OK I was able to get it to log in. Here’s what I changed in my guacamole.properties to make it work: ldap-search-bind-dn:cn=”Directory Manager” ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
So the user logs in fine, but in /var/log/messages, I get the following errors that I’m not sure are relevant or not: Dec 1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully authenticated from 172.31.26.216. Dec 1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon Moen". Dec 1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve Smith". Dec 1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN o.a.g.auth.ldap.user.UserService - Could not query list of all users for attribute "cn": Error while querying users. VERY close now! Thoughts? Harry From: Erik Berndt [mailto:[email protected]] Sent: Friday, December 01, 2017 12:19 PM To: [email protected] Subject: Re: Configuring LDAP I don't know if you paraphrased the config file, but I noticed the ldap-search-bind-dn common name doesn't have the space escaped. I wonder if guacd is treating the ldap-search-bind-dn cn as two separate entries, hence the "Multiple DNs possible" error? I'm not sure if it's required or not, but I fully qualified each LDAP parameter i.e. ldap-search-bind-dn: CN="Directory Manager",OU=foo,DC=faa,DC=gov" and it's working successfully for us. The search-bind-dn user should be part of the base-dn in case it isn't already. The relevant LDAP attributes from our working configuration are below. ldap-hostname: dc.local ldap-port: 389 ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net ldap-search-bind-dn: CN=guacamole,OU="Information Technology",OU=Office,OU="Superior Paving Employees",DC=superiorpaving,DC=net ldap-search-bind-password: XXXXX Erik Berndt / Systems Administrator 5551 Wellington Rd, Gainesville, VA 20155 703.631.0004 x520 (Phone) / 703.257.1725 (Fax) http://www.superiorpaving.net Need to open an IT support ticket? http://FixIT.superiorpaving.net/portal or [email protected]<mailto:[email protected]> On Fri, Dec 1, 2017 at 11:11 AM, <[email protected]<mailto:[email protected]>> wrote: Just wondering if anyone has any ideas on how the LDAP is configured below? This still isn’t working for me and I’d like to know why. Thanks, Harry From: Devine, Harry (FAA) Sent: Monday, November 27, 2017 1:49 PM To: [email protected]<mailto:[email protected]> Subject: RE: Configuring LDAP Here’s my current /etc/guacamole/guacamole.properties file: #MySQL properties mysql-hostname: localhost mysql-port:3306 mysql-database: guacdb mysql-username: guacuser mysql-password: guacadmin mysql-default-max-connections-per-user: 0 mysql-default-max-group-connections-per-user:0 #LDAP properties ldap-hostname:my.hostname ldap-port:389 ldap-encryption-method:none ldap-dereference-aliases:never ldap-search-bind-dn:cn=Directory Manager ldap-search-bind-password:pass123 ldap-user-base-dn:dc=example,dc=com #ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com ldap-username-attribute:cn ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com When I use the ldap-username-attribute:cn setting, I get the error where the Multiple DNs are what’s being complained about. If I use the other one (the commented out one above), I simply get “Authentication attempted …… failed”. We use the “cn=users,cn=accounts” string in other projects where we communicate with our LDAP server, so I’m pretty sure that’s correct. Thanks, Harry From: Jonathan Hankins [mailto:[email protected]] Sent: Monday, November 27, 2017 12:38 PM To: [email protected]<mailto:[email protected]> Subject: Re: Configuring LDAP Harry, you said you tried "modifying ldap-username-attribute to be cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm. Ldap-username-attribute should be an LDAP attribute name like cn. Could you post your complete (redacted) guacamole.properties as you have it currently? Also, I saw that on a previous attempt today you got the log message: Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com] If you have two users under your search base with uid (or cn, or whatever you are using for ldap-username-attribute) "harry.devine" you are going to have to use a more specific search base or a more unique ldap-username-attribute or a more restrictive search filter so that you don't get multiple matches for the username you are typing into the username field on the login page. I.e., the attribute you match against has to uniquely identify the user beneath your search base for your query. -Jonathan Hankins On Mon, Nov 27, 2017, 10:10 AM Nick Couchman <[email protected]<mailto:[email protected]>> wrote: On Mon, Nov 27, 2017 at 10:02 AM, <[email protected]<mailto:[email protected]>> wrote: OK, so I tried that, including modifying ldap-username-attribute to be cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the Developer Tools, and the following error in /var/log/messages: Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from xxx.xxx.xxx.xxx for user "harry.devine" failed. However, I know that the password is 100% correct. Where to look now? I feel we’re getting very close. What LDAP server are you running? You probably mentioned it already somewhere in this thread, and I'm going to guess Active Directory, but just want to make sure? If it's OpenLDAP then it is quite possible it is configured to disallow logins without some form of encryption (although I wouldn't expect the search bind to work in this case, but who knows). AD doesn't usually have those restrictions, but depending on the environment, it actually might require encryption, as well. Other than that, it would be useful to get a log from the LDAP server that indicates why it is failing authentication - if it believes the password is wrong, or if it is throwing some other sort of error. I realize that you might be in an organization where you don't have access to that server or those logs, but, if you do, that would be helpful. -Nick This e-mail is intended only for the recipient and may contain confidential or proprietary information. If you are not the intended recipient, the review, distribution, duplication or retention of this message and its attachments is prohibited. Please notify the sender of this error immediately by reply e-mail, and permanently delete this message and its attachments in any form in which they may have been preserved.
