. It should be noted
#   that there are other security groups of the form DN=othergroup,OU=otherou,OU=Security Groups,DC=local
# There are a large number of groups in this base DN but only one of them is defined as a Guacamole group
# groupname is used as the name for Guacamole groups
#
ldap-group-base-dn: OU=Security Groups,,DC=local
ldap-group-name-attribute: cn
#
# MySQL properties
#
mysql-driver: mariadb
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole
mysql-password: SomePassword
mysql-auto-create-accounts: true

--

Brad Saxton
Senior System Administrator
Infrastructure Team
Brock University | Information Technology Services
Niagara Region | 1812 Sir Isaac Brock Way | St. Catharines, ON, Canada L2S 3A1
brocku.ca | T 905-688-5550 x4761 | F 905-688-4191


RE: After Upgrade 1.3 to 1.4 no connection working

2022-01-11 Thread Luciano Oliveira
I had the same problems...

Unbelievable... Configure guacamole.properties with:

guacd-hostname: 127.0.0.1

and guacd.conf with:

[server]
bind_host = 127.0.0.1
bind_port = 4822

It worked here.


From: Mueller Florian | BMZ GmbH
Sent: Tuesday, January 11, 2022 07:03
To: user@guacamole.apache.org
Subject: After Upgrade 1.3 to 1.4 no connection working


Hi,



Update from 1.3 to 1.4 went ok. No errors and all is starting, but I cannot 
connect to any configured connections. I get an error message that the connection 
to the guacamole server is closed because of an internal error within the guacamole 
server. I only see log entries in catalina.out.

[http-nio-8080-exec-1] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - 
Creation of WebSocket tunnel to guacd failed: java.net.ConnectException: 
Verbindungsaufbau abgelehnt (Connection refused)

[info] 07:57:46.894 [http-nio-8080-exec-3] ERROR 
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: 
java.net.ConnectException: Verbindungsaufbau abgelehnt (Connection refused)



Hope you could help




RE: Proxy reverse Caddy

2022-01-06 Thread Luciano Oliveira
my server.xml

 



/var/log/tomcat9/catalina.out

[2022-01-06 09:54:35] [info] 09:54:35.449 [http-nio-8080-exec-7] INFO  
o.a.g.r.auth.AuthenticationService - User "guacaaduser" successfully 
authenticated from [192.168.16.48, 192.168.16.205]


display Remote Host in settings, history 192.168.16.205.


Debian 11, Tomcat 9, MariaDB 15.1, Guacamole 1.4.0.


-Luciano


From: Timo Nisula
Sent: Thursday, January 6, 2022 09:00
To: user@guacamole.apache.org
Subject: RE: Proxy reverse Caddy


Just tested myself also.



You need to modify the Tomcat server.xml as mentioned here: 
https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve



I am running guacamole on rootless podman, so I have copied the 
/usr/local/tomcat/conf/server.xml file from the container image and added the 
following lines just before where the Host section ends. You of course need to 
set your own internalProxies value; this IP (10.0.2.100) is for rootless podman, 
yours may be 127.0.0.1 (if on the same host).







I create guacamole with the following command:

podman run -dt --pod guac --name guacamole \
  -v ${PWD}/guac/server.xml:/usr/local/tomcat/conf/server.xml \
  --env-file=${PWD}/.env-guac docker.io/guacamole/guacamole:1.4.0



-Timo



From: Luciano Oliveira 
Sent: Thursday, January 6, 2022 13:39
To: user@guacamole.apache.org
Subject: RE: Proxy reverse Caddy



🙂



It really works great, but I'm still trying to display the remote host on 
Remote Host in settings, history



my /etc/caddy/Caddyfile

guacamole.domain.local:80 {
rewrite / /guacamole
uri strip_prefix /guacamole/*
reverse_proxy guacamole.domain.local:8080
}



Accessing via tomcat, I have the remote host information, 
http://guacamole.domain.local:8080/guacamole/





-Luciano







From: Timo Nisula <timo.nis...@nisulaforest.com>
Sent: Wednesday, January 5, 2022 13:54
To: user@guacamole.apache.org
Subject: RE: Proxy reverse Caddy



I’m also interested in using Caddy v2. Yesterday I googled a little bit and it 
should be really simple; not enough time to test…

Doc https://caddyserver.com/docs/v2-upgrade#proxy

Reverse_proxy enables Host headers, X-Forwarded-For and websocket. So 
basically, the following should be enough:

guacamole.domaain.com {
rewrite / /guacamole
reverse_proxy /guacamole guacamole:8080
}

I will test this when I have a little more time, perhaps on weekends.



-Timo





From: Luciano Oliveira <olluci...@outlook.com>
Sent: Wednesday, January 5, 2022 18:42
To: user@guacamole.apache.org
Subject: Proxy reverse Caddy



Anyone using Caddy as reverse proxy!?



thks
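
The client-address selection performed by the remote IP valve discussed in this thread, as an added example (not code from any poster or from the Tomcat or Guacamole projects). It is a simplified Python model that assumes, from the catalina.out line quoted above, that 192.168.16.205 is the Caddy host and 192.168.16.48 the browser; the function names and the 203.0.113.9 and 10.9.9.9 values are constructed, and Tomcat's separate trustedProxies list is left out.

```python
import re


def resolve_remote_ip(remote_addr, x_forwarded_for, internal_proxies):
    """Simplified model of how Tomcat's RemoteIpValve picks the client address.

    remote_addr      -- address of the TCP peer (the reverse proxy, if any)
    x_forwarded_for  -- raw X-Forwarded-For header value, or None
    internal_proxies -- regex; must match the whole address of a known proxy
    """
    known_proxy = re.compile(internal_proxies)
    # The header is honoured only when the direct peer is a known proxy;
    # otherwise any client could claim an arbitrary address.
    if not x_forwarded_for or not known_proxy.fullmatch(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: right-most entries were appended by our own
    # proxies, so the first address that is not a known proxy is the client.
    for hop in reversed(hops):
        if not known_proxy.fullmatch(hop):
            return hop
    return remote_addr  # every hop was a known proxy: keep the peer address


# Assumed roles, read off the catalina.out line quoted in the thread.
CADDY = r"192\.168\.16\.205"
BROWSER = "192.168.16.48"


def demo():
    """Constructed requests as Tomcat would see them behind Caddy."""
    return {
        # internalProxies does not match Caddy: history shows the proxy.
        "proxy_not_listed": resolve_remote_ip("192.168.16.205", BROWSER, r"127\.0\.0\.1"),
        # internalProxies matches Caddy: the browser address is recorded.
        "proxy_listed": resolve_remote_ip("192.168.16.205", BROWSER, CADDY),
        # A left-most entry that our proxy did not add is ignored.
        "forged_entry": resolve_remote_ip(
            "192.168.16.205", "203.0.113.9, " + BROWSER, CADDY),
        # Direct request to port 8080, bypassing Caddy: header not trusted.
        "direct_to_tomcat": resolve_remote_ip(BROWSER, "10.9.9.9", CADDY),
    }


if __name__ == "__main__":
    for case, address in demo().items():
        print(f"{case:18} -> {address}")
```

The first case reproduces the symptom reported in the thread (history showing 192.168.16.205); the second is the outcome once internalProxies covers the proxy address.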






RE: Proxy reverse Caddy

2022-01-06 Thread Luciano Oliveira
🙂

It really works great, but I'm still trying to display the remote host on 
Remote Host in settings, history

my /etc/caddy/Caddyfile

guacamole.domain.local:80 {
rewrite / /guacamole
uri strip_prefix /guacamole/*
reverse_proxy guacamole.domain.local:8080
}

Accessing via tomcat, I have the remote host information, 
http://guacamole.domain.local:8080/guacamole/


-Luciano



From: Timo Nisula
Sent: Wednesday, January 5, 2022 13:54
To: user@guacamole.apache.org
Subject: RE: Proxy reverse Caddy


I’m also interested in using Caddy v2. Yesterday I googled a little bit and it 
should be really simple; not enough time to test…

Doc https://caddyserver.com/docs/v2-upgrade#proxy

Reverse_proxy enables Host headers, X-Forwarded-For and websocket. So 
basically, the following should be enough:

guacamole.domaain.com {
rewrite / /guacamole
reverse_proxy /guacamole guacamole:8080
}

I will test this when I have a little more time, perhaps on weekends.



-Timo





From: Luciano Oliveira 
Sent: Wednesday, January 5, 2022 18:42
To: user@guacamole.apache.org
Subject: Proxy reverse Caddy



Anyone using Caddy as reverse proxy!?



thks






Proxy reverse Caddy

2022-01-05 Thread Luciano Oliveira
Anyone using Caddy as reverse proxy!?

thks




Settings, History -> Remote host

2021-12-21 Thread Luciano Oliveira
Hello everybody!


How to view Remote Host in settings, history?
Using Debian 11 + Guacamole 1.3.0 + Tomcat9 + MariaDB. Guacamole integrated AD.

Config server.xml




Best regards,
Luciano