I don't know if you paraphrased the config file, but I noticed the ldap-search-bind-dn common name doesn't have the space escaped. I wonder if guacd is treating the ldap-search-bind-dn cn as two separate entries, hence the "Multiple DNs possible" error?
I'm not sure if it's required or not, but I fully qualified each LDAP parameter, i.e. ldap-search-bind-dn: CN="Directory Manager",OU=foo,DC=faa,DC=gov and it's working successfully for us. The search-bind-dn user should be part of the base-dn in case it isn't already. The relevant LDAP attributes from our working configuration are below.

ldap-hostname: dc.local
ldap-port: 389
ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-dn: CN=guacamole,OU="Information Technology",OU=Office,OU="Superior Paving Employees",DC=superiorpaving,DC=net
ldap-search-bind-password: XXXXX

Erik Berndt / Systems Administrator

On Fri, Dec 1, 2017 at 11:11 AM, <[email protected]> wrote:
> Just wondering if anyone has any ideas on how the LDAP is configured
> below? This still isn’t working for me and I’d like to know why.
>
> Thanks,
>
> Harry
>
> *From:* Devine, Harry (FAA)
> *Sent:* Monday, November 27, 2017 1:49 PM
> *To:* [email protected]
> *Subject:* RE: Configuring LDAP
>
> Here’s my current /etc/guacamole/guacamole.properties file:
>
> #MySQL properties
> mysql-hostname: localhost
> mysql-port:3306
> mysql-database: guacdb
> mysql-username: guacuser
> mysql-password: guacadmin
> mysql-default-max-connections-per-user: 0
> mysql-default-max-group-connections-per-user:0
>
> #LDAP properties
> ldap-hostname:my.hostname
> ldap-port:389
> ldap-encryption-method:none
> ldap-dereference-aliases:never
> ldap-search-bind-dn:cn=Directory Manager
> ldap-search-bind-password:pass123
> ldap-user-base-dn:dc=example,dc=com
> #ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com
> ldap-username-attribute:cn
> ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com
>
> When I use the ldap-username-attribute:cn setting, I get the error where
> the Multiple DNs are what’s being complained about. If I use the other one
> (the commented out one above), I simply get “Authentication attempted ……
> failed”. We use the “cn=users,cn=accounts” string in other projects where
> we communicate with our LDAP server, so I’m pretty sure that’s correct.
>
> Thanks,
>
> Harry
>
> *From:* Jonathan Hankins [mailto:[email protected] <[email protected]>]
> *Sent:* Monday, November 27, 2017 12:38 PM
> *To:* [email protected]
> *Subject:* Re: Configuring LDAP
>
> Harry, you said you tried "modifying ldap-username-attribute to be
> cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm.
> Ldap-username-attribute should be an LDAP attribute name like cn. Could you
> post your complete (redacted) guacamole.properties as you have it currently?
>
> Also, I saw that on a previous attempt today you got the log message:
>
> Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN
> o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user
> "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com,
> uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com]
>
> If you have two users under your search base with uid (or cn, or whatever
> you are using for ldap-username-attribute) "harry.devine" you are going to
> have to use a more specific search base or a more unique
> ldap-username-attribute or a more restrictive search filter so that you
> don't get multiple matches for the username you are typing into the
> username field on the login page.
>
> I.e., the attribute you match against has to uniquely identify the user
> beneath your search base for your query.
>
> -Jonathan Hankins
>
> On Mon, Nov 27, 2017, 10:10 AM Nick Couchman <[email protected]> wrote:
>
> On Mon, Nov 27, 2017 at 10:02 AM, <[email protected]> wrote:
>
> OK, so I tried that, including modifying ldap-username-attribute to be
> cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the
> Developer Tools, and the following error in /var/log/messages:
>
> Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> xxx.xxx.xxx.xxx for user "harry.devine" failed.
>
> However, I know that the password is 100% correct. Where to look now? I
> feel we’re getting very close.
>
> What LDAP server are you running? You probably mentioned it already
> somewhere in this thread, and I'm going to guess Active Directory, but just
> want to make sure? If it's OpenLDAP then it is quite possible it is
> configured to disallow logins without some form of encryption (although I
> wouldn't expect the search bind to work in this case, but who knows). AD
> doesn't usually have those restrictions, but depending on the environment,
> it actually might require encryption, as well. Other than that, it would
> be useful to get a log from the LDAP server that indicates why it is
> failing authentication - if it believes the password is wrong, or if it is
> throwing some other sort of error. I realize that you might be in an
> organization where you don't have access to that server or those logs, but,
> if you do, that would be helpful.
>
> -Nick
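The rule Jonathan states above (the username attribute must match exactly one entry beneath the search base) can be modelled offline. The following is an added example, not code from the Guacamole project: it builds a constructed in-memory directory shaped like the two DNs in the "Multiple DNs possible" log line, and the helpers split_dn, normalize_dn, is_under, find_user_dns, resolve_user and describe_lookup are this example's own names, not the guacamole-auth-ldap API. It shows why a base of dc=example,dc=com returns two DNs for the same uid while cn=users,cn=accounts,dc=example,dc=com returns one, why a DN string used as ldap-username-attribute matches nothing at all, and it accepts both the plain and the double-quoted DN value spelling (the older RFC 1779 form used in Erik's configuration) when comparing DNs.

```python
"""Model of the user lookup Guacamole's LDAP extension performs (added example).

A login name becomes a subtree search under ldap-user-base-dn for entries
whose ldap-username-attribute equals that name; exactly one DN must come
back. DIRECTORY is constructed to mirror the DN shapes in the thread's log
line, and every helper name here is this example's own, not the extension's.
"""
from __future__ import annotations


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings on commas that are neither backslash-escaped
    (RFC 4514, e.g. 'cn=Smith\\, John') nor inside a double-quoted value
    (RFC 1779 style, e.g. 'CN="Directory Manager"')."""
    rdns: list[str] = []
    buf: list[str] = []
    quoted = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def normalize_rdn(rdn: str) -> str:
    """Case-fold type and value and drop surrounding double quotes, so that
    'CN="Directory Manager"' and 'cn=directory manager' compare equal
    (uid, cn and dc all use case-insensitive matching rules in LDAP)."""
    attr, _, value = rdn.partition("=")
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return f"{attr.strip().lower()}={value.lower()}"


def normalize_dn(dn: str) -> tuple[str, ...]:
    return tuple(normalize_rdn(r) for r in split_dn(dn))


def is_under(entry_dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry lies under the base when the base's RDNs are a
    suffix of the entry's RDNs."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


# Constructed sample directory: the same uid once under cn=compat and once
# under cn=accounts (as in the log line), plus an unrelated user.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    "uid=harry.devine,cn=users,cn=compat,dc=example,dc=com":
        {"uid": ["harry.devine"], "cn": ["harry.devine"]},
    "uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com":
        {"uid": ["harry.devine"], "cn": ["harry.devine"]},
    "uid=jane.doe,cn=users,cn=accounts,dc=example,dc=com":
        {"uid": ["jane.doe"], "cn": ["jane.doe"]},
}


def find_user_dns(directory: dict, base_dn: str, username_attribute: str,
                  username: str) -> list[str]:
    """Subtree search for (username_attribute=username) under base_dn. A DN
    string passed as the attribute name (the mix-up discussed in the thread)
    names no real attribute and therefore matches nothing."""
    attr = username_attribute.strip().lower()
    return [
        dn for dn, attrs in directory.items()
        if is_under(dn, base_dn)
        and any(v.lower() == username.lower() for v in attrs.get(attr, []))
    ]


def resolve_user(directory: dict, base_dn: str, username_attribute: str,
                 username: str) -> str:
    """Return the single matching DN; zero or several matches are a failure."""
    matches = find_user_dns(directory, base_dn, username_attribute, username)
    if not matches:
        raise LookupError(f'No DN found for user "{username}" under {base_dn}')
    if len(matches) > 1:
        raise LookupError(f'Multiple DNs possible for user "{username}": {matches}')
    return matches[0]


def describe_lookup(base_dn: str, username_attribute: str, username: str,
                    directory: dict = DIRECTORY) -> str:
    """One-line outcome string ("ok: <dn>" or "error: <reason>")."""
    try:
        return "ok: " + resolve_user(directory, base_dn, username_attribute, username)
    except LookupError as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    for base, attribute in [
        ("dc=example,dc=com", "uid"),                       # too broad: both subtrees
        ("cn=users,cn=accounts,dc=example,dc=com", "uid"),  # narrowed: unique match
        ("dc=example,dc=com", "cn=users,cn=accounts,dc=example,dc=com"),  # DN as attribute
    ]:
        print(f"base={base!r} attr={attribute!r} -> "
              f"{describe_lookup(base, attribute, 'harry.devine')}")
```

Before changing guacamole.properties, the same three cases can be checked against the real server with a subtree ldapsearch for the username attribute under the candidate base DN: the number of entries returned is the number Guacamole will see.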
