RE: Configuring LDAP

[harry.devine]

Update: using port 389 and none for encryption, and I had to change the search 
DN to be just cn=Directory Manager.  Now I get the following error:

Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN  
o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user 
"harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, 
uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
Nov 27 09:42:01 access server: 09:42:01.917 [http-bio-8080-exec-6] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 
xxx.xxx.xxx.xxx for user "harry.devine" failed.

When I tried port 636 and encryption set to SSL, I get “Unable to bind using 
search DN “cn=Directory Manager”.  Ultimately, we need to have SSL working, so 
any help with first: logging in, then second, logging in via SSL/636 would be 
great.

Thanks,
Harry

From: Devine, Harry (FAA)
Sent: Monday, November 27, 2017 9:32 AM
To: user@guacamole.apache.org
Subject: RE: Configuring LDAP

OK, I just tried it again with both 389/none and 636/ssl for those parameters, 
and both times I get the following errors:

Nov 27 09:30:31 access server: 09:30:31.838 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
"cn=Directory Manager,dc=example,dc=com"
Nov 27 09:30:31 access server: 09:30:31.839 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

Thanks,
Harry
From: Jonathan Hankins [mailto:jhank...@homewood.k12.al.us]
Sent: Monday, November 27, 2017 9:27 AM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: Re: Configuring LDAP

Harry, if you are using ldap-port:636, you probably need to specify:

ldap-encryption-method: ssl

I believe the default is "none" .

Assuming you are able to temporarily configure your LDAP server to allow 
unencrypted binds(if it isn't already), you may want to test with ldap-port: 
389 and ldap-encryption-method: none  to make sure you have all of your LDAP 
settings correct before enabling encryption, then tackle the encryption.
-Jonathan Hankins

On Mon, Nov 27, 2017, 8:23 AM 
<harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote:
I just got back into the office and tried what you suggested.  Whenever I don’t 
have quotes around the ldap-search-bind-dn value, the login button doesn’t seem 
to respond.  In the Network tab in Chrome’s Developer Tools, the 
/guacamole/api/tokens call always shows “(pending)” as the status instead of 
200 or 403.

Here’s what I have for my LDAP values in guacamole.properties (again, masking 
out the real values):

ldap-hostname:ldap.hostname
ldap-port:636
ldap-search-bind-dn:cn=Directory Manager,dc=example,dc=com
ldap-search-bind-password:pass123
ldap-user-base-dn:dc=example,dc=com
ldap-username-attribute:cn
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Jonathan Hankins 
[mailto:jhank...@homewood.k12.al.us<mailto:jhank...@homewood.k12.al.us>]
Sent: Wednesday, November 22, 2017 1:41 PM

To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: Re: Configuring LDAP

Harry,

I believe you need to fully qualify your ldap-search-bind-dn:

ldap-search-bind-dn: cn=My User,dc=my,dc=example,dc=com

And your ldap-username-attribute should be the name of an ldap attribute that 
you want to match usernames against, such as cn:


ldap-username-attribute: cn

Also, unsure if the config you posted was pseudo-code, but the 
guacamole.properties file should look like:

varname: this is the value to end of line

See my examples above.

-Jonathan Hankins


On Tue, Nov 21, 2017, 3:41 PM Hawkins, Richard 
<richard.hawk...@medctrbarbour.org<mailto:richard.hawk...@medctrbarbour.org>> 
wrote:

Restart tomcat

Service tomcat restart..

Tail –f /var/log/messages


Authenticated



From: harry.dev...@faa.gov<mailto:harry.dev...@faa.gov> 
[mailto:harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>]
Sent: Tuesday, November 21, 2017 2:01 PM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: RE: Configuring LDAP

OK, took me a little bit to weed through some OpenLDAP config issues (it wasn’t 
installed on the server I have guacamole installed on; didn’t realize that at 
first), but I got the ldapsearch working.  So I re-enabled the LDAP parameters 
and tried again.  The page shows “Invalid Login”, but the following is 
displayed in the /var/log/messages:

Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect 
Error
Nov 21 14:56:15 access server: 14:56:15.495 [http-bio-8080-exec-9] ERROR 
o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
""cn=My User""
Nov 21 14:56:15 access server: 14:56:15.496 [http-bio-8080-exec-9] WARN  
o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.31.26.216 
for user "harry.devine" failed.

I have the LDAP parameters defined as follows in guacamole properties (I am 
masking the usernames and such):
ldap-hostname="my-host"
ldap-port=636
ldap-search-bind-dn="cn=My User"
ldap-search-bind-password="Pass123"
ldap-user-base-dn="dc=my,dc=example,dc=com"
ldap-username-attribute="cn=users,cn=accounts,dc=my,dc=example,dc=com"
ldap-group-base-dn="cn=groups,cn=accounts,dc=my,dc=example,dc=com"

Ideas?
Harry

From: Nick Couchman [mailto:vn...@apache.org<mailto:vn...@apache.org>]
Sent: Tuesday, November 21, 2017 9:20 AM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: Re: Configuring LDAP

On Tue, Nov 21, 2017 at 8:10 AM, 
<harry.dev...@faa.gov<mailto:harry.dev...@faa.gov>> wrote:
I set SELinux to permissive and put the LDAP extension back (its under 
/usr/share/tomcat/.guacamole/extensions), restarted tomcat and guacd, and try 
to log in using an LDAP user.  I click Login and on the Network tab, it shows 
tokens (/guacamole/api/tokens) as having a “pending” status.  Never gets any 
further.


Okay...on the system where you're running Tomcat, can you make sure the 
OpenLDAP client utilities are installed and then use "ldapsearch" to query the 
same LDAP server that you're trying to use in Guacamole?  Something like this:

ldapsearch -H ldap://<server> -D <Search User> -W -b <base dn> cn=<Some User In 
LDAP>

...substituting in the above parameters and make sure you get a response?

-Nick

This e-mail is intended only for the recipient and may contain confidential or 
proprietary information. If you are not the intended recipient, the review, 
distribution, duplication or retention of this message and its attachments is 
prohibited. Please notify the sender of this error immediately by reply e-mail, 
and permanently delete this message and its attachments in any form in which 
they may have been preserved.

This e-mail is intended only for the recipient and may contain confidential or 
proprietary information. If you are not the intended recipient, the review, 
distribution, duplication or retention of this message and its attachments is 
prohibited. Please notify the sender of this error immediately by reply e-mail, 
and permanently delete this message and its attachments in any form in which 
they may have been preserved.