RE: Configuring LDAP

2017-12-01 Thread harry.devine
OK, I was able to get it working better now.  In our system, cn is the Common 
Name, but the user id is retrieved by the uid property.  Once I set it to that, 
I was able to get in fine.  Now onto trying to get port 636 to work.

Thanks,
Harry

From: Mike Jumper [mailto:mike.jum...@guac-dev.org]
Sent: Friday, December 01, 2017 2:59 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Fri, Dec 1, 2017 at 10:37 AM, <harry.dev...@faa.gov> wrote:
OK I was able to get it to log in.  Here’s what I changed in my 
guacamole.properties to make it work:
ldap-search-bind-dn:cn="Directory Manager"
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com

So the user logs in fine, but in /var/log/messages, I get the following errors 
that I’m not sure are relevant or not:
Dec  1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO  
o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully 
authenticated from 172.31.26.216.
Dec  1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN  
o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon Moen".
Dec  1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN  
o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve 
Smith".
Dec  1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN  
o.a.g.auth.ldap.user.UserService - Could not query list of all users for 
attribute "cn": Error while querying users.

Guacamole is warning you that you have multiple users which map to the same 
username. Those users will likely be unable to log in, as Guacamole will not be 
able to determine with certainty which DN corresponds to those usernames.

You need to double-check your LDAP directory structure with respect to the 
configuration within guacamole.properties to determine why multiple users 
(multiple, distinct DNs) map to the same username. Something within the LDAP 
directory structure, the configuration, or both, is causing sanity checks for 
username uniqueness to fail, and the underlying problem needs to be corrected 
for things to work as expected.

- Mike
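The uniqueness rule Mike and Jonathan describe (one typed username must resolve to exactly one DN beneath ldap-user-base-dn) can be checked before touching Guacamole. The script below is an added example, not Guacamole's code: it replays the extension's lookup against a small in-memory directory constructed to match the DNs in the "Multiple DNs possible" warning from earlier in this thread, so it runs offline. The entry contents, the helper names and the simplified DN handling (no escaped commas, no multi-valued RDNs) are my assumptions; against a live server the equivalent query is `ldapsearch -x -H ldap://my.hostname:389 -D 'cn=Directory Manager' -W -b 'dc=example,dc=com' '(uid=harry.devine)' dn`, which is the command-line test Jonathan asks for further down.

```python
"""Replay of the Guacamole LDAP extension's username lookup.

Added example, not Guacamole code. The directory below is constructed to
match the two DNs quoted in the "Multiple DNs possible" warning; the real
attribute values on that server are unknown and are assumptions here.
"""
from typing import Dict, List

# Constructed directory. The same person exists under cn=users,cn=compat and
# cn=users,cn=accounts, the shape that produced the warning in the thread.
DIRECTORY: List[Dict] = [
    {"dn": "uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com",
     "uid": ["harry.devine"], "cn": ["Harry Devine"]},
    {"dn": "uid=harry.devine,cn=users,cn=compat,dc=example,dc=com",
     "uid": ["harry.devine"], "cn": ["Harry Devine"]},
    {"dn": "uid=jmoen,cn=users,cn=accounts,dc=example,dc=com",
     "uid": ["jmoen"], "cn": ["Jon Moen"]},
    {"dn": "uid=jmoen,cn=users,cn=compat,dc=example,dc=com",
     "uid": ["jmoen"], "cn": ["Jon Moen"]},
    {"dn": "cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
     "cn": ["admins"]},
]


def _rdns(dn: str) -> List[str]:
    """Split a DN into RDNs, normalising case and whitespace.
    Simplified: escaped commas and multi-valued RDNs are not handled."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn or lies beneath it (subtree scope)."""
    dn_parts, base_parts = _rdns(dn), _rdns(base_dn)
    return (len(dn_parts) >= len(base_parts)
            and dn_parts[-len(base_parts):] == base_parts)


def find_user_dns(directory, base_dn: str, username_attribute: str,
                  username: str) -> List[str]:
    """Equivalent of: ldapsearch -b <base_dn> '(<attr>=<username>)' dn
    with exact, case-insensitive matching of the attribute value."""
    wanted = username.lower()
    return [
        entry["dn"] for entry in directory
        if is_under(entry["dn"], base_dn)
        and any(v.lower() == wanted
                for v in entry.get(username_attribute, []))
    ]


def resolve_user(directory, base_dn: str, username_attribute: str,
                 username: str) -> str:
    """Mimic the extension's decision: exactly one DN or the login fails.
    Returns 'ok:<dn>', 'ambiguous:<n>' or 'not-found', which is why a
    correct password can still end as 'Authentication attempt ... failed'."""
    dns = find_user_dns(directory, base_dn, username_attribute, username)
    if len(dns) == 1:
        return "ok:" + dns[0]
    if dns:
        return "ambiguous:%d" % len(dns)
    return "not-found"


def audit_uniqueness(directory, base_dn: str,
                     username_attribute: str) -> Dict[str, List[str]]:
    """Pre-flight check over the whole base: every attribute value that maps
    to more than one DN. An empty dict means the base/attribute pair is safe."""
    seen: Dict[str, List[str]] = {}
    for entry in directory:
        if not is_under(entry["dn"], base_dn):
            continue
        for value in entry.get(username_attribute, []):
            seen.setdefault(value.lower(), []).append(entry["dn"])
    return {value: dns for value, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    # Broad base: both trees match, so the login is rejected as ambiguous.
    print(resolve_user(DIRECTORY, "dc=example,dc=com", "uid", "harry.devine"))
    # Narrowed base, as Harry ended up doing: one DN, login proceeds.
    print(resolve_user(DIRECTORY, "cn=users,cn=accounts,dc=example,dc=com",
                       "uid", "harry.devine"))
    # cn holds the display name here, so matching the typed id against cn
    # finds nothing even though the password is right.
    print(resolve_user(DIRECTORY, "cn=users,cn=accounts,dc=example,dc=com",
                       "cn", "harry.devine"))
    print(audit_uniqueness(DIRECTORY, "dc=example,dc=com", "uid"))
```

`audit_uniqueness` is the check worth running once per candidate base DN before deploying: if it returns anything, some user will hit the ambiguity path regardless of what they type.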



RE: Configuring LDAP

2017-12-01 Thread harry.devine
Just wondering if anyone has any ideas on how the LDAP is configured below?  
This still isn’t working for me and I’d like to know why.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 27, 2017 1:49 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

Here’s my current /etc/guacamole/guacamole.properties file:

#MySQL properties
mysql-hostname: localhost
mysql-port:3306
mysql-database: guacdb
mysql-username: guacuser
mysql-password: guacadmin
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user:0

#LDAP properties
ldap-hostname:my.hostname
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn=Directory Manager
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
#ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com


When I use the ldap-username-attribute:cn setting, I get the error where the 
Multiple DNs are what’s being complained about.  If I use the other one (the 
commented out one above), I simply get “Authentication attempted …… failed”.  
We use the “cn=users,cn=accounts” string in other projects where we communicate 
with our LDAP server, so I’m pretty sure that’s correct.

Thanks,
Harry

From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Monday, November 27, 2017 12:38 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, you said you tried "modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm. 
Ldap-username-attribute should be an LDAP attribute name like cn. Could you 
post your complete (redacted) guacamole.properties as you have it currently?

Also, I saw that on a previous attempt today you got the log message:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN 
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user 
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, 
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]

If you have two users under your search base with uid (or cn, or whatever you 
are using for ldap-username-attribute) "harry.devine" you are going to have to 
use a more specific search base or a more unique ldap-username-attribute or a 
more restrictive search filter so that you don't get multiple matches for the 
username you are typing into the username field on the login page.

I.e., the attribute you match against has to uniquely identify the user beneath 
your search base for your query.

-Jonathan Hankins

On Mon, Nov 27, 2017, 10:10 AM Nick Couchman <vn...@apache.org> wrote:
On Mon, Nov 27, 2017 at 10:02 AM, <harry.dev...@faa.gov> wrote:
OK, so I tried that, including modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the 
Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 
xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel 
we’re getting very close.


What LDAP server are you running?  You probably mentioned it already somewhere 
in this thread, and I'm going to guess Active Directory, but just want to make 
sure?  If it's OpenLDAP then it is quite possible it is configured to disallow 
logins without some form of encryption (although I wouldn't expect the search 
bind to work in this case, but who knows).  AD doesn't usually have those 
restrictions, but depending on the environment, it actually might require 
encryption, as well.  Other than that, it would be useful to get a log from the 
LDAP server that indicates why it is failing authentication - if it believes 
the password is wrong, or if it is throwing some other sort of error.  I 
realize that you might be in an organization where you don't have access to 
that server or those logs, but, if you do, that would be helpful.

-Nick

This e-mail is intended only for the recipient and may contain confidential or 
proprietary information. If you are not the intended recipient, the review, 
distribution, duplication or retention of this message and its attachments is 
prohibited. Please notify the sender of this error immediately by reply e-mail, 
and permanently delete this message and its attachments in any form in which 
they may have been preserved.


RE: Configuring LDAP

2017-11-27 Thread harry.devine
Here’s my current /etc/guacamole/guacamole.properties file:

#MySQL properties
mysql-hostname: localhost
mysql-port:3306
mysql-database: guacdb
mysql-username: guacuser
mysql-password: guacadmin
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user:0

#LDAP properties
ldap-hostname:my.hostname
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn=Directory Manager
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
#ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com


When I use the ldap-username-attribute:cn setting, I get the error where the 
Multiple DNs are what’s being complained about.  If I use the other one (the 
commented out one above), I simply get “Authentication attempted …… failed”.  
We use the “cn=users,cn=accounts” string in other projects where we communicate 
with our LDAP server, so I’m pretty sure that’s correct.

Thanks,
Harry

From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Monday, November 27, 2017 12:38 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, you said you tried "modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm. 
Ldap-username-attribute should be an LDAP attribute name like cn. Could you 
post your complete (redacted) guacamole.properties as you have it currently?

Also, I saw that on a previous attempt today you got the log message:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN 
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user 
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, 
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]

If you have two users under your search base with uid (or cn, or whatever you 
are using for ldap-username-attribute) "harry.devine" you are going to have to 
use a more specific search base or a more unique ldap-username-attribute or a 
more restrictive search filter so that you don't get multiple matches for the 
username you are typing into the username field on the login page.

I.e., the attribute you match against has to uniquely identify the user beneath 
your search base for your query.

-Jonathan Hankins

On Mon, Nov 27, 2017, 10:10 AM Nick Couchman <vn...@apache.org> wrote:
On Mon, Nov 27, 2017 at 10:02 AM, <harry.dev...@faa.gov> wrote:
OK, so I tried that, including modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the 
Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 
xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel 
we’re getting very close.


What LDAP server are you running?  You probably mentioned it already somewhere 
in this thread, and I'm going to guess Active Directory, but just want to make 
sure?  If it's OpenLDAP then it is quite possible it is configured to disallow 
logins without some form of encryption (although I wouldn't expect the search 
bind to work in this case, but who knows).  AD doesn't usually have those 
restrictions, but depending on the environment, it actually might require 
encryption, as well.  Other than that, it would be useful to get a log from the 
LDAP server that indicates why it is failing authentication - if it believes 
the password is wrong, or if it is throwing some other sort of error.  I 
realize that you might be in an organization where you don't have access to 
that server or those logs, but, if you do, that would be helpful.

-Nick



Re: Configuring LDAP

2017-11-27 Thread Jonathan Hankins
Harry, you said you tried "modifying ldap-username-attribute to be
cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm.
Ldap-username-attribute should be an LDAP attribute name like cn. Could you
post your complete (redacted) guacamole.properties as you have it currently?

Also, I saw that on a previous attempt today you got the log message:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]

If you have two users under your search base with uid (or cn, or whatever
you are using for ldap-username-attribute) "harry.devine" you are going to
have to use a more specific search base or a more unique
ldap-username-attribute or a more restrictive search filter so that you
don't get multiple matches for the username you are typing into the
username field on the login page.

I.e., the attribute you match against has to uniquely identify the user
beneath your search base for your query.

-Jonathan Hankins

On Mon, Nov 27, 2017, 10:10 AM Nick Couchman wrote:

> On Mon, Nov 27, 2017 at 10:02 AM, wrote:
>
>> OK, so I tried that, including modifying ldap-username-attribute to be
>> cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the
>> Developer Tools, and the following error in /var/log/messages:
>>
>> Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN
>> o.a.g.r.auth.AuthenticationService - Authentication attempt from
>> xxx.xxx.xxx.xxx for user "harry.devine" failed.
>>
>> However, I know that the password is 100% correct.  Where to look now?  I
>> feel we’re getting very close.
>>
>
> What LDAP server are you running?  You probably mentioned it already
> somewhere in this thread, and I'm going to guess Active Directory, but just
> want to make sure?  If it's OpenLDAP then it is quite possible it is
> configured to disallow logins without some form of encryption (although I
> wouldn't expect the search bind to work in this case, but who knows).  AD
> doesn't usually have those restrictions, but depending on the environment,
> it actually might require encryption, as well.  Other than that, it would
> be useful to get a log from the LDAP server that indicates why it is
> failing authentication - if it believes the password is wrong, or if it is
> throwing some other sort of error.  I realize that you might be in an
> organization where you don't have access to that server or those logs, but,
> if you do, that would be helpful.
>
> -Nick
>


RE: Configuring LDAP

2017-11-27 Thread harry.devine
OK, so I tried that, including modifying ldap-username-attribute to be 
cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the 
Developer Tools, and the following error in /var/log/messages:

Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 
xxx.xxx.xxx.xxx for user "harry.devine" failed.

However, I know that the password is 100% correct.  Where to look now?  I feel 
we’re getting very close.

Thanks,
Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Monday, November 27, 2017 9:56 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 27, 2017 at 9:46 AM, <harry.dev...@faa.gov> wrote:
Update: using port 389 and none for encryption, and I had to change the search 
DN to be just cn=Directory Manager.  Now I get the following error:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN  
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user 
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, 
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]


Try disabling LDAP alias dereferencing:

ldap-dereference-aliases: never

It looks like you probably have the cn=users,cn=compat area pointed to the real 
objects (cn=users,cn=accounts), and this could be confusing the LDAP client 
when it expects uniquely-named items.  Otherwise, you'll need to narrow your 
base DN such that it only locates one or the other account.

-Nick


Re: Configuring LDAP

2017-11-27 Thread Nick Couchman
On Mon, Nov 27, 2017 at 9:46 AM, wrote:

> Update: using port 389 and none for encryption, and I had to change the
> search DN to be just cn=Directory Manager.  Now I get the following error:
>
> Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN
> o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user
> "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
> uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
>
Try disabling LDAP alias dereferencing:

ldap-dereference-aliases: never

It looks like you probably have the cn=users,cn=compat area pointed to the
real objects (cn=users,cn=accounts), and this could be confusing the LDAP
client when it expects uniquely-named items.  Otherwise, you'll need to
narrow your base DN such that it only locates one or the other account.

-Nick


Re: Configuring LDAP

2017-11-27 Thread Jonathan Hankins
Harry,

Can you try ldapsearch from the command line against your LDAP server with
the same parameters you're using with guacamole and see if your bind still
fails?

On Mon, Nov 27, 2017, 9:32 AM <harry.dev...@faa.gov> wrote:

> OK, I just tried it again with both 389/none and 636/ssl for those
> parameters, and both times I get the following errors:
>
> Nov 27 09:30:31 access server: 09:30:31.838 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> "cn=Directory Manager,dc=example,dc=com"
> Nov 27 09:30:31 access server: 09:30:31.839 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
> Thanks,
> Harry
>
> From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
> Sent: Monday, November 27, 2017 9:27 AM
> To: user@guacamole.apache.org
> Subject: Re: Configuring LDAP
>
> Harry, if you are using ldap-port:636, you probably need to specify:
>
> ldap-encryption-method: ssl
>
> I believe the default is "none".
>
> Assuming you are able to temporarily configure your LDAP server to allow
> unencrypted binds (if it isn't already), you may want to test with
> ldap-port: 389 and ldap-encryption-method: none to make sure you have all
> of your LDAP settings correct before enabling encryption, then tackle the
> encryption.
>
> -Jonathan Hankins
>
> On Mon, Nov 27, 2017, 8:23 AM <harry.dev...@faa.gov> wrote:
>
> I just got back into the office and tried what you suggested.  Whenever I
> don’t have quotes around the ldap-search-bind-dn value, the login button
> doesn’t seem to respond.  In the Network tab in Chrome’s Developer Tools,
> the /guacamole/api/tokens call always shows “(pending)” as the status
> instead of 200 or 403.
>
> Here’s what I have for my LDAP values in guacamole.properties (again,
> masking out the real values):
>
> ldap-hostname:ldap.hostname
> ldap-port:636
> ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
> ldap-search-bind-password:pass123
> ldap-user-base-dn:dc=example,dc=com
> ldap-username-attribute:cn
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
> Thanks,
> Harry
>
> From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
> Sent: Wednesday, November 22, 2017 1:41 PM
> To: user@guacamole.apache.org
> Subject: Re: Configuring LDAP
>
> Harry,
>
> I believe you need to fully qualify your ldap-search-bind-dn:
>
> ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com
>
> And your ldap-username-attribute should be the name of an ldap attribute
> that you want to match usernames against, such as cn:
>
> ldap-username-attribute: cn
>
> Also, unsure if the config you posted was pseudo-code, but the
> guacamole.properties file should look like:
>
> varname: this is the value to end of line
>
> See my examples above.
>
> -Jonathan Hankins
>
> On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard
> <richard.hawk...@medctrbarbour.org> wrote:
>
> Restart tomcat
>
> service tomcat restart
>
> tail -f /var/log/messages
>
> Authenticated
>
> From: harry.dev...@faa.gov [mailto:harry.dev...@faa.gov]
> Sent: Tuesday, November 21, 2017 2:01 PM
> To: user@guacamole.apache.org
> Subject: RE: Configuring LDAP
>
> OK, took me a little bit to weed through some OpenLDAP config issues (it
> wasn’t installed on the server I have guacamole installed on; didn’t
> realize that at first), but I got the ldapsearch working.  So I re-enabled
> the LDAP parameters and tried again.  The page shows “Invalid Login”, but
> the following is displayed in the /var/log/messages:
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server:
> Connect Error
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> ""cn=My User""
> Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
> I have the LDAP parameters defined as follows in guacamole prop

RE: Configuring LDAP

2017-11-27 Thread harry.devine
Update: using port 389 and none for encryption, and I had to change the search 
DN to be just cn=Directory Manager.  Now I get the following error:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN  
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user 
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, 
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
Nov 27 09:42:01 access server: 09:42:01.917 [http-bio-8080-exec-6] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 
xxx.xxx.xxx.xxx for user "harry.devine" failed.

When I tried port 636 and encryption set to SSL, I get “Unable to bind using 
search DN “cn=Directory Manager”.  Ultimately, we need to have SSL working, so 
any help with first: logging in, then second, logging in via SSL/636 would be 
great.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 27, 2017 9:32 AM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, I just tried it again with both 389/none and 636/ssl for those parameters, 
and both times I get the following errors:

Nov 27 09:30:31 access server: 09:30:31.838 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
"cn=Directory Manager,dc=example,dc=com"
Nov 27 09:30:31 access server: 09:30:31.839 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

Thanks,
Harry
From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Monday, November 27, 2017 9:27 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, if you are using ldap-port:636, you probably need to specify:

ldap-encryption-method: ssl

I believe the default is "none" .

Assuming you are able to temporarily configure your LDAP server to allow 
unencrypted binds(if it isn't already), you may want to test with ldap-port: 
389 and ldap-encryption-method: none  to make sure you have all of your LDAP 
settings correct before enabling encryption, then tackle the encryption.
-Jonathan Hankins

On Mon, Nov 27, 2017, 8:23 AM <harry.dev...@faa.gov> wrote:
I just got back into the office and tried what you suggested.  Whenever I don’t 
have quotes around the ldap-search-bind-dn value, the login button doesn’t seem 
to respond.  In the Network tab in Chrome’s Developer Tools, the 
/guacamole/api/tokens call always shows “(pending)” as the status instead of 
200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking 
out the real values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Wednesday, November 22, 2017 1:41 PM

To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that 
you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the 
guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <richard.hawk...@medctrbarbour.org> wrote:

Restart tomcat

service tomcat restart

tail -f /var/log/messages


Authenticated



From: harry.dev...@faa.gov [mailto:harry.dev...@faa.gov]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t 
installed on the server I have guacamole installed on; didn’t realize that at 
first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters 
and tried again.  The page shows “Invalid Login”, but the following is 
displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect 
Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [h

RE: Configuring LDAP

2017-11-27 Thread harry.devine
OK, I just tried it again with both 389/none and 636/ssl for those parameters, 
and both times I get the following errors:

Nov 27 09:30:31 access server: 09:30:31.838 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
"cn=Directory Manager,dc=example,dc=com"
Nov 27 09:30:31 access server: 09:30:31.839 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

Thanks,
Harry
From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Monday, November 27, 2017 9:27 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry, if you are using ldap-port:636, you probably need to specify:

ldap-encryption-method: ssl

I believe the default is "none" .

Assuming you are able to temporarily configure your LDAP server to allow 
unencrypted binds(if it isn't already), you may want to test with ldap-port: 
389 and ldap-encryption-method: none  to make sure you have all of your LDAP 
settings correct before enabling encryption, then tackle the encryption.
-Jonathan Hankins

On Mon, Nov 27, 2017, 8:23 AM <harry.dev...@faa.gov> wrote:
I just got back into the office and tried what you suggested.  Whenever I don’t 
have quotes around the ldap-search-bind-dn value, the login button doesn’t seem 
to respond.  In the Network tab in Chrome’s Developer Tools, the 
/guacamole/api/tokens call always shows “(pending)” as the status instead of 
200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking 
out the real values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Wednesday, November 22, 2017 1:41 PM

To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that 
you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the 
guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <richard.hawk...@medctrbarbour.org> wrote:

Restart tomcat

service tomcat restart

tail -f /var/log/messages


Authenticated



From: harry.dev...@faa.gov [mailto:harry.dev...@faa.gov]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t 
installed on the server I have guacamole installed on; didn’t realize that at 
first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters 
and tried again.  The page shows “Invalid Login”, but the following is 
displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect 
Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am 
masking the usernames and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, <harry.dev...@faa.gov> wrote:
I set SELinux to permissive and put the LDAP extension back (its under 
/usr/share/tomcat/.guacamole/extensions), res

Re: Configuring LDAP

2017-11-27 Thread Jonathan Hankins
Harry, if you are using ldap-port:636, you probably need to specify:

ldap-encryption-method: ssl

I believe the default is "none" .

Assuming you are able to temporarily configure your LDAP server to allow
unencrypted binds(if it isn't already), you may want to test with
ldap-port: 389 and ldap-encryption-method: none  to make sure you have all
of your LDAP settings correct before enabling encryption, then tackle the
encryption.
-Jonathan Hankins

On Mon, Nov 27, 2017, 8:23 AM <harry.dev...@faa.gov> wrote:

> I just got back into the office and tried what you suggested.  Whenever I
> don’t have quotes around the ldap-search-bind-dn value, the login button
> doesn’t seem to respond.  In the Network tab in Chrome’s Developer Tools,
> the /guacamole/api/tokens call always shows “(pending)” as the status
> instead of 200 or 403.
>
>
>
> Here’s what I have for my LDAP values in guacamole.properties (again,
> masking out the real values):
>
>
>
> ldap-hostname:ldap.hostname
>
> ldap-port:636
>
> ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
>
> ldap-search-bind-password:pass123
>
> ldap-user-base-dn:dc=example,dc=com
>
> ldap-username-attribute:cn
>
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
> *Sent:* Wednesday, November 22, 2017 1:41 PM
>
>
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> Harry,
>
>
>
> I believe you need to fully qualify your ldap-search-bind-dn:
>
>
>
> ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com
>
>
>
> And your ldap-username-attribute should be the name of an ldap attribute
> that you want to match usernames against, such as cn:
>
>
>
> ldap-username-attribute: cn
>
>
>
> Also, unsure if the config you posted was pseudo-code, but the
> guacamole.properties file should look like:
>
>
>
> varname: this is the value to end of line
>
>
>
> See my examples above.
>
>
>
> -Jonathan Hankins
>
>
>
>
>
> On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <
> richard.hawk...@medctrbarbour.org> wrote:
>
> Restart tomcat
>
> service tomcat restart..
>
> tail -f /var/log/messages
>
> Authenticated
>
> *From:* harry.dev...@faa.gov [mailto:harry.dev...@faa.gov]
> *Sent:* Tuesday, November 21, 2017 2:01 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> OK, took me a little bit to weed through some OpenLDAP config issues (it
> wasn’t installed on the server I have guacamole installed on; didn’t
> realize that at first), but I got the ldapsearch working.  So I re-enabled
> the LDAP parameters and tried again.  The page shows “Invalid Login”, but
> the following is displayed in the /var/log/messages:
>
>
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server:
> Connect Error
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> ""cn=My User""
>
> Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
>
>
> I have the LDAP parameters defined as follows in guacamole properties (I
> am masking the usernames and such):
>
> ldap-hostname="my-host"
>
> ldap-port=636
>
> ldap-search-bind-dn="cn=My User"
>
> ldap-search-bind-password="Pass123"
>
> ldap-user-base-dn="dc=my,dc=example,dc=com"
>
> ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
>
> ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
>
>
>
> Ideas?
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vn...@apache.org]
> *Sent:* Tuesday, November 21, 2017 9:20 AM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Tue, Nov 21, 2017 at 8:10 AM, <harry.dev...@faa.gov> wrote:
>
> I set SELinux to permissive and put the LDAP extension back (its under
> /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and
> try to log in using an LDAP user.  I click Login and on the Network tab, it
> shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never
> gets any further.
>
>
>
>

RE: Configuring LDAP

2017-11-27 Thread harry.devine
I just got back into the office and tried what you suggested.  Whenever I don’t 
have quotes around the ldap-search-bind-dn value, the login button doesn’t seem 
to respond.  In the Network tab in Chrome’s Developer Tools, the 
/guacamole/api/tokens call always shows “(pending)” as the status instead of 
200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking 
out the real values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Wednesday, November 22, 2017 1:41 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that 
you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the 
guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard 
<richard.hawk...@medctrbarbour.org<mailto:richard.hawk...@medctrbarbour.org>> 
wrote:

Restart tomcat

service tomcat restart..

tail -f /var/log/messages

Authenticated



From: harry.dev...@faa.gov<mailto:harry.dev...@faa.gov> 
[mailto:harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t 
installed on the server I have guacamole installed on; didn’t realize that at 
first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters 
and tried again.  The page shows “Invalid Login”, but the following is 
displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect 
Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am 
masking the usernames and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

From: Nick Couchman [mailto:vn...@apache.org<mailto:vn...@apache.org>]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, 
<harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote:
I set SELinux to permissive and put the LDAP extension back (its under 
/usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try 
to log in using an LDAP user.  I click Login and on the Network tab, it shows 
tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any 
further.


Okay...on the system where you're running Tomcat, can you make sure the 
OpenLDAP client utilities are installed and then use "ldapsearch" to query the 
same LDAP server that you're trying to use in Guacamole?  Something like this:

ldapsearch -H ldap://<hostname> -D <bind DN> -W -b <base DN> cn=<Your User In LDAP>

...substituting in the above parameters and make sure you get a response?

-Nick

This e-mail is intended only for the recipient and may contain confidential or 
proprietary information. If you are not the intended recipient, the review, 
distribution, duplication or retention of this message and its attachments is 
prohibited. Please notify the sender of this error immediately by reply e-mail, 
and permanently delete this message and its attachments in any form in which 
they may have been preserved.


Re: Configuring LDAP

2017-11-22 Thread Jonathan Hankins
Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute
that you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the
guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard <
richard.hawk...@medctrbarbour.org> wrote:

>
> Restart tomcat
>
> service tomcat restart..
>
> tail -f /var/log/messages
>
> Authenticated
>
> *From:* harry.dev...@faa.gov [mailto:harry.dev...@faa.gov]
> *Sent:* Tuesday, November 21, 2017 2:01 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Configuring LDAP
>
>
>
> OK, took me a little bit to weed through some OpenLDAP config issues (it
> wasn’t installed on the server I have guacamole installed on; didn’t
> realize that at first), but I got the ldapsearch working.  So I re-enabled
> the LDAP parameters and tried again.  The page shows “Invalid Login”, but
> the following is displayed in the /var/log/messages:
>
>
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server:
> Connect Error
>
> Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN
> ""cn=My User""
>
> Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 172.31.26.216 for user "harry.devine" failed.
>
>
>
> I have the LDAP parameters defined as follows in guacamole properties (I
> am masking the usernames and such):
>
> ldap-hostname="my-host"
>
> ldap-port=636
>
> ldap-search-bind-dn="cn=My User"
>
> ldap-search-bind-password="Pass123"
>
> ldap-user-base-dn="dc=my,dc=example,dc=com"
>
> ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
>
> ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
>
>
>
> Ideas?
>
> Harry
>
>
>
> *From:* Nick Couchman [mailto:vn...@apache.org]
> *Sent:* Tuesday, November 21, 2017 9:20 AM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Configuring LDAP
>
>
>
> On Tue, Nov 21, 2017 at 8:10 AM, <harry.dev...@faa.gov> wrote:
>
> I set SELinux to permissive and put the LDAP extension back (its under
> /usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and
> try to log in using an LDAP user.  I click Login and on the Network tab, it
> shows tokens (/guacamole/api/tokens) as having a “pending” status.  Never
> gets any further.
>
>
>
>
>
> Okay...on the system where you're running Tomcat, can you make sure the
> OpenLDAP client utilities are installed and then use "ldapsearch" to query
> the same LDAP server that you're trying to use in Guacamole?  Something
> like this:
>
>
>
> ldapsearch -H ldap://<hostname> -D <bind DN> -W -b <base DN> cn=<Your User In LDAP>
>
>
>
> ...substituting in the above parameters and make sure you get a response?
>
>
>
> -Nick
>

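The three points Jonathan Hankins makes above (the property file is "varname: value to end of line", ldap-username-attribute is an attribute name rather than a DN, and the bind DN should normally be fully qualified), together with his later note in the 2017-11-27 reply that ldap-port 636 needs ldap-encryption-method: ssl, can be checked mechanically before restarting Tomcat. The script below is an added example written for this page; it is not code from the thread or from the Guacamole project. It reads the file the way java.util.Properties does (separator ':' or '=', value runs to end of line, quote characters are literal, which is why the log in the thread shows the bind DN as ""cn=My User""), then reports the misconfigurations discussed. Both embedded configuration samples are constructed: the first reproduces the posted broken settings, the second a corrected version with assumed names (ldap.example.com, uid).

```python
"""Lint the LDAP settings in a Guacamole guacamole.properties file.

Added example for this page; not part of the mailing-list thread or of the
Guacamole project. Property names are the ones the Guacamole LDAP extension
documents (ldap-hostname, ldap-port, ldap-encryption-method, ...).
"""
import re

VALID_ENCRYPTION = {"none", "ssl", "starttls"}

# Constructed sample: the settings posted in the thread, which fail with
# "Unable to connect to LDAP server" and a bind DN logged as ""cn=My User"".
BROKEN_PROPERTIES = """\
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
"""

# Constructed sample of the corrected form (hostname and attribute assumed).
FIXED_PROPERTIES = """\
ldap-hostname: ldap.example.com
ldap-port: 636
ldap-encryption-method: ssl
ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com
ldap-search-bind-password: Pass123
ldap-user-base-dn: cn=users,cn=accounts,dc=my,dc=example,dc=com
ldap-username-attribute: uid
ldap-group-base-dn: cn=groups,cn=accounts,dc=my,dc=example,dc=com
"""


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Mirrors java.util.Properties for the common case: the key ends at the
    first ':' or '=' (or whitespace), the value is the rest of the line with
    surrounding whitespace trimmed, and quote characters are ordinary
    characters. Line continuations and backslash escapes are not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_ldap(props):
    """Return (severity, code, key) findings for the ldap-* properties."""
    findings = []

    # 1. Quoted values: the quotes become part of the hostname/DN/password.
    for key, value in props.items():
        if key.startswith("ldap-") and len(value) >= 2 and value[0] == value[-1] == '"':
            findings.append(("error", "quoted-value", key))

    # 2. ldap-username-attribute names an attribute (uid, cn, sAMAccountName),
    #    not the container the users live in.
    attr = props.get("ldap-username-attribute", "").strip('"')
    if "=" in attr or "," in attr:
        findings.append(("error", "username-attribute-is-dn", "ldap-username-attribute"))

    # 3. A single-RDN bind DN is usually missing its dc= suffix. Root DNs such
    #    as cn=Directory Manager are the legitimate exception, hence a warning.
    bind_dn = props.get("ldap-search-bind-dn", "").strip('"')
    if bind_dn and "," not in bind_dn:
        findings.append(("warn", "bind-dn-single-rdn", "ldap-search-bind-dn"))

    # 4. Port and encryption method must agree; the method defaults to none.
    enc = props.get("ldap-encryption-method", "none").strip('"').lower()
    if enc not in VALID_ENCRYPTION:
        findings.append(("error", "unknown-encryption-method", "ldap-encryption-method"))
    port = props.get("ldap-port", "").strip('"')
    if port == "636" and enc != "ssl":
        findings.append(("error", "ldaps-port-without-ssl", "ldap-port"))
    if port == "389" and enc == "ssl":
        findings.append(("error", "ssl-on-plaintext-port", "ldap-port"))
    return findings


def lint_text(text):
    """Parse and lint in one step."""
    return lint_ldap(parse_properties(text))


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        findings = lint_text(text)
        print(f"{name}: {len(findings)} finding(s)")
        for severity, code, key in findings:
            print(f"  {severity:5} {key}: {code}")
```

Run it against your own file with `lint_text(open("/etc/guacamole/guacamole.properties").read())`. The single-RDN check is deliberately only a warning: on 389-ds/FreeIPA the root DN cn=Directory Manager is a legitimate one-component DN, so confirm against `ldapsearch -D` rather than assuming the warning is wrong.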


RE: Configuring LDAP

2017-11-21 Thread Hawkins, Richard
Here is mine.. see if it helps..  the DC is a Windows Server 2012 R2 server.

ldap-hostname: dc01.mydomain.org
ldap-port: 3268
ldap-user-base-dn: DC=mydomain, DC=org
ldap-search-bind-dn: CN=mysecretlookupuser, CN=Users, DC= mydomain, DC=org
ldap-search-bind-password: Mysecret password
ldap-username-attribute: sAMAccountName

In the past I have had issues with using something other than the Base DN.
Also, in my configs the spacing DOES matter..

r

 

From: harry.dev...@faa.gov [mailto:harry.dev...@faa.gov] 
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

 

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t 
installed on the server I have guacamole installed on; didn’t realize that at 
first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters 
and tried again.  The page shows “Invalid Login”, but the following is 
displayed in the /var/log/messages:

 

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect 
Error

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
""cn=My User""

Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

 

I have the LDAP parameters defined as follows in guacamole properties (I am 
masking the usernames and such):

ldap-hostname="my-host"

ldap-port=636

ldap-search-bind-dn="cn=My User"

ldap-search-bind-password="Pass123"

ldap-user-base-dn="dc=my,dc=example,dc=com"

ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"

ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

 

Ideas?

Harry

 

From: Nick Couchman [mailto:vn...@apache.org] 
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

 

On Tue, Nov 21, 2017 at 8:10 AM, <harry.dev...@faa.gov> wrote:

I set SELinux to permissive and put the LDAP extension back (its under 
/usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try 
to log in using an LDAP user.  I click Login and on the Network tab, it shows 
tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any 
further.

 

 

Okay...on the system where you're running Tomcat, can you make sure the 
OpenLDAP client utilities are installed and then use "ldapsearch" to query the 
same LDAP server that you're trying to use in Guacamole?  Something like this:

 

ldapsearch -H ldap://<hostname> -D <bind DN> -W -b <base DN> cn=<Your User In LDAP>

 

...substituting in the above parameters and make sure you get a response?

 

-Nick 



RE: Configuring LDAP

2017-11-21 Thread harry.devine
OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t 
installed on the server I have guacamole installed on; didn’t realize that at 
first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters 
and tried again.  The page shows “Invalid Login”, but the following is 
displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect 
Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am 
masking the usernames and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, 
<harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote:
I set SELinux to permissive and put the LDAP extension back (its under 
/usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try 
to log in using an LDAP user.  I click Login and on the Network tab, it shows 
tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any 
further.


Okay...on the system where you're running Tomcat, can you make sure the 
OpenLDAP client utilities are installed and then use "ldapsearch" to query the 
same LDAP server that you're trying to use in Guacamole?  Something like this:

ldapsearch -H ldap://<hostname> -D <bind DN> -W -b <base DN> cn=<Your User In LDAP>

...substituting in the above parameters and make sure you get a response?

-Nick


RE: Configuring LDAP

2017-11-21 Thread harry.devine
I set SELinux to permissive and put the LDAP extension back (it's under 
/usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and tried 
to log in using an LDAP user.  I click Login and on the Network tab, it shows 
tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any 
further.

Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Monday, November 20, 2017 2:04 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 20, 2017 at 1:52 PM, 
<harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote:
We’re using Red Hat Enterprise Linux 7.4 with SELinux set to enforcing.  I 
disabled the LDAP extension and just used MySQL for the guacadmin user and 
could log in.  I do see the following information in /var/log/messages:


This sounds like the server-side, but are you able to temporarily disable 
SELinux (set it to permissive mode, "setenforce 0") and then restart Tomcat and 
see if it works with LDAP? I'm not suggesting this as a long-term fix, just 
long enough to validate whether SELinux is, indeed, blocking LDAP traffic, or 
if it's still something else?

-Nick


Re: Configuring LDAP

2017-11-20 Thread Mike Jumper
On Mon, Nov 20, 2017 at 10:01 AM, Richard Lee 
wrote:

> How can I leave this group?
>
>
If you want to unsubscribe from the user@ list, send an email to
user-unsubscr...@guacamole.apache.org and follow the instructions in the
confirmation email. Be sure to send the email from the email address that
you used to subscribe.

See:

http://guacamole.apache.org/support/#mailing-lists
http://apache.org/foundation/mailinglists.html

- Mike


Re: Configuring LDAP

2017-11-20 Thread Nick Couchman
On Mon, Nov 20, 2017 at 1:52 PM,  wrote:

> We’re using Red Hat Enterprise Linux 7.4 with SELinux set to enforcing.  I
> disabled the LDAP extension and just used MySQL for the guacadmin user and
> could log in.  I do see the following information in /var/log/messages:
>
>
>
This sounds like the server-side, but are you able to temporarily disable
SELinux (set it to permissive mode, "setenforce 0") and then restart Tomcat
and see if it works with LDAP? I'm not suggesting this as a long-term fix,
just long enough to validate whether SELinux is, indeed, blocking LDAP
traffic, or if it's still something else?

-Nick


RE: Configuring LDAP

2017-11-20 Thread harry.devine
We’re using Red Hat Enterprise Linux 7.4 with SELinux set to enforcing.  I 
disabled the LDAP extension and just used MySQL for the guacadmin user and 
could log in.  I do see the following information in /var/log/messages:

Nov 20 13:43:57 access server: 13:43:57.545 [http-bio-8080-exec-6] INFO  
o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully 
authenticated from 172.31.26.216.
Nov 20 13:44:01 access setroubleshoot: SELinux is preventing 
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java from 
name_connect access on the tcp_socket port 3306. For complete SELinux messages 
run: sealert -l 1514ddfd-32d5-4705-b5d3-cdec3cb55f46
Nov 20 13:44:01 access python: SELinux is preventing 
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java from 
name_connect access on the tcp_socket port 3306.#012#012*  Plugin catchall 
(100. confidence) suggests   **#012#012If you believe 
that java should be allowed name_connect access on the port 3306 tcp_socket by 
default.#012Then you should report this as a bug.#012You can generate a local 
policy module to allow this access.#012Do#012allow this access for now by 
executing:#012# ausearch -c 'java' --raw | audit2allow -M my-java#012# semodule 
-i my-java.pp#012

I found the following bug against the SELinux policy RPMs: 
https://bugzilla.redhat.com/show_bug.cgi?id=1491747

As a workaround, I made that portion with the bug set to Permissive.  Did that 
a few weeks ago, so Guacamole is working for at least the local Admin user.  
Not for LDAP.

Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Monday, November 20, 2017 1:25 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 20, 2017 at 1:06 PM, 
<harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote:
/var/log/messages doesn’t show anything at all when I try the login.  Also, 
when I click Login, the area at the top of the Developer Tools window (with the 
times in it 2000ms, 4000ms, etc.) updates, but the list of javascript files 
that is accessed doesn’t change.  The tokens file/topic is in red, and it says 
that the Initiator is angular.js on line 9902.


Okay, a couple of things for you:

- This thread started out as an issue with the LDAP module/authentication, but 
I'm fairly convinced it has absolutely nothing to do with LDAP.  Have you tried 
removing the LDAP module and just using something like the JDBC module, or even 
the simple file authentication module, and see if it works at all like that?  I 
suspect it will not, but it would be good to confirm.
- What client platform are you running (Windows, Linux, etc.), and have you 
tried it on more than one client system, and preferably on more than one 
platform?
- This issue really sounds like some sort of security software intercepting the 
browser's attempt to log in to the system.  Do you have any sort of A/V or 
security extension installed in the browser (e.g. McAfee, Symantec, etc.), any 
of the Chrome Enterprise Group Policies deployed, or any sort of web security 
software running on the client, that could be blocking this web page from 
actually submitting the data to the Guacamole system?  The behavior you are 
describing sounds very much like something is stopping the browser from 
actually making the call to the REST endpoint, and not like a Tomcat/servlet 
issue.

-Nick
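Nick's question in this exchange is whether SELinux is blocking the JVM's LDAP traffic or something else; the setroubleshoot line Harry posted names port 3306 (MySQL), not an LDAP port. The script below is an added example written for this page, not code from the thread or from the Guacamole project. It scans /var/log/messages text for setroubleshoot name_connect denials, de-duplicates the two lines setroubleshoot writes per event, and reports which service port was blocked and whether any of them is an LDAP port. The log text is constructed: the first three lines reproduce the posted messages, the fourth is an invented denial on port 636 added to show what an LDAPS block would look like (its sealert id is a placeholder).

```python
"""Find SELinux network-connect denials in /var/log/messages and name the
blocked service port.

Added example for this page; not code from the thread. setroubleshoot writes
the same denial twice (once tagged "setroubleshoot", once via its python
helper), so events are de-duplicated on timestamp, binary, access and port.
"""
import re

# Ports a Guacamole LDAP deployment connects to (3268/3269: AD global catalog).
LDAP_PORTS = {389: "ldap", 636: "ldaps", 3268: "gc", 3269: "gc-ssl"}
# Other back-end ports Guacamole's JVM opens; used only for labelling.
OTHER_PORTS = {3306: "mysql", 5432: "postgresql", 4822: "guacd"}

DENIAL_RE = re.compile(
    r"SELinux is preventing (?P<exe>\S+) from (?P<access>\w+) access "
    r"on the (?P<cls>\w+) port (?P<port>\d+)"
)

JAVA = "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java"

# Constructed log text. Lines 1-3 reproduce the messages posted in the thread;
# line 4 is invented to show an LDAPS denial (placeholder sealert id).
SAMPLE_LOG = (
    'Nov 20 13:43:57 access server: 13:43:57.545 [http-bio-8080-exec-6] INFO  '
    'o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully '
    'authenticated from 172.31.26.216.\n'
    f'Nov 20 13:44:01 access setroubleshoot: SELinux is preventing {JAVA} from '
    'name_connect access on the tcp_socket port 3306. For complete SELinux '
    'messages run: sealert -l 1514ddfd-32d5-4705-b5d3-cdec3cb55f46\n'
    f'Nov 20 13:44:01 access python: SELinux is preventing {JAVA} from '
    'name_connect access on the tcp_socket port 3306.#012#012*  Plugin catchall '
    '(100. confidence) suggests   **#012\n'
    f'Nov 21 09:12:44 access setroubleshoot: SELinux is preventing {JAVA} from '
    'name_connect access on the tcp_socket port 636. For complete SELinux '
    'messages run: sealert -l 00000000-0000-0000-0000-000000000000\n'
)


def parse_denials(log_text):
    """Return one dict per distinct port denial found in the log text."""
    seen = set()
    denials = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        stamp = line[:15]  # syslog prefix, e.g. "Nov 20 13:44:01"
        port = int(m.group("port"))
        key = (stamp, m.group("exe"), m.group("access"), m.group("cls"), port)
        if key in seen:
            continue  # second copy of the same event
        seen.add(key)
        denials.append({
            "time": stamp,
            "exe": m.group("exe"),
            "access": m.group("access"),
            "class": m.group("cls"),
            "port": port,
            "service": LDAP_PORTS.get(port) or OTHER_PORTS.get(port) or "unknown",
            "ldap": port in LDAP_PORTS,
        })
    return denials


def ldap_blocked(log_text):
    """True if any denial in the log is on an LDAP, LDAPS or global-catalog port."""
    return any(d["ldap"] for d in parse_denials(log_text))


def report(log_text):
    """One human-readable line per denial, LDAP ones tagged."""
    lines = []
    for d in parse_denials(log_text):
        tag = "LDAP" if d["ldap"] else "other"
        lines.append(f'{d["time"]} {d["access"]} {d["class"]} port {d["port"]} '
                     f'({d["service"]}, {tag}) by {d["exe"]}')
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    print("LDAP blocked by SELinux:", ldap_blocked(SAMPLE_LOG))
```

The syslog copy is only a convenience; `ausearch -m avc -c java` is the authoritative record of what was denied. The audit2allow module the log itself suggests will make the denial go away but grants the JVM whatever it asked for; check `getsebool -a | grep tomcat` for a narrower policy boolean first, and keep `setenforce 0` to the diagnostic step Nick describes.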


Re: Configuring LDAP

2017-11-20 Thread Nick Couchman
On Mon, Nov 20, 2017 at 1:06 PM,  wrote:

> /var/log/messages doesn’t show anything at all when I try the login.
> Also, when I click Login, the area at the top of the Developer Tools window
> (with the times in it 2000ms, 4000ms, etc.) updates, but the list of
> javascript files that is accessed doesn’t change.  The tokens file/topic is
> in red, and it says that the Initiator is angular.js on line 9902.
>
>
>
Okay, a couple of things for you:

- This thread started out as an issue with the LDAP module/authentication,
but I'm fairly convinced it has absolutely nothing to do with LDAP.  Have
you tried removing the LDAP module and just using something like the JDBC
module, or even the simple file authentication module, and see if it works
at all like that?  I suspect it will not, but it would be good to confirm.
- What client platform are you running (Windows, Linux, etc.), and have you
tried it on more than one client system, and preferably on more than one
platform?
- This issue really sounds like some sort of security software intercepting
the browser's attempt to log in to the system.  Do you have any sort of A/V
or security extension installed in the browser (e.g. McAfee, Symantec,
etc.), any of the Chrome Enterprise Group Policies deployed, or any sort of
web security software running on the client, that could be blocking this
web page from actually submitting the data to the Guacamole system?  The
behavior you are describing sounds very much like something is stopping the
browser from actually making the call to the REST endpoint, and not like a
Tomcat/servlet issue.

-Nick


RE: Configuring LDAP

2017-11-20 Thread harry.devine
/var/log/messages doesn’t show anything at all when I try the login.  Also, 
when I click Login, the area at the top of the Developer Tools window (with the 
times in it 2000ms, 4000ms, etc.) updates, but the list of javascript files 
that is accessed doesn’t change.  The tokens file/topic is in red, and it says 
that the Initiator is angular.js on line 9902.

Thanks,
Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Monday, November 20, 2017 1:00 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 20, 2017 at 12:53 PM, 
<harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote:
Looks like I get a 403 when it tries to access /guacamole/api/tokens.


There will be an initial 403 that happens when the page is loaded (this prompts 
the login dialog to appear in the first place), but if you're getting a 403 
after entering the credentials and clicking Login, then something is going 
wrong with the login process.  Can you dig into the 403 and see what type of 
error/response you're seeing?  Is it Invalid credentials, insufficient 
credentials, or some other error?

I think we determined in the past that on your system the bulk of the Tomcat 
messages are actually going to /var/log/messages instead of the Tomcat-specific 
logs.  Can you do a "tail -f /var/log/messages" and attempt the login, and see 
what gets displayed there?  You should get at least the authentication failure 
message, if nothing else.

-Nick



Re: Configuring LDAP

2017-11-20 Thread Richard Lee
How can I leave this group?


Richard Lee // Production Director // +44 203 627 6280 // www.streamgo.co.uk




On 20 November 2017 at 18:00, Nick Couchman  wrote:

> On Mon, Nov 20, 2017 at 12:53 PM,  wrote:
>
>> Looks like I get a 403 when it tries to access /guacamole/api/tokens.
>>
>>
>>
>
> There will be an initial 403 that happens when the page is loaded (this
> prompts the login dialog to appear in the first place), but if you're
> getting a 403 after entering the credentials and clicking Login, then
> something is going wrong with the login process.  Can you dig into the 403
> and see what type of error/response you're seeing?  Is it Invalid
> credentials, insufficient credentials, or some other error?
>
> I think we determined in the past that on your system the bulk of the
> Tomcat messages are actually going to /var/log/messages instead of the
> Tomcat-specific logs.  Can you do a "tail -f /var/log/messages" and attempt
> the login, and see what gets displayed there?  You should get at least the
> authentication failure message, if nothing else.
>
> -Nick
>
>

-- 


This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
prohibited.


Re: Configuring LDAP

2017-11-20 Thread Nick Couchman
On Mon, Nov 20, 2017 at 12:53 PM,  wrote:

> Looks like I get a 403 when it tries to access /guacamole/api/tokens.
>
>
>

There will be an initial 403 that happens when the page is loaded (this
prompts the login dialog to appear in the first place), but if you're
getting a 403 after entering the credentials and clicking Login, then
something is going wrong with the login process.  Can you dig into the 403
and see what type of error/response you're seeing?  Is it Invalid
credentials, insufficient credentials, or some other error?

I think we determined in the past that on your system the bulk of the
Tomcat messages are actually going to /var/log/messages instead of the
Tomcat-specific logs.  Can you do a "tail -f /var/log/messages" and attempt
the login, and see what gets displayed there?  You should get at least the
authentication failure message, if nothing else.

-Nick


RE: Configuring LDAP

2017-11-20 Thread harry.devine
Looks like I get a 403 when it tries to access /guacamole/api/tokens.

Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Monday, November 20, 2017 11:40 AM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Mon, Nov 20, 2017 at 8:10 AM, 
<harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote:
I use Chrome and I use the Developer Console all the time.  I just tried it 
again and got nothing at all in the console.  I even had the 
catalina.2017-11-20.log file open and got nothing in there either.  Nothing 
happens.

Great.  What about on the Network tab?  When you click the Login button, do you 
see it making any attempts to access anything network-side?  For example, when 
I log in, I see a POST to the api/tokens REST endpoint with the credentials, 
and I receive a 200 (OK) response.  You should see this POST happen, and then 
some sort of return - 200 for OK (which I would not expect in your case), 403 
if the credentials are not accepted, or 500 if there's a server-side error.

-Nick


Re: Configuring LDAP

2017-11-20 Thread Nick Couchman
On Mon, Nov 20, 2017 at 8:10 AM,  wrote:

> I use Chrome and I use the Developer Console all the time.  I just tried
> it again and got nothing at all in the console.  I even had the
> catalina.2017-11-20.log file open and got nothing in there either.  Nothing
> happens.
>

Great.  What about on the Network tab?  When you click the Login button, do
you see it making any attempts to access anything network-side?  For
example, when I log in, I see a POST to the api/tokens REST endpoint with
the credentials, and I receive a 200 (OK) response.  You should see this
POST happen, and then some sort of return - 200 for OK (which I would not
expect in your case), 403 if the credentials are not accepted, or 500 if
there's a server-side error.

-Nick


RE: Configuring LDAP

2017-11-20 Thread harry.devine
I use Chrome and I use the Developer Console all the time.  I just tried it 
again and got nothing at all in the console.  I even had the 
catalina.2017-11-20.log file open and got nothing in there either.  Nothing 
happens.

Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Friday, November 17, 2017 1:17 PM
To: user@guacamole.apache.org
Subject: Re: Configuring LDAP

On Thu, Nov 16, 2017 at 9:33 AM, 
<harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote:

Nothing at all. And the Guacamole screen never changes, as if the Login button 
doesn't work or is somehow dead.
Hmmm...okay, this is odd.  What browser are you using?  If you're using Chrome, 
can you open the Developer Console and look for errors in the JavaScript 
console, or watch the network activity during login and see what's being 
returned?

-Nick


Re: Configuring LDAP

2017-11-16 Thread harry.devine
Nothing at all. And the Guacamole screen never changes, as if the Login button 
doesn't work or is somehow dead.


Thanks,

Harry


From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, November 15, 2017 7:59:36 PM
To: u...@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP


On Wed, Nov 15, 2017 at 15:35 
<harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote:
Here’s the /var/log/messages data from right after I restarted Tomcat and 
Guacamole:  https://pastebin.com/YSwepbgk.  This server is running RHEL 7.4.

So, on line 94 the LDAP extension appears to be getting loaded, so that part is 
fine.  Seems like it might be a configuration issue - what shows up in that log 
file when you try to authenticate?

- Nick