Re: LDAP Guacamole 0.9.14

2018-01-26 Thread Nick Couchman
>
> I've rebooted the whole server to make sure all services are restarted.
> Maybe I've installed the LDAP extension wrong? I do not
> I've only copied the jars to the extensions folder:
> /etc/guacamole/extensions
> guacamole-auth-jdbc-mysql-0.9.9.jar
> guacamole-auth-ldap-0.9.9.jar
>
> /etc/guacamole/lib
> mysql-connector-java-5.1.45-bin.jar
>
> What more should I do?
> My catalina.out file:
> https://pastebin.com/JW2kker7
>
>
>
Okay, now I'm confused.  Are you using version 0.9.9 or version 0.9.14?
They're not generally compatible, so you need to pick one version and stick
with it - I'd recommend 0.9.14.  Make sure the version of the guacamole.war
you're deploying matches the extensions.


>
> Yes, I'm not a programmer and don't know how to specify/store RDP connections
> in MySQL.
> Followed
> https://sourceforge.net/p/guacamole/discussion/1110834/thread/b66cf159/?limit=25
>
> BTW: there is nothing about
> # Auth provider class
> in the guacamole.properties file.
>
> What auth-provider: net.sourceforge. should I write? Or is it an obsolete line?
>
>
You seem to be using very old versions and documentation.  First, you don't
need to be a programmer - there is a very nice administrative GUI for
managing the JDBC extension that lets you create the connections inside the
database from a Web UI.  Second, the auth-provider property has been gone
from Guacamole for quite some time.

Please make sure you're referencing the most recent documentation (and
using the most recent versions):

http://guacamole.apache.org/doc/gug/

The manual, at that location, has configuration instructions for LDAP and
JDBC, including how to integrate the two.

Regards,
Nick
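Nick's point about keeping the guacamole.war and the extension jars on one version can be checked rather than guessed from jar filenames. The block below is an added example, not code from the Guacamole project or from anyone on this thread: it reads the guac-manifest.json that every Guacamole extension jar carries and compares the declared guacamoleVersion of each jar in the extensions directory against the webapp version you pass in (the check does not read the version out of guacamole.war; you supply it). The extensions directory, the jar contents and the 0.9.9/0.9.14 mix in demo() are constructed to mirror the layout posted above.

```python
"""Check that every extension jar declares the same Guacamole version as the webapp.

Added example, not Guacamole code. It depends on one fact about the extension
format: each extension jar contains a guac-manifest.json whose "guacamoleVersion"
field names the release the extension was built for. A plain library jar (such
as a JDBC driver) has no such manifest and does not belong in extensions/.
"""
import json
import os
import tempfile
import zipfile


def extension_version(jar_path):
    """Return the guacamoleVersion declared in the jar's guac-manifest.json,
    or None if the jar carries no manifest (i.e. it is not a Guacamole extension)."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = json.loads(jar.read("guac-manifest.json").decode("utf-8"))
        except KeyError:
            return None
    return manifest.get("guacamoleVersion")


def check_extensions(extensions_dir, webapp_version):
    """Compare every jar under extensions_dir against the deployed webapp version.

    Returns a list of findings (strings); an empty list means every extension
    declares the same version as guacamole.war. The jar filename is ignored on
    purpose: a renamed jar still declares its real version in the manifest."""
    findings = []
    declared = {}
    for name in sorted(os.listdir(extensions_dir)):
        if not name.endswith(".jar"):
            continue
        version = extension_version(os.path.join(extensions_dir, name))
        if version is None:
            findings.append(f"{name}: no guac-manifest.json, so it is not an extension "
                            "(a JDBC driver belongs in GUACAMOLE_HOME/lib, not extensions)")
            continue
        declared[name] = version
        if version != webapp_version:
            findings.append(f"{name}: built for Guacamole {version}, "
                            f"but the webapp is {webapp_version}")
    if len(set(declared.values())) > 1:
        findings.append("extensions disagree with each other: "
                        + ", ".join(f"{n}={v}" for n, v in sorted(declared.items())))
    return findings


def _write_fake_extension(path, version):
    """Constructed sample: a jar holding only a manifest, which is all the check reads."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("guac-manifest.json", json.dumps({
            "guacamoleVersion": version,
            "name": os.path.basename(path),
            "namespace": "demo",
        }))


def demo(webapp_version="0.9.14"):
    """Recreate the layout from the thread (two 0.9.9 extensions plus a MySQL
    driver dropped into extensions/) and check it against webapp_version."""
    with tempfile.TemporaryDirectory() as d:
        _write_fake_extension(os.path.join(d, "guacamole-auth-jdbc-mysql-0.9.9.jar"), "0.9.9")
        _write_fake_extension(os.path.join(d, "guacamole-auth-ldap-0.9.9.jar"), "0.9.9")
        # A JDBC driver is an ordinary jar with no Guacamole manifest.
        with zipfile.ZipFile(os.path.join(d, "mysql-connector-java-5.1.45-bin.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return check_extensions(d, webapp_version)


if __name__ == "__main__":
    for line in demo() or ["all extensions match the webapp"]:
        print(line)
```

Run it against a real GUACAMOLE_HOME by calling check_extensions("/etc/guacamole/extensions", "0.9.14") with the version of the war you actually deployed; anything it prints is a jar Tomcat will either refuse to load or load against the wrong API.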


Re: LDAP Guacamole 0.9.14

2018-01-26 Thread ldap123user
vnick wrote
> On Wed, Jan 24, 2018 at 6:15 AM, Przemysław Pach <kontoka...@gmail.com> wrote:
> 
> After changing guacamole.properties and installing the LDAP authentication
> extension, did you either restart your Tomcat instance or re-deploy the
> guacamole.war file?  Changes to extensions and guacamole.properties are only
> read at startup/deploy, so you'll need to do one of those to make it take
> effect.
> 
> Also, ActiveDirectory generally does some LDAP referrals, so you might
> want
> to either play with the ldap-follow-referrals parameter or point the
> configuration directly at your global catalog on your AD server (port
> 3268).
> 
> Also, you might want to post more output from your catalina.out in a
> pastebin - particularly look for the entries when guacamole.war is
> deployed, as it lists the authentication extensions that get deployed and
> gives you any errors from initializing those.
> 
> -Nick

Quoted from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/LDAP-Guacamole-0-9-14-tp2593p2606.html

I've rebooted the whole server to make sure all services are restarted.
Maybe I've installed the LDAP extension wrong? I do not
I've only copied the jars to the extensions folder:
/etc/guacamole/extensions
guacamole-auth-jdbc-mysql-0.9.9.jar
guacamole-auth-ldap-0.9.9.jar

/etc/guacamole/lib
mysql-connector-java-5.1.45-bin.jar 

What more should I do?
My catalina.out file:
https://pastebin.com/JW2kker7


vnick wrote
> On Wed, Jan 24, 2018 at 6:15 AM, Przemysław Pach <kontoka...@gmail.com> wrote:
> 
> The LDAP schema changes are only necessary if you want to store
> connections
> inside the LDAP tree.  If you're just doing user authentication from LDAP
> and are storing connections elsewhere (simple file or JDBC), then there's
> no need to change your LDAP schema.
> 
> Guacamole "stacks" authentication modules by matching username - so, if
> the
> username from LDAP matches connections for a specific user in the
> user-mapping.xml file, it should allow them to connect to those.  However,
> I would caution against using user-mapping.xml in anything beyond a simple
> PoC environment (and the manual states that, as well) - it's much better
> to
> use something like JDBC (MySQL, PostgreSQL, or SQL Server) to store your
> connections and then authenticate users via LDAP.  The user-mapping.xml
> file
> is very simple and lacks many of the features and some of the security for
> connections that exist in the JDBC module.
> 
> -Nick

Quoted from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/LDAP-Guacamole-0-9-14-tp2593p2606.html

Yes, I'm not a programmer and don't know how to specify/store RDP connections
in MySQL.
Followed
https://sourceforge.net/p/guacamole/discussion/1110834/thread/b66cf159/?limit=25

BTW: there is nothing about
# Auth provider class
in the guacamole.properties file.

What auth-provider: net.sourceforge. should I write? Or is it an obsolete line?




--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/


Re: LDAP Guacamole 0.9.14

2018-01-25 Thread Jonathan Hankins
Przemysław,

You may want to see what you can find in the event log on your domain
controller. I had to do some googling to figure out how/where to enable
LDAP logging. I did have trouble with a few issues.

1) If your LDAP search filter returns too many results (>1000 by default, I
think) (this is regardless of the max result parameter in guacamole) AD
returns LDAP "paged" results which guacamole doesn't handle, currently. I
had a ticket open on it and I think they are going to build that logic in
when they move to the newer (Apache?) LDAP library.

2) If you are returning users from multiple OUs (your base OU is at the top
and your scope is sub), you may have to use an ldap-username-attribute like
samAccountName instead of CN to auth with, since you need something unique
across all of your OUs. I.e., in AD you can have CN=Jim,OU=Sales,...
(samAccountName=Jim1) and CN=Jim,OU=Management,... (samAccountName=Jim2)
who can't be uniquely identified by "Jim" (CN) but can by "Jim1" and "Jim2"
(samAccountName).

3) AD stores samAccountName case-sensitively, but when you login to
windows, it does a case-insensitive compare against the DC. However,
guacamole does a case-sensitive comparison. I fixed this by lower-casing
all of my users' samAccountNames, but it took some poking around to figure
out how to do it.

If you think any of these are what you're getting stuck on, let me know and
I will be happy to look back at my configs and see what all I did to work
around them.

-Jonathan Hankins


On Thu, Jan 25, 2018 at 9:26 AM Nick Couchman  wrote:

> On Wed, Jan 24, 2018 at 6:15 AM, Przemysław Pach 
> wrote:
>
>>
>> I'm new with guacamole and configured basic WEB authentication with
>> tokens ${GUAC_PASSWORD} and ${GUAC_USERNAME} to use with RDP connection.
>>
>> This works with static
>>
>> 
>> > username="user"
>> password="password"
>> >
>>
>> My goal is to use dynamic WEB authentication with tokens based on LDAP (
>> Active Directory)
>> I've read topic
>> https://sourceforge.net/p/guacamole/discussion/1110834/thread/b66cf159/?limit=25
>> and did everything the same but still getting error "Invalid Login" to web
>> guacamole.
>> Logs in catalina.out show me only:
>>
>>  WARN  o.g.g.n.b.r.a.AuthenticationService - Authentication attempt from
>> 192.168.0.10 for user "test" failed.
>>
>> Nothing more oO. I don't see whether any LDAP query succeeds or fails. What's
>> wrong? My environment: Debian 9 newest and Guacamole installed from the
>> default repository.
>>
>> My /etc/guacamole/guacamole.properties
>> https://pastebin.com/QzGLXRmF
>>
>>
> After changing guacamole.properties and installing the LDAP authentication
> extension, did you either restart your Tomcat instance or re-deploy the
> guacamole.war file?  Changes to extensions and guacamole.properties are only
> read at startup/deploy, so you'll need to do one of those to make it take
> effect.
>
> Also, ActiveDirectory generally does some LDAP referrals, so you might
> want to either play with the ldap-follow-referrals parameter or point the
> configuration directly at your global catalog on your AD server (port 3268).
>
> Also, you might want to post more output from your catalina.out in a
> pastebin - particularly look for the entries when guacamole.war is
> deployed, as it lists the authentication extensions that get deployed and
> gives you any errors from initializing those.
>
>
>> My config:
>> https://pastebin.com/AY0xMM8B
>>
>> I don't understand the topic "LDAP schema"
>> https://guacamole.apache.org/doc/gug/ldap-auth.html from the article. How do I
>> connect Web authentication (LDAP) with the corresponding RDP session like I
>> could do in the static /etc/guacamole/user-mapping.xml with tokens
>> I want dynamic WEB LDAP users with normal RDP sessions like USER WEB =
>> USER RDP.
>>
>>
> The LDAP schema changes are only necessary if you want to store
> connections inside the LDAP tree.  If you're just doing user authentication
> from LDAP and are storing connections elsewhere (simple file or JDBC), then
> there's no need to change your LDAP schema.
>
> Guacamole "stacks" authentication modules by matching username - so, if
> the username from LDAP matches connections for a specific user in the
> user-mapping.xml file, it should allow them to connect to those.  However,
> I would caution against using user-mapping.xml in anything beyond a simple
> PoC environment (and the manual states that, as well) - it's much better to
> use something like JDBC (MySQL, PostgreSQL, or SQL Server) to store your
> connections and then authenticate users via LDAP.  The user-mapping.xml file
> is very simple and lacks many of the features and some of the security for
> connections that exist in the JDBC module.
>
> -Nick
>

-- 
This e-mail is intended only for the recipient and may contain confidential 
or proprietary information. If you are not the intended recipient, the 
review, distribution, duplication or retention of this message and its 
attachments is prohibited. 

Re: LDAP Guacamole 0.9.14

2018-01-25 Thread Nick Couchman
On Wed, Jan 24, 2018 at 6:15 AM, Przemysław Pach 
wrote:

>
> I'm new with guacamole and configured basic WEB authentication with tokens
> ${GUAC_PASSWORD} and ${GUAC_USERNAME} to use with RDP connection.
>
> This works with static
>
> 
>  username="user"
> password="password"
> >
>
> My goal is to use dynamic WEB authentication with tokens based on LDAP (
> Active Directory)
> I've read topic
> https://sourceforge.net/p/guacamole/discussion/1110834/thread/b66cf159/?limit=25
> and did everything the same but still getting error "Invalid Login" to web
> guacamole.
> Logs in catalina.out show me only:
>
>  WARN  o.g.g.n.b.r.a.AuthenticationService - Authentication attempt from
> 192.168.0.10 for user "test" failed.
>
> Nothing more oO. I don't see whether any LDAP query succeeds or fails. What's
> wrong? My environment: Debian 9 newest and Guacamole installed from the
> default repository.
>
> My /etc/guacamole/guacamole.properties
> https://pastebin.com/QzGLXRmF
>
>
After changing guacamole.properties and installing the LDAP authentication
extension, did you either restart your Tomcat instance or re-deploy the
guacamole.war file?  Changes to extensions and guacamole.properties are only
read at startup/deploy, so you'll need to do one of those to make it take
effect.

Also, ActiveDirectory generally does some LDAP referrals, so you might want
to either play with the ldap-follow-referrals parameter or point the
configuration directly at your global catalog on your AD server (port 3268).

Also, you might want to post more output from your catalina.out in a
pastebin - particularly look for the entries when guacamole.war is
deployed, as it lists the authentication extensions that get deployed and
gives you any errors from initializing those.


> My config:
> https://pastebin.com/AY0xMM8B
>
> I don't understand the topic "LDAP schema"
> https://guacamole.apache.org/doc/gug/ldap-auth.html from the article. How do I
> connect Web authentication (LDAP) with the corresponding RDP session like I
> could do in the static /etc/guacamole/user-mapping.xml with tokens
> I want dynamic WEB LDAP users with normal RDP sessions like USER WEB =
> USER RDP.
>
>
The LDAP schema changes are only necessary if you want to store connections
inside the LDAP tree.  If you're just doing user authentication from LDAP
and are storing connections elsewhere (simple file or JDBC), then there's
no need to change your LDAP schema.

Guacamole "stacks" authentication modules by matching username - so, if the
username from LDAP matches connections for a specific user in the
user-mapping.xml file, it should allow them to connect to those.  However,
I would caution against using user-mapping.xml in anything beyond a simple
PoC environment (and the manual states that, as well) - it's much better to
use something like JDBC (MySQL, PostgreSQL, or SQL Server) to store your
connections and then authenticate users via LDAP.  The user-mapping.xml file
is very simple and lacks many of the features and some of the security for
connections that exist in the JDBC module.

-Nick
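Most of the advice in this thread (Nick's: the auth-provider property is gone, user-mapping.xml is for a PoC only, AD hands out referrals so follow them or bind to the global catalog on 3268; Jonathan's: log in by sAMAccountName rather than cn) is visible in guacamole.properties, so it can be linted before the next Tomcat restart. The block below is an added example, not Guacamole code and not anything posted in the thread; it uses the property names and defaults of the 0.9.14 LDAP extension (ldap-port 389, ldap-encryption-method none, ldap-username-attribute uid, ldap-follow-referrals false) and shows a constructed weak file beside the corrected one. Hostnames, DNs, the bind password and the placeholder auth-provider value are invented, and the cleartext-bind and on-disk-password findings go beyond what the thread says, as the checks a reviewer would add.

```python
"""Lint a guacamole.properties for the LDAP/Active Directory pitfalls in the thread.

Added example, not Guacamole code. Both sample files are constructed; the weak
one is the shape of config the thread is debugging, the hardened one has the
thread's advice applied (global catalog over LDAPS, sAMAccountName as the login
attribute, no obsolete or PoC-only properties).
"""
import re

WEAK = """\
guacd-hostname: localhost
guacd-port: 4822
basic-user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourceforge.placeholder.ObsoleteProvider
ldap-hostname: dc01.example.internal
ldap-port: 389
ldap-user-base-dn: OU=Users,DC=example,DC=internal
ldap-username-attribute: cn
ldap-search-bind-dn: CN=guac-svc,OU=Service,DC=example,DC=internal
ldap-search-bind-password: s3cret
"""

HARDENED = """\
guacd-hostname: localhost
guacd-port: 4822
ldap-hostname: dc01.example.internal
ldap-port: 3269
ldap-encryption-method: ssl
ldap-user-base-dn: DC=example,DC=internal
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: CN=guac-svc,OU=Service,DC=example,DC=internal
ldap-search-bind-password: s3cret
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, 'key: value' or 'key=value'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props, active_directory=True):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    f = []
    if "auth-provider" in props:
        f.append(("obsolete-auth-provider",
                  "auth-provider is no longer read; extension jars in GUACAMOLE_HOME/extensions are loaded on their own"))
    if "basic-user-mapping" in props:
        f.append(("user-mapping-in-use",
                  "user-mapping.xml keeps credentials and connections in a flat file; fine for a PoC, use the JDBC extension otherwise"))
    if "ldap-hostname" not in props:
        f.append(("ldap-hostname-missing", "ldap-hostname is unset, so the LDAP extension has nowhere to bind"))
        return f
    port = props.get("ldap-port", "389")
    if props.get("ldap-encryption-method", "none").lower() == "none":
        f.append(("ldap-cleartext",
                  "ldap-encryption-method is none: each login sends the user's password to the directory in clear; use ssl or starttls"))
    if active_directory:
        follows = props.get("ldap-follow-referrals", "false").lower() == "true"
        if port not in ("3268", "3269") and not follows:
            f.append(("ad-referrals",
                      "AD answers forest-wide searches with referrals; set ldap-follow-referrals: true or query the global catalog on 3268/3269"))
        attr = props.get("ldap-username-attribute", "uid")
        if attr.lower() != "samaccountname":
            f.append(("ad-username-attribute",
                      f"ldap-username-attribute is {attr}; AD logons are sAMAccountName, and cn is not unique across OUs"))
    if "ldap-search-bind-password" in props:
        f.append(("bind-password-on-disk",
                  "ldap-search-bind-password is stored in clear; keep guacamole.properties readable only by the Tomcat user"))
    return f


def audit_codes(text, active_directory=True):
    """Convenience wrapper: only the finding codes, in the order they were raised."""
    return [code for code, _ in audit(parse_properties(text), active_directory)]


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for code, msg in audit(parse_properties(text)):
            print(f"[{code}] {msg}")
```

Point it at a real file with audit(parse_properties(open("/etc/guacamole/guacamole.properties").read())); pass active_directory=False for a non-AD directory, where uid and referral-free searches are normal. Whatever it reports only takes effect after a Tomcat restart or a redeploy of guacamole.war, as Nick says above.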