Przemysław,

You may want to see what you can find in the event log on your domain controller. I had to do some googling to figure out how/where to enable LDAP logging. I did have trouble with a few issues.

1) If your LDAP search filter returns too many results (>1000 by default, I think) (this is regardless of the max result parameter in guacamole), AD returns LDAP "paged" results, which guacamole doesn't handle currently. I had a ticket open on it and I think they are going to build that logic in when they move to the newer (Apache?) LDAP library.

2) If you are returning users from multiple OUs (your base OU is at the top and your scope is sub), you may have to use an ldap-username-attribute like samAccountName instead of CN to auth with, since you need something unique across all of your OUs. I.e., in AD you can have CN=Jim,OU=Sales,... (samAccountName=Jim1) and CN=Jim,OU=Management,... (samAccountName=Jim2) who can't be uniquely identified by "Jim" (CN) but can by "Jim1" and "Jim2" (samAccountName).

3) AD stores samAccountName case-sensitively, but when you log in to Windows, it does a case-insensitive compare against the DC. However, guacamole does a case-sensitive comparison. I fixed this by lower-casing all of my users' samAccountNames, but it took some poking around to figure out how to do it.

If you think any of these are what you're getting stuck on, let me know and I will be happy to look back at my configs and see what all I did to work around them.

-Jonathan Hankins

On Thu, Jan 25, 2018 at 9:26 AM Nick Couchman <[email protected]> wrote:

> On Wed, Jan 24, 2018 at 6:15 AM, Przemysław Pach <[email protected]> wrote:
>
>> I'm new with guacamole and configured basic WEB authentication with
>> tokens ${GUAC_PASSWORD} and ${GUAC_USERNAME} to use with RDP connection.
>>
>> This works with static
>>
>> <user-mapping>
>> <authorize
>> username="user"
>> password="password"
>> >
>>
>> My goal is to use dynamic WEB authentication with tokens based on LDAP (Active Directory).
>> I've read topic
>> https://sourceforge.net/p/guacamole/discussion/1110834/thread/b66cf159/?limit=25
>> and did everything the same but still getting error "Invalid Login" to web guacamole.
>> Logs catalina.out show me only:
>>
>> WARN o.g.g.n.b.r.a.AuthenticationService - Authentication attempt from
>> 192.168.0.10 for user "test" failed.
>>
>> Nothing more oO Don't see if any LDAP query success or fail. What's wrong?
>>
>> My environment: Debian 9 newest and guacamole installed from default repository.
>>
>> My /etc/guacamole/guacamole.properties
>> https://pastebin.com/QzGLXRmF
>>
>
> After changing guacamole.properties and installing the LDAP authentication
> extension, did you either restart your Tomcat instance or re-deploy the
> guacamole.war file? Changes to extensions and guacamole.properties are only
> read at startup/deploy, so you'll need to do one of those to make it take
> effect.
>
> Also, ActiveDirectory generally does some LDAP referrals, so you might
> want to either play with the ldap-follow-referrals parameter or point the
> configuration directly at your global catalog on your AD server (port 3268).
>
> Also, you might want to post more output from your catalina.out in a
> pastebin - particularly look for the entries when guacamole.war is
> deployed, as it lists the authentication extensions that get deployed and
> gives you any errors from initializing those.
>
>> My config:
>> https://pastebin.com/AY0xMM8B
>>
>> I don't understand topic "LDAP schema"
>> https://guacamole.apache.org/doc/gug/ldap-auth.html from article. How to
>> connect Web authentication (LDAP) with corresponding RDP session like I could
>> do in static /etc/guacamole/user-mapping.xml with tokens?
>> I want dynamic WEB LDAP users with normal RDP sessions like USER WEB = USER RDP.
>>
>
> The LDAP schema changes are only necessary if you want to store
> connections inside the LDAP tree. If you're just doing user authentication
> from LDAP and are storing connections elsewhere (simple file or JDBC), then
> there's no need to change your LDAP schema.
>
> Guacamole "stacks" authentication modules by matching username - so, if
> the username from LDAP matches connections for a specific user in the
> user-mapping.xml file, it should allow them to connect to those. However,
> I would caution against using user-mapping.xml in anything beyond a simple
> PoC environment (and the manual states that, as well) - it's much better to
> use something like JDBC (MySQL, PostgreSQL, or SQL Server) to store your
> connections and then authenticate users via LDAP. The user-mapping.xml file
> is very simple and lacks many of the features and some of the security for
> connections that exist in the JDBC module.
>
> -Nick
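As an added example (not code from anyone in this thread), here is a small Python preflight check that runs over an exported list of AD user entries and flags the three pitfalls Jonathan lists before you point Guacamole at a sub-scope search: a result set above the one-page limit, CN values repeated across OUs, and sAMAccountNames whose case a lowercase login would not match. The sample entries are constructed, and the 1000-entry default is the AD page size he mentions.

```python
from collections import defaultdict

# Constructed sample (not real directory data): (distinguishedName, sAMAccountName)
SAMPLE_ENTRIES = [
    ("CN=Jim,OU=Sales,DC=example,DC=local", "Jim1"),
    ("CN=Jim,OU=Management,DC=example,DC=local", "Jim2"),
    ("CN=Lee\\, Ann,OU=Sales,DC=example,DC=local", "alee"),
    ("CN=Bob,OU=IT,DC=example,DC=local", "bob"),
]

def split_rdns(dn):
    """Split a DN on unescaped commas (a '\\,' inside a value is kept intact)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def cn_of(dn):
    """Value of the leading CN= RDN, or None if the entry's leading RDN is not a CN."""
    attr, _, value = split_rdns(dn)[0].partition("=")
    return value if attr.strip().upper() == "CN" else None

def preflight(entries, page_limit=1000):
    """Flag the three pitfalls for a planned sub-scope search over `entries`."""
    by_cn = defaultdict(list)
    for dn, _sam in entries:
        cn = cn_of(dn)
        if cn is not None:
            by_cn[cn].append(dn)
    return {
        # 1) more hits than one page: AD then returns paged results (page_limit is
        #    AD's default MaxPageSize, as described above; adjust if your DC differs)
        "exceeds_page_limit": len(entries) > page_limit,
        # 2) CN values repeated across OUs cannot serve as a unique login attribute
        "cn_collisions": {cn: dns for cn, dns in by_cn.items() if len(dns) > 1},
        # 3) sAMAccountNames that a lowercase login would not match case-sensitively
        "case_sensitive_risk": sorted(sam for _dn, sam in entries if sam != sam.lower()),
    }
```

Feed it the (dn, sAMAccountName) pairs from an LDIF export of your user base DN; an empty `cn_collisions` means CN would be safe as the username attribute, otherwise switch to sAMAccountName as described above.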
