For some reason I do not understand, I cannot enable debug logging. I have added the logback.xml to /etc/guacamole (where guacamole.properties is located).
Startup in catalina.out shows Loading logback configuration from "/usr/share/tomcat7/.guacamole/logback.xml" (this file is either copied or contains the same information); however, I only get info level logging. What am I doing wrong? (see appended startup messages)

Regarding https://issues.apache.org/jira/browse/GUACAMOLE-696: group base-dn is set to the root of the directory, I think this should cause matching groups …?

Thanks a lot
--Philip

INFO: Starting Servlet Engine: Apache Tomcat/7.0.68 (Ubuntu)
Jan 13, 2019 9:21:48 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /var/lib/tomcat7/webapps/guacamole.war
Jan 13, 2019 9:21:49 PM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
21:21:49.364 [localhost-startStop-1] INFO o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/usr/share/tomcat7/.guacamole".
21:21:49.425 [localhost-startStop-1] INFO o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes of inactivity.
21:21:49.489 [localhost-startStop-1] INFO org.apache.guacamole.log.LogModule - Loading logback configuration from "/usr/share/tomcat7/.guacamole/logback.xml".
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.RESTExceptionMapper as a provider class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.extension.ExtensionRESTService as a root resource class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.language.LanguageRESTService as a root resource class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.patch.PatchRESTService as a root resource class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.auth.TokenRESTService as a root resource class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.apache.guacamole.rest.session.SessionRESTService as a root resource class
Jan 13, 2019 9:21:50 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory register
INFO: Registering org.codehaus.jackson.jaxrs.JacksonJsonProvider as a provider class
Jan 13, 2019 9:21:50 PM com.sun.jersey.server.impl.application.WebApplicationImpl _initiate
INFO: Initiating Jersey application, version 'Jersey: 1.17.1 02/28/2013 12:47 PM'
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.RESTExceptionMapper to GuiceManagedComponentProvider with the scope "Singleton"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.codehaus.jackson.jaxrs.JacksonJsonProvider to GuiceManagedComponentProvider with the scope "Singleton"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.extension.ExtensionRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.language.LanguageRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.patch.PatchRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.auth.TokenRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
Jan 13, 2019 9:21:51 PM com.sun.jersey.guice.spi.container.GuiceComponentProviderFactory getComponentProvider
INFO: Binding org.apache.guacamole.rest.session.SessionRESTService to GuiceManagedComponentProvider with the scope "PerRequest"
Jan 13, 2019 9:21:51 PM org.webjars.servlet.WebjarsServlet init
INFO: WebjarsServlet initialization completed
Jan 13, 2019 9:21:51 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive /var/lib/tomcat7/webapps/guacamole.war has finished in 3,271 ms
Jan 13, 2019 9:21:51 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
Jan 13, 2019 9:21:51 PM org.apache.catalina.core.StandardContext setPath
WARNING: A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to []
Jan 13, 2019 9:21:51 PM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jan 13, 2019 9:21:51 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/lib/tomcat7/webapps/ROOT has finished in 186 ms
Jan 13, 2019 9:21:51 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]

From: Nick Couchman <[email protected]>
Sent: Sunday, January 13, 2019 20:23
To: [email protected]
Subject: Re: ldap groups in 1.0.0 RC1

On Sun, Jan 13, 2019 at 7:43 AM Philip Herbert <[email protected]> wrote:

> as it seems impossible to change the structure of an ldap, because a single application expects users and groups
> in different parts of the ldap directory, I would like to try to find out why this config is failing

We certainly do not try to design the LDAP authentication extension with the notion of having you reorganize your entire tree to suit the needs of Guacamole. The Guacamole extension does not expect users and groups to be in different parts of the tree - it simply gives you different options for searching for users, groups, and connections, and leaving them out allows you to disable items that you don't use. For example, I use Guacamole, with Active Directory, but don't care about having either LDAP groups or connections pulled in from AD - I'm only interested in authentication and users. Hopefully this helps explain why it is structured the way it is.

> If I set ldap-user-base-dn and ldap-group-base-dn to the same value (pointing to the root of the directory, like DC=DOMAIN,DC=DE),
> then any attempt to login causes an error:
>
> 13:12:15.772 [http-bio-8080-exec-4] INFO o.a.g.r.auth.AuthenticationService - User "philip" successfully authenticated from [192.168.121.212, 0:0:0:0:0:0:0:1].
> 13:12:16.745 [http-bio-8080-exec-4] WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
>
> There is no additional output in catalina.out

Might be worth putting logging into DEBUG mode and see if anything else is captured. Instructions for that are here:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

This looks like it could be a bug, but hard to know for sure without some more detailed logging.

> In my last post:
> dap-username-attribute:sAMAccountName
> was a copy/paste error. The 'l' before ldap is not missing …
>
> I have managed to get clean user / group lists by modifying
> the function getGroupSearchFilter in UserGroupService.jar to return only objectClass=group
>
> //return "(objectClass=*)";
> return "(objectClass=group)";
>
> with the following properties:
>
> ldap-hostname: dc.domain.de
> ldap-port:3269
> ldap-encryption-method:ssl
> ldap-search-bind-dn:cn=GuacamoleLDAP,cn=Users,dc=domain,dc=de
> ldap-search-bind-password:<something>
> ldap-user-base-dn:dc=domain,dc=de
> ldap-group-base-dn:dc=domain,dc=de
> ldap-username-attribute:sAMAccountName
> ldap-max-search-results:4000
> ldap-follow-referrals:true
> ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
>
> With this config and change, I get a clean list of (person) users in the user tab and a clean list of groups in the group tab.
> When I assign a connection profile to a group, the connection is visible to the users, but they cannot connect, due to missing permissions.
> 'You do not have permissions to access this connection'

Hmmm. I wonder if this is related to this issue:

https://issues.apache.org/jira/browse/GUACAMOLE-696

??

-Nick
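
For reference, a logback.xml for GUACAMOLE_HOME that raises only the LDAP extension and the provider facade to debug while the rest of the web application stays at info. This is an added example, not a file posted in the thread; the two logger names are assumptions (the LDAP extension's package, and the expansion of the abbreviated "o.a.g.e.AuthenticationProviderFacade" seen in the log above), and the pattern is chosen to match the existing Guacamole lines in catalina.out.

```xml
<!-- Added example, not from the thread: scoped debug logging for LDAP troubleshooting. -->
<configuration>

    <!-- Console output ends up in catalina.out under Tomcat -->
    <appender name="GUAC-CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
            <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>

    <!-- Assumption: package of the LDAP authentication extension -->
    <logger name="org.apache.guacamole.auth.ldap" level="debug"/>

    <!-- Assumption: package of AuthenticationProviderFacade, which emits the
         "internal error" warning and suggests debug-level logging -->
    <logger name="org.apache.guacamole.extension" level="debug"/>

    <!-- Everything else stays at info to keep catalina.out readable -->
    <root level="info">
        <appender-ref ref="GUAC-CONSOLE"/>
    </root>

</configuration>
```

Tomcat has to be restarted for the file to be read again; set both loggers back to info once the failing login has been captured.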
