On Wed, Jan 24, 2018 at 6:15 AM, Przemysław Pach <kontoka...@gmail.com>
wrote:

>
> I'm new to Guacamole and configured basic web authentication with the tokens
> ${GUAC_PASSWORD} and ${GUAC_USERNAME} to use with an RDP connection.
>
> This works with a static
>
> <user-mapping>
> <authorize
> username="user"
> password="password"
> >
>
> My goal is to use dynamic web authentication with tokens based on LDAP
> (Active Directory).
> I've read the topic https://sourceforge.net/p/guacamole/discussion/1110834/thread/b66cf159/?limit=25
> and did everything the same, but I'm still getting the error
> "Invalid Login" in the Guacamole web UI.
> The logs in catalina.out show me only:
>
>  WARN  o.g.g.n.b.r.a.AuthenticationService - Authentication attempt from
> 192.168.0.10 for user "test" failed.
>
> Nothing more, oO. I don't see whether any LDAP query succeeded or failed.
> What's wrong? My environment: Debian 9, newest, and Guacamole installed
> from the default repository.
>
> My /etc/guacamole/guacamole.properties
> https://pastebin.com/QzGLXRmF
>
>
After changing guacamole.properties and installing the LDAP authentication
extension, did you either restart your Tomcat instance or re-deploy the
guacamole.war file?  Changes to extensions and guacamole.properties are only
read at startup/deploy, so you'll need to do one of those to make it take
effect.

Also, Active Directory generally does some LDAP referrals, so you might want
to either play with the ldap-follow-referrals parameter or point the
configuration directly at your global catalog on your AD server (port 3268).

Also, you might want to post more output from your catalina.out in a
pastebin - particularly look for the entries when guacamole.war is
deployed, as it lists the authentication extensions that get deployed and
gives you any errors from initializing those.


> My config:
> https://pastebin.com/AY0xMM8B
>
> I don't understand the topic "LDAP schema" at
> https://guacamole.apache.org/doc/gug/ldap-auth.html from the article. How do I
> connect web authentication (LDAP) with the corresponding RDP session, like I
> could do in the static /etc/guacamole/user-mapping.xml with tokens?
> I want dynamic web LDAP users with normal RDP sessions, i.e. USER WEB =
> USER RDP.
>
>
The LDAP schema changes are only necessary if you want to store connections
inside the LDAP tree.  If you're just doing user authentication from LDAP
and are storing connections elsewhere (simple file or JDBC), then there's
no need to change your LDAP schema.

Guacamole "stacks" authentication modules by matching username - so, if the
username from LDAP matches connections for a specific user in the
user-mapping.xml file, it should allow them to connect to those.  However,
I would caution against using user-mapping.xml in anything beyond a simple
PoC environment (and the manual states that, as well) - it's much better to
use something like JDBC (MySQL, PostgreSQL, or SQL Server) to store your
connections and then authenticate users via LDAP.  The user-mapping.xml file
is very simple and lacks many of the features and some of the security for
connections that exist in the JDBC module.

-Nick
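An added example, not part of Nick's reply or of the Guacamole project's own documentation, showing the guacamole.properties LDAP section that the replies above refer to, pointed at an Active Directory global catalog on port 3268. The hostname, base DN and bind account are placeholders; the property names are the ones the Guacamole LDAP extension documents, and ldap-max-referral-hops is included on the assumption that your extension version supports it:

```properties
# guacamole.properties, LDAP section (added example; host and DN values are placeholders)

# Point at the AD global catalog rather than a single domain controller's
# plain LDAP port (389): searches then cover the whole forest and AD returns
# far fewer referrals.
ldap-hostname: dc01.example.local
ldap-port: 3268
# Use 'ssl' (global catalog over TLS is port 3269) or 'starttls' where the
# DC supports it; 'none' sends the bind password in clear text on the wire.
ldap-encryption-method: none

# AD users log in with their sAMAccountName, not the default 'uid' attribute.
ldap-user-base-dn: OU=Users,DC=example,DC=local
ldap-username-attribute: sAMAccountName

# AD does not permit anonymous searches, so a low-privilege bind account is
# needed to resolve the typed username to a DN before the user's own bind.
ldap-search-bind-dn: CN=svc-guac,OU=Service Accounts,DC=example,DC=local
ldap-search-bind-password: REPLACE_ME

# Only relevant if you stay on port 389: AD hands back referrals for objects
# outside the current naming context, and a failed referral looks like a
# failed login in catalina.out.
ldap-follow-referrals: true
ldap-max-referral-hops: 5
```

Java properties files treat a `#` only at the start of a line as a comment, so keep comments on their own lines as above; anything after the value would become part of the value. As the reply notes, the file is read once at deploy time, so restart Tomcat or redeploy guacamole.war after editing it, then look in catalina.out for the extension-loading entries written at deploy time before testing a login.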
