On Fri, Feb 2, 2018 at 5:25 AM, Ferron Nijland - Switch IT Solutions <f.nijl...@switch.nl> wrote:

> Hello Everyone,
>
>
>

Hello Ferron,

> I’ve installed a new installation of Guacamole 9.14.
>
> I can access the GUI and login with sql authentication.
>
> Now I’ve added LDAP authentication, but it doesn’t seem to work.
>
> The guacd service starts without problems, so I’ve no idea where to look.
>
>
>

guacd actually has nothing to do with the authentication mechanism in use;
it handles only the low-level remote desktop connection. If the LDAP
authentication isn't working for you, the first thing to check would be the
logs from the web application. Assuming you are using Tomcat, these will be
logged to Tomcat's logs, most likely "catalina.out".

> My guacamole.properties in /etc/guacamole is like:
>
>
>
> # Hostname and port of guacamole proxy
>
> guacd-hostname: localhost
>
> guacd-port:     4822
>
>
Beware that these property values are actually the defaults. Having them
will not hurt anything, but Guacamole will assume these values if these
properties are omitted.


>
> # Location to read extra .jar's from
>
> lib-directory:  /etc/guacamole/lib
>
>
The "lib-directory" property has actually been deprecated since 0.9.7, and
as of 0.9.10-incubating no longer has any effect:

http://guacamole.apache.org/releases/0.9.10-incubating/#removal-of-deprecated-lib-directory-and-auth-provider-properties

The lib directory used by Guacamole is now always GUACAMOLE_HOME/lib/,
which matches the value you are trying to use here.


>
> # Authentication provider class
>
> #auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
>
>
>
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
>
>

Like the "lib-directory" property, the "auth-provider" property has been
deprecated since 0.9.7 and as of 0.9.10-incubating no longer has any effect:

http://guacamole.apache.org/releases/0.9.10-incubating/#removal-of-deprecated-lib-directory-and-auth-provider-properties

In prior releases which followed 0.9.7, attempting to use this property
would have resulted in a warning in the logs. With the property having now
been fully removed, it is simply silently ignored. The authentication
mechanism in use is dictated purely by the extensions installed within
GUACAMOLE_HOME/extensions/.


> #LDAP Properties
>
> ldap-hostname: 10.75.10.12
>
> ldap-port: 3268
>
> ldap-user-base-dn: DC=domain,DC=local
>
> ldap-search-bind-dn: CN=sa_ ldap_guac,OU=Service Accounts,DC=domain,DC=local
>
> ldap-search-bind-password: password
>
> ldap-username-attribute: sAMAccountName
>
>
>
Depending on what you see in the Tomcat logs from Guacamole, I suggest
trying a few searches against your LDAP directory, binding to the LDAP
directory using the search DN and password you've specified here, making
sure you can execute queries against the "DC=domain,DC=local" tree. If you
cannot execute such searches, that is probably why things are failing, and
there should be corresponding errors in the logs.

> # Properties used by BasicFileAuthenticationProvider
>
> basic-user-mapping: /etc/guacamole/user-mapping.xml
>
>
The "basic-user-mapping" property has been deprecated since
0.9.10-incubating:

http://guacamole.apache.org/releases/0.9.10-incubating/#deprecation-of-the-basic-user-mapping-property

Its use would have resulted in a warning regarding its deprecation in the
logs. Though still supported in 0.9.14, support for this property has
recently been removed entirely. It will no longer be supported in future
releases:

https://issues.apache.org/jira/browse/GUACAMOLE-494

- Mike
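
The checks described in the reply above, as an added example that is not part of the original message and not Guacamole's own code: a Python script that flags the properties the reply identifies as ignored, deprecated or equal to the defaults, and builds an `ldapsearch` command for the suggested manual bind test. The function names, finding labels and test username are assumptions; the sample configuration is constructed from the one quoted in the thread.

```python
import re
import shlex

NO_EFFECT = {"lib-directory", "auth-provider"}   # ignored as of 0.9.10-incubating
DEPRECATED = {"basic-user-mapping"}              # deprecated since 0.9.10-incubating
DEFAULTS = {"guacd-hostname": "localhost", "guacd-port": "4822"}

# Constructed sample, adapted from the configuration quoted in the thread.
SAMPLE = """\
guacd-hostname: localhost
guacd-port:     4822
lib-directory:  /etc/guacamole/lib
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
ldap-hostname: 10.75.10.12
ldap-port: 3268
ldap-user-base-dn: DC=domain,DC=local
ldap-search-bind-dn: CN=sa_ ldap_guac,OU=Service Accounts,DC=domain,DC=local
ldap-username-attribute: sAMAccountName
basic-user-mapping: /etc/guacamole/user-mapping.xml
"""

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines; skip blanks and comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!:=\s][^:=\s]*)\s*[:=]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def lint(props):
    """Return (property, finding) pairs for settings that do less than they appear to."""
    findings = []
    for key, value in props.items():
        if key in NO_EFFECT:
            findings.append((key, "silently ignored"))
        elif key in DEPRECATED:
            findings.append((key, "deprecated"))
        elif DEFAULTS.get(key) == value:
            findings.append((key, "same as default"))
    return findings

def bind_test_command(props, username):
    """Build an ldapsearch call repeating the search bind; -W prompts for the password."""
    esc = re.sub(r"[\\*()\x00]", lambda c: "\\%02x" % ord(c.group()), username)
    argv = ["ldapsearch", "-x", "-W",
            "-H", "ldap://%s:%s" % (props["ldap-hostname"], props["ldap-port"]),
            "-D", props["ldap-search-bind-dn"], "-b", props["ldap-user-base-dn"],
            "(%s=%s)" % (props["ldap-username-attribute"], esc)]
    return " ".join(shlex.quote(a) for a in argv)
```

If the generated command cannot bind or returns no entry for a known account, the same failure should appear in the web application's log.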
