OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t 
installed on the server I have guacamole installed on; didn’t realize that at 
first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters 
and tried again.  The page shows “Invalid Login”, but the following is 
displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect 
Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am 
masking the usernames and such):

ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry
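As an added illustration (not code from this thread or from the Guacamole project), here is a small Python lint over an LDAP block shaped like the one above. It assumes guacamole.properties is read as a Java .properties file (so surrounding quote characters become part of the value), that port 636 is LDAPS and therefore needs ldap-encryption-method=ssl, and that ldap-username-attribute expects an attribute name such as uid rather than a DN.

```python
# Added example: lint the LDAP section of a guacamole.properties file for the
# settings that commonly end in "Unable to connect to LDAP server" or a failed
# search bind. Assumptions: Java .properties semantics (quotes are literal),
# port 636 implies LDAPS (ldap-encryption-method=ssl), and
# ldap-username-attribute holds an attribute name, not a DN.
import re

# Rough shape of an LDAP DN: rdn=value(,rdn=value)*
DN_RE = re.compile(r"^\s*\w+=[^,]+(,\s*\w+=[^,]+)*\s*$")

# Constructed sample mirroring the masked block from the message above.
SAMPLE = """\
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"
"""

# Constructed corrected sample: no quotes, LDAPS declared, attribute name.
FIXED = """\
ldap-hostname=my-host
ldap-port=636
ldap-encryption-method=ssl
ldap-search-bind-dn=cn=My User
ldap-search-bind-password=Pass123
ldap-user-base-dn=dc=my,dc=example,dc=com
ldap-username-attribute=uid
ldap-group-base-dn=cn=groups,cn=accounts,dc=my,dc=example,dc=com
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # first '=' splits key from value
        if sep:
            props[key.strip()] = value.strip()
    return props

def lint_ldap(props):
    """Return a list of human-readable findings for the ldap-* settings."""
    findings = []
    for key, value in props.items():
        if key.startswith("ldap-") and len(value) >= 2 and value[0] == value[-1] == '"':
            findings.append(f"{key}: quotes are part of the value in a .properties file ({value})")
    if props.get("ldap-port") == "636" and props.get("ldap-encryption-method", "none").strip('"') != "ssl":
        findings.append("ldap-port=636 is the LDAPS port but ldap-encryption-method is not 'ssl'")
    attr = props.get("ldap-username-attribute", "uid").strip('"')
    if DN_RE.match(attr):
        findings.append(f"ldap-username-attribute looks like a DN ({attr}); expected an attribute name such as uid")
    return findings

if __name__ == "__main__":
    for finding in lint_ldap(parse_properties(SAMPLE)):
        print(finding)
```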

From: Nick Couchman [mailto:[email protected]]
Sent: Tuesday, November 21, 2017 9:20 AM
To: [email protected]
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, <[email protected]> wrote:
I set SELinux to permissive and put the LDAP extension back (it's under 
/usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and tried 
to log in using an LDAP user.  I click Login and on the Network tab, it shows 
tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any 
further.


Okay...on the system where you're running Tomcat, can you make sure the 
OpenLDAP client utilities are installed and then use "ldapsearch" to query the 
same LDAP server that you're trying to use in Guacamole?  Something like this:

ldapsearch -H ldap://<server> -D <Search User> -W -b <base dn> cn=<Some User In 
LDAP>

...substituting in the above parameters, and make sure you get a response?

-Nick
