Re: External keyboard with iPad

2017-11-27 Thread Mike Jumper
On Sat, Nov 25, 2017 at 10:48 PM, Greg Trasuk 
wrote:

> Hi Mike:
>
> Thanks for the reply.  Here’s the result from the keypress tester:
>
> keydown   e.keyCode=0   e.which=0   e.keyIdentifier=Unidentified
> e.key=UIKeyInputEscape  e.altKey=false  e.ctrlKey=false
> e.altGraphKey=false e.metaKey=false e.shiftKey=false
> e.location=0    e.keyLocation=0
> keypress  e.keyCode=85  e.which=85  e.keyIdentifier=
> e.key=UIKeyInputEscape  e.altKey=false  e.ctrlKey=false
> e.altGraphKey=false e.metaKey=false e.shiftKey=false
> e.location=0    e.keyLocation=0
> keyup     e.keyCode=0   e.which=0   e.keyIdentifier=Unidentified
> e.key=UIKeyInputEscape  e.altKey=false
>
> So… looks kind of funny.  The keycode reported is ’85’ which is the U
> character, but the key that’s reported is ‘UIKeyInputEscape’, which is
> clearly not ‘U’, and also not ESC (27).  Googling ‘UIKeyInputEscape’
> suggests that this is UIKit’s name for the escape key, but the keycode is
> wrong.
>
>
It's unfortunately fairly common for at least one or two JavaScript key
events and their properties to be completely incorrect. Guacamole's
keyboard handling is actually one of the more complicated parts of the
JavaScript side of the stack. We employ retrospective inspection of key
events, looking over either or both of the keydown and keypress events
depending on how reliable the associated properties are given other factors:

https://github.com/apache/incubator-guacamole-client/blob/649fd8c036861014a6064f4af3e05f309cd92973/guacamole-common-js/src/main/webapp/modules/Keyboard.js#L934-L938

In this case, iOS Safari shouldn't actually be sending a keypress event, as
that event is supposed to only be sent for keys which would result in a
printable character. It is this event which is resulting in Guacamole
interpreting the key as a "U":

https://github.com/apache/incubator-guacamole-client/blob/649fd8c036861014a6064f4af3e05f309cd92973/guacamole-common-js/src/main/webapp/modules/Keyboard.js#L940-L944

> Does Guacamole have some idea of an editable keymap?  And if it did, would
> it be looking at the ‘key’ value or the ‘keycode’ value?
>
>
The client side of things is meant to be independent of keyboard layout, so
not exactly, but it does have a mapping of known key identifiers and
known-accurate key codes (for the cases where a key code is always tied to
a specific key). In those cases, it would ignore the keypress event and
rely solely on keydown:

https://github.com/apache/incubator-guacamole-client/blob/649fd8c036861014a6064f4af3e05f309cd92973/guacamole-common-js/src/main/webapp/modules/Keyboard.js#L381-L506
https://github.com/apache/incubator-guacamole-client/blob/649fd8c036861014a6064f4af3e05f309cd92973/guacamole-common-js/src/main/webapp/modules/Keyboard.js#L174-L181

Though the "UIKeyInputEscape" identifier is non-standard, adding it to the
above list would solve the issue. Do you perhaps know of where a full list
of these UIKeyInput* names could be found? We could add them all in one
fell swoop to fix this Safari quirk going forward.

- Mike
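
An added sketch of the decision described in this reply (it is not part of the original message and is not Guacamole's Keyboard.js): when keydown carries a known key identifier the keypress is ignored, otherwise the keypress character code decides. All function and table names are hypothetical, and the event list is constructed from the tester output quoted above.

```javascript
// Added illustration, not Guacamole's Keyboard.js. All names are hypothetical.

const KEYSYM_ESCAPE = 0xFF1B; // X11 keysym for Escape

// Key identifiers that can be trusted from keydown alone (small sample).
const STANDARD_IDENTIFIERS = {
  Escape: KEYSYM_ESCAPE,
  Enter: 0xFF0D,
  Tab: 0xFF09,
};

// The same table plus the non-standard iOS Safari name from the tester output.
const WITH_IOS_IDENTIFIERS = {
  ...STANDARD_IDENTIFIERS,
  UIKeyInputEscape: KEYSYM_ESCAPE,
};

// Constructed from the keypress-tester output quoted in the thread.
const IPAD_ESCAPE_EVENTS = [
  { type: 'keydown',  keyCode: 0,  which: 0,  key: 'UIKeyInputEscape' },
  { type: 'keypress', keyCode: 85, which: 85, key: 'UIKeyInputEscape' },
  { type: 'keyup',    keyCode: 0,  which: 0,  key: 'UIKeyInputEscape' },
];

// Printable character code -> keysym. Latin-1 maps directly; other code
// points use the 0x01000000 Unicode keysym range. Control codes yield null.
function keysymFromCharCode(code) {
  if ((code >= 0x20 && code <= 0x7E) || (code >= 0xA0 && code <= 0xFF)) {
    return code;
  }
  if (code >= 0x100) return 0x01000000 | code;
  return null;
}

// Walk the recorded events and decide, per keydown, which event to believe.
function interpretKeyEvents(events, knownIdentifiers) {
  const pressed = [];
  for (let i = 0; i < events.length; i++) {
    const ev = events[i];
    if (ev.type !== 'keydown') continue; // stray keypress/keyup: no key press

    const next = events[i + 1];
    const followedByKeypress = next !== undefined && next.type === 'keypress';
    const isKnown = Object.prototype.hasOwnProperty.call(knownIdentifiers, ev.key);

    if (isKnown) {
      // keydown is authoritative; any keypress that follows is never read.
      pressed.push({ keysym: knownIdentifiers[ev.key], source: 'keydown' });
    } else if (followedByKeypress) {
      // Unknown identifier: fall back to the character the keypress reports.
      const keysym = keysymFromCharCode(next.which);
      if (keysym !== null) pressed.push({ keysym, source: 'keypress' });
    }
    if (followedByKeypress) i++; // that keypress belongs to this keydown
  }
  return pressed;
}

// Without the iOS name the Escape key is read as "U" (0x55); with it, Escape.
console.log(interpretKeyEvents(IPAD_ESCAPE_EVENTS, STANDARD_IDENTIFIERS));
console.log(interpretKeyEvents(IPAD_ESCAPE_EVENTS, WITH_IOS_IDENTIFIERS));
```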


RE: Configuring LDAP

2017-11-27 Thread harry.devine
Here’s my current /etc/guacamole/guacamole.properties file:

#MySQL properties
mysql-hostname: localhost
mysql-port:3306
mysql-database: guacdb
mysql-username: guacuser
mysql-password: guacadmin
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user:0

#LDAP properties
ldap-hostname:my.hostname
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn=Directory Manager
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
#ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com


When I use the ldap-username-attribute:cn setting, I get the error where the 
Multiple DNs are what’s being complained about.  If I use the other one (the 
commented out one above), I simply get “Authentication attempted …… failed”.  
We use the “cn=users,cn=accounts” string in other projects where we communicate 
with our LDAP server, so I’m pretty sure that’s correct.

Thanks,
Harry

From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Monday, November 27, 2017 12:38 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, you said you tried "modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm. 
Ldap-username-attribute should be an LDAP attribute name like cn. Could you 
post your complete (redacted) guacamole.properties as you have it currently?

Also, I saw that on a previous attempt today you got the log message:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN 
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user 
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, 
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]

If you have two users under your search base with uid (or cn, or whatever you 
are using for ldap-username-attribute) "harry.devine" you are going to have to 
use a more specific search base or a more unique ldap-username-attribute or a 
more restrictive search filter so that you don't get multiple matches for the 
username you are typing into the username field on the login page.

I.e., the attribute you match against has to uniquely identify the user beneath 
your search base for your query.

-Jonathan Hankins

On Mon, Nov 27, 2017, 10:10 AM Nick Couchman wrote:
On Mon, Nov 27, 2017 at 10:02 AM, wrote:
OK, so I tried that, including modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the 
Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 
xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel 
we’re getting very close.


What LDAP server are you running?  You probably mentioned it already somewhere 
in this thread, and I'm going to guess Active Directory, but just want to make 
sure?  If it's OpenLDAP then it is quite possible it is configured to disallow 
logins without some form of encryption (although I wouldn't expect the search 
bind to work in this case, but who knows).  AD doesn't usually have those 
restrictions, but depending on the environment, it actually might require 
encryption, as well.  Other than that, it would be useful to get a log from the 
LDAP server that indicates why it is failing authentication - if it believes 
the password is wrong, or if it is throwing some other sort of error.  I 
realize that you might be in an organization where you don't have access to 
that server or those logs, but, if you do, that would be helpful.

-Nick

This e-mail is intended only for the recipient and may contain confidential or 
proprietary information. If you are not the intended recipient, the review, 
distribution, duplication or retention of this message and its attachments is 
prohibited. Please notify the sender of this error immediately by reply e-mail, 
and permanently delete this message and its attachments in any form in which 
they may have been preserved.


Re: Configuring LDAP

2017-11-27 Thread Jonathan Hankins
Harry, you said you tried "modifying ldap-username-attribute to be
cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm.
Ldap-username-attribute should be an LDAP attribute name like cn. Could you
post your complete (redacted) guacamole.properties as you have it currently?

Also, I saw that on a previous attempt today you got the log message:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]

If you have two users under your search base with uid (or cn, or whatever
you are using for ldap-username-attribute) "harry.devine" you are going to
have to use a more specific search base or a more unique
ldap-username-attribute or a more restrictive search filter so that you
don't get multiple matches for the username you are typing into the
username field on the login page.

I.e., the attribute you match against has to uniquely identify the user
beneath your search base for your query.

-Jonathan Hankins

On Mon, Nov 27, 2017, 10:10 AM Nick Couchman  wrote:

> On Mon, Nov 27, 2017 at 10:02 AM,  wrote:
>
>> OK, so I tried that, including modifying ldap-username-attribute to be
>> cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the
>> Developer Tools, and the following error in /var/log/messages:
>>
>>
>>
>> Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN
>> o.a.g.r.auth.AuthenticationService - Authentication attempt from
>> xxx.xxx.xxx.xxx for user "harry.devine" failed.
>>
>>
>>
>> However, I know that the password is 100% correct.  Where to look now?  I
>> feel we’re getting very close.
>>
>>
>>
>
> What LDAP server are you running?  You probably mentioned it already
> somewhere in this thread, and I'm going to guess Active Directory, but just
> want to make sure?  If it's OpenLDAP then it is quite possible it is
> configured to disallow logins without some form of encryption (although I
> wouldn't expect the search bind to work in this case, but who knows).  AD
> doesn't usually have those restrictions, but depending on the environment,
> it actually might require encryption, as well.  Other than that, it would
> be useful to get a log from the LDAP server that indicates why it is
> failing authentication - if it believes the password is wrong, or if it is
> throwing some other sort of error.  I realize that you might be in an
> organization where you don't have access to that server or those logs, but,
> if you do, that would be helpful.
>
> -Nick
>



Re: INFO REQUIRED : Support of Shell Mode in Guacamole

2017-11-27 Thread Nick Couchman
On Mon, Nov 27, 2017 at 11:41 AM, Mike Jumper 
wrote:

> On Mon, Nov 27, 2017 at 5:25 AM, Amarjeet Singh 
> wrote:
>
>> Hi Team,
>>
>>
>> I was trying to run a program using shell command instead of Remote app.
>>
>> It seems that Guacamole doesn't support the shell command.
>>
>>
> It does.
>
>
>> Below are the parameters of freeRDP  which is used to open any program in
>> shell mode.
>>
>> */shell*
>> *Alternate shell*
>>
>
> The parameter for this in Guacamole is "initial-program":
>
> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#rdp-session-settings
>

Oops...for some reason I was thinking "shell" and "initial-program" were
different settings within RDP.  Sorry about that.

-Nick


Re: INFO REQUIRED : Is Guacamole support Bitmap Caching

2017-11-27 Thread Mike Jumper
On Mon, Nov 27, 2017 at 6:02 AM, Amarjeet Singh 
wrote:

> Hi Team,
>
> I haven't seen any parameter regarding bitmap caching in Guacamole.
>
> Is it supported in Guacamole ?
>
>
Yes. There is no parameter for controlling whether bitmap caching is used,
but it is supported. As long as the RDP server supports bitmap caching,
Guacamole will use it as well.

- Mike


RE: Configuring LDAP

2017-11-27 Thread harry.devine
OK, so I tried that, including modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the 
Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 
xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel 
we’re getting very close.

Thanks,
Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Monday, November 27, 2017 9:56 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 27, 2017 at 9:46 AM, wrote:
Update: using port 389 and none for encryption, and I had to change the search 
DN to be just cn=Directory Manager.  Now I get the following error:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN  
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user 
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, 
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]


Try disabling LDAP alias dereferencing:

ldap-dereference-aliases: never

It looks like you probably have the cn=users,cn=compat area pointed to the real 
objects (cn=users,cn=accounts), and this could be confusing the LDAP client 
when it expects uniquely-named items.  Otherwise, you'll need to narrow your 
base DN such that it only locates one or the other account.

-Nick


Re: Configuring LDAP

2017-11-27 Thread Nick Couchman
On Mon, Nov 27, 2017 at 9:46 AM,  wrote:

> Update: using port 389 and none for encryption, and I had to change the
> search DN to be just cn=Directory Manager.  Now I get the following error:
>
>
>
> Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN
> o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user
> "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
> uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
>
>
>
Try disabling LDAP alias dereferencing:

ldap-dereference-aliases: never

It looks like you probably have the cn=users,cn=compat area pointed to the
real objects (cn=users,cn=accounts), and this could be confusing the LDAP
client when it expects uniquely-named items.  Otherwise, you'll need to
narrow your base DN such that it only locates one or the other account.

-Nick
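
The misconfigurations worked through in this LDAP thread, as an added example (not code from any poster or from the Guacamole project): a checker for the LDAP lines of guacamole.properties, plus a filter showing how a narrower base DN removes the "Multiple DNs possible" ambiguity. Function names and finding codes are hypothetical; the sample configurations and DN list are constructed from values posted in the thread.

```javascript
// Added illustration, not part of Guacamole. Function names are hypothetical.

// Minimal reading of the .properties syntax: key, then '=' or ':', then the
// value to end of line. Escapes and line continuations are not handled.
function parseProperties(text) {
  const props = {};
  for (const line of text.split(/\r?\n/)) {
    if (/^\s*([#!].*)?$/.test(line)) continue; // blank line or comment
    const m = /^\s*([^=:\s]+)\s*[=:]?\s*(.*)$/.exec(line);
    if (m) props[m[1]] = m[2];
  }
  return props;
}

function lintLdapProperties(props) {
  const findings = [];
  const get = (key) => (props[key] || '').trim();

  // Quotes are not syntax here: they become part of the value, which is why
  // the log in the thread shows the search DN as ""cn=My User"".
  for (const key of Object.keys(props)) {
    if (key.startsWith('ldap-') && /^".*"$/.test(get(key))) {
      findings.push({ key, code: 'quoted-value' });
    }
  }

  // The username attribute is an attribute name (cn, uid, ...), not a DN.
  if (/[=,]/.test(get('ldap-username-attribute').replace(/"/g, ''))) {
    findings.push({ key: 'ldap-username-attribute', code: 'dn-as-attribute' });
  }

  // With no encryption the search bind password and every user's password
  // cross the network in cleartext; on port 636 the connection expects SSL.
  const method = (get('ldap-encryption-method') || 'none').toLowerCase();
  if (method === 'none') {
    const code = get('ldap-port') === '636' ? 'port-636-without-ssl' : 'cleartext-bind';
    findings.push({ key: 'ldap-encryption-method', code });
  }
  return findings;
}

// Naive DN normalisation: escaped commas inside RDN values are not handled.
const normalizeDn = (dn) =>
  dn.split(',').map((rdn) => rdn.trim().toLowerCase()).join(',');

// Which of the DNs the search matched sit beneath a given base DN?
function dnsUnderBase(dns, baseDn) {
  const base = normalizeDn(baseDn);
  return dns.filter((dn) => {
    const n = normalizeDn(dn);
    return n === base || n.endsWith(',' + base);
  });
}

// Constructed from the first configuration posted in the thread (Nov 21).
const FIRST_ATTEMPT = [
  'ldap-hostname="my-host"',
  'ldap-port=636',
  'ldap-search-bind-dn="cn=My User"',
  'ldap-user-base-dn="dc=my,dc=example,dc=com"',
  'ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"',
].join('\n');

// Constructed from the configuration posted on Nov 27.
const CURRENT_CONFIG = [
  '#LDAP properties',
  'ldap-hostname:my.hostname',
  'ldap-port:389',
  'ldap-encryption-method:none',
  'ldap-dereference-aliases:never',
  'ldap-search-bind-dn:cn=Directory Manager',
  'ldap-user-base-dn:dc=example,dc=com',
  '#ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com',
  'ldap-username-attribute:cn',
].join('\n');

// The two DNs named in the "Multiple DNs possible" log line.
const MATCHED_DNS = [
  'uid=harry.devine,cn=users,cn=compat,dc=example,dc=com',
  'uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com',
];

console.log(lintLdapProperties(parseProperties(FIRST_ATTEMPT)));
console.log(lintLdapProperties(parseProperties(CURRENT_CONFIG)));
console.log(dnsUnderBase(MATCHED_DNS, 'dc=example,dc=com').length);                       // ambiguous
console.log(dnsUnderBase(MATCHED_DNS, 'cn=users,cn=accounts,dc=example,dc=com').length);  // unique
```

The DN filter only imitates search scope on the client side; the authoritative check is still an ldapsearch against the directory with the same base DN and attribute.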


Re: Configuring LDAP

2017-11-27 Thread Jonathan Hankins
Harry,

Can you try ldapsearch from the command line against your LDAP server with
the same parameters you're using with guacamole and see if your bind still
fails?

On Mon, Nov 27, 2017, 9:32 AM  wrote:

> OK, I just tried it again with both 389/none and 636/ssl for those
> parameters, and both times I get the following errors:
>
>
>
> Nov 27 09:30:31 access server: 09:30:31.838 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> "cn=Directory Manager,dc=example,dc=com"
>
> Nov 27 09:30:31 access server: 09:30:31.839 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
>
>
> Thanks,
>
> Harry
>
> *From:* Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
> *Sent:* Monday, November 27, 2017 9:27 AM
>
>
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Harry, if you are using ldap-port:636, you probably need to specify:
>
> ldap-encryption-method: ssl
>
> I believe the default is "none".
>
> Assuming you are able to temporarily configure your LDAP server to allow
> unencrypted binds (if it isn't already), you may want to test with
> ldap-port: 389 and ldap-encryption-method: none  to make sure you have all
> of your LDAP settings correct before enabling encryption, then tackle the
> encryption.
>
> -Jonathan Hankins
>
>
>
> On Mon, Nov 27, 2017, 8:23 AM  wrote:
>
> I just got back into the office and tried what you suggested.  Whenever I
> don’t have quotes around the ldap-search-bind-dn value, the login button
> doesn’t seem to respond.  In the Network tab in Chrome’s Developer Tools,
> the /guacamole/api/tokens call always shows “(pending)” as the status
> instead of 200 or 403.
>
>
>
> Here’s what I have for my LDAP values in guacamole.properties (again,
> masking out the real values):
>
>
>
> ldap-hostname:ldap.hostname
>
> ldap-port:636
>
> ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
>
> ldap-search-bind-password:pass123
>
> ldap-user-base-dn:dc=example,dc=com
>
> ldap-username-attribute:cn
>
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
> *Sent:* Wednesday, November 22, 2017 1:41 PM
>
>
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Harry,
>
>
>
> I believe you need to fully qualify your ldap-search-bind-dn:
>
>
>
> ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com
>
>
>
> And your ldap-username-attribute should be the name of an ldap attribute
> that you want to match usernames against, such as cn:
>
>
>
> ldap-username-attribute: cn
>
>
>
> Also, unsure if the config you posted was pseudo-code, but the
> guacamole.properties file should look like:
>
>
>
> varname: this is the value to end of line
>
>
>
> See my examples above.
>
>
>
> -Jonathan Hankins
>
>
>
>
>
> On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <
> richard.hawk...@medctrbarbour.org> wrote:
>
>
>
> Restart tomcat
>
>
>
> service tomcat restart
>
>
>
> tail -f /var/log/messages
>
>
>
>
>
> Authenticated
>
>
>
>
>
>
>
> *From:* harry.dev...@faa.gov [mailto:harry.dev...@faa.gov]
> *Sent:* Tuesday, November 21, 2017 2:01 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> OK, took me a little bit to weed through some OpenLDAP config issues (it
> wasn’t installed on the server I have guacamole installed on; didn’t
> realize that at first), but I got the ldapsearch working.  So I re-enabled
> the LDAP parameters and tried again.  The page shows “Invalid Login”, but
> the following is displayed in the /var/log/messages:
>
>
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server:
> Connect Error
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> ""cn=My User""
>
> Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
>
>
> I have the LDAP parameters defined as follows in guacamole properties (I
> am masking the usernames and such):
>
> ldap-hostname="my-host"
>
> ldap-port=636
>
> ldap-search-bind-dn="cn=My User"
>
> ldap-search-bind-password="Pass123"
>
> ldap-user-base-dn="dc=my,dc=example,dc=com"
>
> ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
>
> ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
>
>
>
> Ideas?
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vn...@apache.org]
> *Sent:* Tuesday, November 21, 2017 9:20 AM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Tue, Nov 21, 2017 at 8:10 AM,  wrote:
>
> I set 

RE: Configuring LDAP

2017-11-27 Thread harry.devine
Update: using port 389 and none for encryption, and I had to change the search 
DN to be just cn=Directory Manager.  Now I get the following error:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN  
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user 
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, 
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
Nov 27 09:42:01 access server: 09:42:01.917 [http-bio-8080-exec-6] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 
xxx.xxx.xxx.xxx for user "harry.devine" failed.

When I tried port 636 and encryption set to SSL, I get “Unable to bind using 
search DN “cn=Directory Manager”.  Ultimately, we need to have SSL working, so 
any help with first: logging in, then second, logging in via SSL/636 would be 
great.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 27, 2017 9:32 AM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, I just tried it again with both 389/none and 636/ssl for those parameters, 
and both times I get the following errors:

Nov 27 09:30:31 access server: 09:30:31.838 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
"cn=Directory Manager,dc=example,dc=com"
Nov 27 09:30:31 access server: 09:30:31.839 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

Thanks,
Harry
From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Monday, November 27, 2017 9:27 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, if you are using ldap-port:636, you probably need to specify:

ldap-encryption-method: ssl

I believe the default is "none".

Assuming you are able to temporarily configure your LDAP server to allow 
unencrypted binds (if it isn't already), you may want to test with ldap-port: 
389 and ldap-encryption-method: none  to make sure you have all of your LDAP 
settings correct before enabling encryption, then tackle the encryption.
-Jonathan Hankins

On Mon, Nov 27, 2017, 8:23 AM wrote:
I just got back into the office and tried what you suggested.  Whenever I don’t 
have quotes around the ldap-search-bind-dn value, the login button doesn’t seem 
to respond.  In the Network tab in Chrome’s Developer Tools, the 
/guacamole/api/tokens call always shows “(pending)” as the status instead of 
200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking 
out the real values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins 
[mailto:jhank...@homewood.k12.al.us]
Sent: Wednesday, November 22, 2017 1:41 PM

To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that 
you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the 
guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard wrote:

Restart tomcat

service tomcat restart

tail -f /var/log/messages


Authenticated



From: harry.dev...@faa.gov 
[mailto:harry.dev...@faa.gov]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t 
installed on the server I have guacamole installed on; didn’t realize that at 
first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters 
and tried again.  The page shows “Invalid Login”, but the following is 
displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect 
Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" 

RE: Configuring LDAP

2017-11-27 Thread harry.devine
OK, I just tried it again with both 389/none and 636/ssl for those parameters, 
and both times I get the following errors:

Nov 27 09:30:31 access server: 09:30:31.838 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
"cn=Directory Manager,dc=example,dc=com"
Nov 27 09:30:31 access server: 09:30:31.839 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

Thanks,
Harry
From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Monday, November 27, 2017 9:27 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, if you are using ldap-port:636, you probably need to specify:

ldap-encryption-method: ssl

I believe the default is "none".

Assuming you are able to temporarily configure your LDAP server to allow 
unencrypted binds (if it isn't already), you may want to test with ldap-port: 
389 and ldap-encryption-method: none  to make sure you have all of your LDAP 
settings correct before enabling encryption, then tackle the encryption.
-Jonathan Hankins

On Mon, Nov 27, 2017, 8:23 AM wrote:
I just got back into the office and tried what you suggested.  Whenever I don’t 
have quotes around the ldap-search-bind-dn value, the login button doesn’t seem 
to respond.  In the Network tab in Chrome’s Developer Tools, the 
/guacamole/api/tokens call always shows “(pending)” as the status instead of 
200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking 
out the real values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins 
[mailto:jhank...@homewood.k12.al.us]
Sent: Wednesday, November 22, 2017 1:41 PM

To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that 
you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the 
guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard wrote:

Restart tomcat

service tomcat restart

tail -f /var/log/messages


Authenticated



From: harry.dev...@faa.gov 
[mailto:harry.dev...@faa.gov]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t 
installed on the server I have guacamole installed on; didn’t realize that at 
first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters 
and tried again.  The page shows “Invalid Login”, but the following is 
displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect 
Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am 
masking the usernames and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, wrote:
I set SELinux to permissive and put the LDAP extension back (its under 
/usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try 
to log in using an LDAP user.  I click Login and on the Network tab, it shows 
tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any 
further.


Re: Configuring LDAP

2017-11-27 Thread Jonathan Hankins
Harry, if you are using ldap-port:636, you probably need to specify:

ldap-encryption-method: ssl

I believe the default is "none".

Assuming you are able to temporarily configure your LDAP server to allow
unencrypted binds (if it isn't already), you may want to test with
ldap-port: 389 and ldap-encryption-method: none  to make sure you have all
of your LDAP settings correct before enabling encryption, then tackle the
encryption.
-Jonathan Hankins

On Mon, Nov 27, 2017, 8:23 AM  wrote:

> I just got back into the office and tried what you suggested.  Whenever I
> don’t have quotes around the ldap-search-bind-dn value, the login button
> doesn’t seem to respond.  In the Network tab in Chrome’s Developer Tools,
> the /guacamole/api/tokens call always shows “(pending)” as the status
> instead of 200 or 403.
>
>
>
> Here’s what I have for my LDAP values in guacamole.properties (again,
> masking out the real values):
>
>
>
> ldap-hostname:ldap.hostname
>
> ldap-port:636
>
> ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
>
> ldap-search-bind-password:pass123
>
> ldap-user-base-dn:dc=example,dc=com
>
> ldap-username-attribute:cn
>
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
> *Sent:* Wednesday, November 22, 2017 1:41 PM
>
>
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Harry,
>
>
>
> I believe you need to fully qualify your ldap-search-bind-dn:
>
>
>
> ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com
>
>
>
> And your ldap-username-attribute should be the name of an ldap attribute
> that you want to match usernames against, such as cn:
>
>
>
> ldap-username-attribute: cn
>
>
>
> Also, unsure if the config you posted was pseudo-code, but the
> guacamole.properties file should look like:
>
>
>
> varname: this is the value to end of line
>
>
>
> See my examples above.
>
>
>
> -Jonathan Hankins
>
>
>
>
>
> On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <
> richard.hawk...@medctrbarbour.org> wrote:
>
>
>
> Restart tomcat
>
>
>
> service tomcat restart
>
>
>
> tail -f /var/log/messages
>
>
>
>
>
> Authenticated
>
>
>
>
>
>
>
> *From:* harry.dev...@faa.gov [mailto:harry.dev...@faa.gov]
> *Sent:* Tuesday, November 21, 2017 2:01 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> OK, took me a little bit to weed through some OpenLDAP config issues (it
> wasn’t installed on the server I have guacamole installed on; didn’t
> realize that at first), but I got the ldapsearch working.  So I re-enabled
> the LDAP parameters and tried again.  The page shows “Invalid Login”, but
> the following is displayed in the /var/log/messages:
>
>
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server:
> Connect Error
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> ""cn=My User""
>
> Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
>
>
> I have the LDAP parameters defined as follows in guacamole properties (I
> am masking the usernames and such):
>
> ldap-hostname="my-host"
>
> ldap-port=636
>
> ldap-search-bind-dn="cn=My User"
>
> ldap-search-bind-password="Pass123"
>
> ldap-user-base-dn="dc=my,dc=example,dc=com"
>
> ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
>
> ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
>
>
>
> Ideas?
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vn...@apache.org]
> *Sent:* Tuesday, November 21, 2017 9:20 AM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Tue, Nov 21, 2017 at 8:10 AM,  wrote:
>
> I set SELinux to permissive and put the LDAP extension back (its under
> /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and
> try to log in using an LDAP user.  I click Login and on the Network tab, it
> shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never
> gets any further.
>
>
>
>
>
> Okay...on the system where you're running Tomcat, can you make sure the
> OpenLDAP client utilities are installed and then use "ldapsearch" to query
> the same LDAP server that you're trying to use in Guacamole?  Something
> like this:
>
>
>
> ldapsearch -H ldap:// -D  -W -b  cn= User In LDAP>
>
>
>
> ...substituting in the above parameters and make sure you get a response?
>
>
>
> -Nick
>
>
> This e-mail is intended only for the recipient and may contain
> confidential or proprietary information. If you are not the intended
> recipient, the review, distribution, duplication or retention of this
> message and its attachments is prohibited. Please notify 

INFO REQUIRED : Is Guacamole support Bitmap Caching

2017-11-27 Thread Amarjeet Singh
Hi Team,


I haven't seen any parameter regarding bitmap caching in Guacamole.

Is it supported in Guacamole?


Thanks and Regards,
Amarjeet Singh


RE: Configuring LDAP

2017-11-27 Thread harry.devine
I just got back into the office and tried what you suggested.  Whenever I don’t 
have quotes around the ldap-search-bind-dn value, the login button doesn’t seem 
to respond.  In the Network tab in Chrome’s Developer Tools, the 
/guacamole/api/tokens call always shows “(pending)” as the status instead of 
200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking 
out the real values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Wednesday, November 22, 2017 1:41 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that 
you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the 
guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard wrote:

Restart tomcat

Service tomcat restart..

Tail –f /var/log/messages


Authenticated



From: harry.dev...@faa.gov [mailto:harry.dev...@faa.gov]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t 
installed on the server I have guacamole installed on; didn’t realize that at 
first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters 
and tried again.  The page shows “Invalid Login”, but the following is 
displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect 
Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am 
masking the usernames and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, wrote:
I set SELinux to permissive and put the LDAP extension back (it's under 
/usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try 
to log in using an LDAP user.  I click Login and on the Network tab, it shows 
tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any 
further.


Okay...on the system where you're running Tomcat, can you make sure the 
OpenLDAP client utilities are installed and then use "ldapsearch" to query the 
same LDAP server that you're trying to use in Guacamole?  Something like this:

ldapsearch -H ldap:// -D  -W -b  cn=

...substituting in the above parameters and make sure you get a response?

-Nick

This e-mail is intended only for the recipient and may contain confidential or 
proprietary information. If you are not the intended recipient, the review, 
distribution, duplication or retention of this message and its attachments is 
prohibited. Please notify the sender of this error immediately by reply e-mail, 
and permanently delete this message and its attachments in any form in which 
they may have been preserved.
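
The configuration mistakes raised in this thread (quoted values, which the log line `Unable to bind using search DN ""cn=My User""` shows being passed through as part of the DN, a bind DN that is not fully qualified, and a DN supplied where an attribute name belongs) can be checked mechanically before restarting Tomcat. The following is an added example, not code from the thread or from the Guacamole project; the function names are hypothetical, the parser is a simplified reading of the `key: value` / `key=value` format, the single-RDN check is a heuristic, and the sample inputs are constructed from the masked values posted above.

```python
import re

LINE_RE = re.compile(r"\s*([^\s=:]+)\s*[=:]?\s*(.*)")

def parse_properties(text):
    """Simplified java.util.Properties parse: 'key: value' or 'key=value'.
    Quotes are not syntax in this format; they stay in the value."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue  # blank line or comment
        m = LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def lint_ldap(props):
    """Return (key, message) findings for the mistakes discussed in the thread."""
    findings = []
    for key, raw in props.items():
        if not key.startswith("ldap-"):
            continue
        value = raw.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            findings.append((key, "quotes are kept as part of the value"))
            value = value[1:-1]  # keep checking what the author meant
        # Heuristic: naive split on unescaped commas; one RDN looks relative.
        rdns = [r for r in re.split(r"(?<!\\),", value) if r.strip()]
        if key == "ldap-search-bind-dn" and len(rdns) < 2:
            findings.append((key, "single RDN; confirm this is the full DN"))
        if key == "ldap-username-attribute" and re.search(r"[=,]", value):
            findings.append((key, "expected an attribute name such as cn"))
    return findings

# Constructed samples, using the masked values posted in the thread.
AS_FIRST_POSTED = '''ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
'''
AS_SUGGESTED = '''ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com
ldap-username-attribute: cn
'''

if __name__ == "__main__":
    for key, message in lint_ldap(parse_properties(AS_FIRST_POSTED)):
        print(f"{key}: {message}")
```
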


Re: cconfig.setParameter not setting parameter on specific Parameters

2017-11-27 Thread Mike Jumper
On Sun, Nov 26, 2017 at 7:31 AM, messido  wrote:

> ...
>
> Here's my code after completely squeezing my brain trying to figure it
> out..
>
>
Your code seems to have been filtered before it went out on the mailing
list, I presume by Nabble. It wasn't actually included in the email. Could
you post your code somewhere and link to it?

- Mike