We’re using Red Hat Enterprise Linux 7.4 with SELinux set to enforcing. I disabled the LDAP extension and just used MySQL for the guacadmin user and could log in. I do see the following information in /var/log/messages:
Nov 20 13:43:57 access server: 13:43:57.545 [http-bio-8080-exec-6] INFO o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from 172.31.26.216.
Nov 20 13:44:01 access setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java from name_connect access on the tcp_socket port 3306. For complete SELinux messages run: sealert -l 1514ddfd-32d5-4705-b5d3-cdec3cb55f46
Nov 20 13:44:01 access python: SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java from name_connect access on the tcp_socket port 3306.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that java should be allowed name_connect access on the port 3306 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'java' --raw | audit2allow -M my-java
# semodule -i my-java.pp

I found the following bug against the SELinux policy RPMs: https://bugzilla.redhat.com/show_bug.cgi?id=1491747

As a workaround, I made that portion with the bug set to Permissive. Did that a few weeks ago, so Guacamole is working for at least the local Admin user. Not for LDAP.

Harry

From: Nick Couchman [mailto:[email protected]]
Sent: Monday, November 20, 2017 1:25 PM
To: [email protected]
Subject: Re: Configuring LDAP

On Mon, Nov 20, 2017 at 1:06 PM, <[email protected]> wrote:

/var/log/messages doesn't show anything at all when I try the login. Also, when I click Login, the area at the top of the Developer Tools window (with the times in it 2000ms, 4000ms, etc.) updates, but the list of javascript files that is accessed doesn't change. The tokens file/topic is in red, and it says that the Initiator is angular.js on line 9902.
Okay, a couple of things for you:

- This thread started out as an issue with the LDAP module/authentication, but I'm fairly convinced it has absolutely nothing to do with LDAP. Have you tried removing the LDAP module and just using something like the JDBC module, or even the simple file authentication module, and see if it works at all like that? I suspect it will not, but it would be good to confirm.

- What client platform are you running (Windows, Linux, etc.), and have you tried it on more than one client system, and preferably on more than one platform?

- This issue really sounds like some sort of security software intercepting the browser's attempt to log in to the system. Do you have any sort of A/V or security extension installed in the browser (e.g. McAfee, Symantec, etc.), any of the Chrome Enterprise Group Policies deployed, or any sort of web security software running on the client, that could be blocking this web page from actually submitting the data to the Guacamole system? The behavior you are describing sounds very much like something is stopping the browser from actually making the call to the REST endpoint, and not like a Tomcat/servlet issue.

-Nick
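The setroubleshoot denial quoted earlier in this thread (java blocked from name_connect to port 3306) is the kind of message worth triaging before switching a domain to permissive. As an added example, not from the thread or the Guacamole project, here is a small Python parser that pulls the executable, port and sealert id out of such /var/log/messages lines and suggests the narrowest fix; the port-type table and the tomcat_can_network_connect_db boolean are my assumptions from the RHEL 7 policy, and the sample log and its second (LDAP) denial are constructed.

```python
import re

# Constructed sample in /var/log/messages format. Line 2 is the denial quoted in
# the thread; line 3 is a made-up LDAP (389) denial with a placeholder sealert id.
SAMPLE_LOG = """\
Nov 20 13:43:57 access server: 13:43:57.545 [http-bio-8080-exec-6] INFO o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from 172.31.26.216.
Nov 20 13:44:01 access setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java from name_connect access on the tcp_socket port 3306. For complete SELinux messages run: sealert -l 1514ddfd-32d5-4705-b5d3-cdec3cb55f46
Nov 20 13:44:09 access setroubleshoot: SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/bin/java from name_connect access on the tcp_socket port 389. For complete SELinux messages run: sealert -l 00000000-0000-0000-0000-000000000000
"""

# setroubleshoot summary: "SELinux is preventing <exe> from <perm> access on the <class> port <n>."
DENIAL_RE = re.compile(
    r"SELinux is preventing (?P<exe>\S+) from (?P<perm>\w+) access on the "
    r"(?P<cls>\w+) port (?P<port>\d+)\."
    r"(?: For complete SELinux messages run: sealert -l (?P<sealert>[0-9a-f-]+))?"
)

# TCP port -> SELinux port type (assumed from `semanage port -l` on RHEL 7).
PORT_TYPES = {3306: "mysqld_port_t", 389: "ldap_port_t", 636: "ldap_port_t"}

# Boolean that lets tomcat_t reach database ports on RHEL 7 (assumed; confirm
# with `getsebool tomcat_can_network_connect_db` on the host).
BOOLEAN_HINTS = {"mysqld_port_t": "tomcat_can_network_connect_db"}


def parse_denials(log_text):
    """Return one record per port denial found in syslog text; other lines are skipped."""
    found = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue  # e.g. the successful-authentication line
        port = int(m.group("port"))
        found.append({
            "exe": m.group("exe"), "perm": m.group("perm"), "cls": m.group("cls"),
            "port": port, "port_type": PORT_TYPES.get(port, "unknown"),
            "sealert": m.group("sealert"),
        })
    return found


def recommend(denial):
    """Narrowest fix first: a policy boolean, else a scoped module; never a permissive domain."""
    boolean = BOOLEAN_HINTS.get(denial["port_type"])
    if boolean:
        return "setsebool -P %s 1  # grants only %s access" % (boolean, denial["port_type"])
    return ("review `sealert -l %s`, then build a module limited to this access with "
            "ausearch/audit2allow" % (denial["sealert"] or "<id>"))
```

Running parse_denials over real /var/log/messages output gives one record per denial, and recommend() prefers a scoped boolean or module over the permissive-domain workaround used in the thread.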
