Re: X Forwarding on an SSH connection

[Nick Couchman]

On Fri, Dec 1, 2017 at 15:53  wrote:

> Is it possible to forward X  when connected to an SSH session in
> guacamole?  For example, if I was connected and wanted to edit a file using
> gedit in Linux, how can we make that work?
>
>
>

Not using SSH, no.  Guacamole does not implement an X server.  You could do
this with VNC or run xrdp on the Linux host, but that's about it.  Mike is
currently working on a X.org video driver that talks the guacamole
protocol,  which will also work, but that's not done, yet.

-Nick

X Forwarding on an SSH connection

[harry.devine]

Is it possible to forward X  when connected to an SSH session in guacamole?  
For example, if I was connected and wanted to edit a file using gedit in Linux, 
how can we make that work?

Thanks,
Harry

Harry Devine
DOT/FAA/AJM-2412
Common ARTS Software Development
Terminal Server (NASDAC) Adminstrator
Red Hat Certfied System Adminstrator (RHCSA)
harry.dev...@faa.gov
(609)485-4218
Building 300, 3rd Floor, Column L20 (3L20)

RE: Configuring LDAP

[harry.devine]

OK, I was able to get it working better now.  In our system, cn is the Common 
Name, but the user id is retrieved by the uid property.  Once I set it to that, 
I was able to get in fine.  Now onto trying to get port 636 to work.

Thanks,
Harry

From: Mike Jumper [mailto:mike.jum...@guac-dev.org]
Sent: Friday, December 01, 2017 2:59 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Fri, Dec 1, 2017 at 10:37 AM, 
> wrote:
OK I was able to get it to log in.  Here’s what I changed in my 
guacamole.properties to make it work:
ldap-search-bind-dn:cn=”Directory Manager”
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com

So the user logs in fine, but in /var/log/messages, I get the following errors 
that I’m not sure are relevant or not:
Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO  
o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully 
authenticated from 172.31.26.216.
Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN  
o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon Moen".
Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN  
o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve 
Smith".
Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN  
o.a.g.auth.ldap.user.UserService - Could not query list of all users for 
attribute "cn": Error while querying users.

Guacamole is warning you that you have multiple users which map to the same 
username. Those users will likely be unable to log in, as Guacamole will not be 
able to determine with certainty which DN corresponds to those usernames.

You need to double-check your LDAP directory structure with respect to the 
configuration within guacamole.properties to determine why multiple users 
(multiple, distinct DNs) map to the same username. Something within the LDAP 
directory structure, the configuration, or both, is causing sanity checks for 
username uniqueness to fail, and the underlying problem needs to be corrected 
for things to work as expected.

- Mike

RE: Configuring LDAP

[harry.devine]

Just wondering if anyone has any ideas on how the LDAP is configured below?  
This still isn’t working for me and I’d like to know why.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 27, 2017 1:49 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

Here’s my current /etc/guacamole/guacamole.properties file:

#MySQL properties
mysql-hostname: localhost
mysql-port:3306
mysql-database: guacdb
mysql-username: guacuser
mysql-password: guacadmin
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user:0

#LDAP properties
ldap-hostname:my.hostname
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn=Directory Manager
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
#ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com


When I use the ldap-username-attribute:cn setting, I get the error where the 
Multiple DNs are what’s being complained about.  If I use the other one (the 
commented out one above), I simply get “Authentication attempted …… failed”.  
We use the “cn=users,cn=accounts” string in other projects where we communicate 
with our LDAP server, so I’m pretty sure that’s correct.

Thanks,
Harry

From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Monday, November 27, 2017 12:38 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, you said you tried "modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm. 
Ldap-username-attribute should be an LDAP attribute name like cn. Could you 
post your complete (redacted) guacamole.properties as you have it currently?

Also, I saw that on a previous attempt today you got the log message:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN 
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user 
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, 
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]

If you have two users under your search base with uid (or cn, or whatever you 
are using for ldap-username-attribute) "harry.devine" you are going to have to 
use a more specific search base or a more unique ldap-username-attribute or a 
more restrictive search filter so that you don't get multiple matches for the 
username you are typing into the username field on the login page.

I.e., the attribute you match against has to uniquely identify the user beneath 
your search base for your query.

-Jonathan Hankins

On Mon, Nov 27, 2017, 10:10 AM Nick Couchman 
> wrote:
On Mon, Nov 27, 2017 at 10:02 AM, 
> wrote:
OK, so I tried that, including modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the 
Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 
xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel 
we’re getting very close.


What LDAP server are you running?  You probably mentioned it already somewhere 
in this thread, and I'm going to guess Active Directory, but just want to make 
sure?  If it's OpenLDAP then it is quite possible it is configured to disallow 
logins without some form of encryption (although I wouldn't expect the search 
bind to work in this case, but who knows).  AD doesn't usually have those 
restrictions, but depending on the environment, it actually might require 
encryption, as well.  Other than that, it would be useful to get a log from the 
LDAP server that indicates why it is failing authentication - if it believes 
the password is wrong, or if it is throwing some other sort of error.  I 
realize that you might be in an organization where you don't have access to 
that server or those logs, but, if you do, that would be helpful.

-Nick

This e-mail is intended only for the recipient and may contain confidential or 
proprietary information. If you are not the intended recipient, the review, 
distribution, duplication or retention of this message and its attachments is 
prohibited. Please notify the sender of this error immediately by reply e-mail, 
and permanently delete this message and its attachments in any form in which 
they may have been preserved.

Re: cconfig.setParameter not setting parameter on specific Paramaters

[messido]

This is the connection url I use to connect guacamole-common-js to
guacamole-common (I've cut out some headers that mean nothing to guacamole)

"host=109.168.97.XXX=rdp=3389=ItsAFreeRDP=NoReally=false=true=1080=720=true=true=true"

P.S. if there's a better way to communicate my host password please let me
know :)


Apologies for the repeated inquiries.



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/