On 08/08/2019 23:27, surfrock66 wrote:
I'm pretty confused here, I see documentation that it should be relatively
painless to get LDAP with AD working with Guacamole, but I can't for the
life of me get it to work.  Our target clients will be Windows machines, so
RDP is critical.

My AD has users nested under sites under our root, so I cannot provide a
root DN that is not the root of my domain.  This is relevant later.  My
LDAP_USER_BASE_DN="DC=AD,DC=DOMAIN,DC=org".

My preferred target platform is Ubuntu Server 19.04.  Using the docker
image, I cannot get AD authentication to work.  When viewing the docker
logs, I see this:

[your log messages were stripped out of the mailing list, so copying from the website...]

22:23:04.355 [http-nio-8080-exec-10] WARN  o.a.g.auth.ldap.ObjectQueryService - Given a referral, but referrals are disabled. Error was: Referral
22:23:04.355 [http-nio-8080-exec-10] WARN  o.a.g.auth.ldap.ObjectQueryService - Given a referral, but referrals are disabled. Error was: Referral
22:23:04.356 [http-nio-8080-exec-10] WARN  o.a.g.auth.ldap.ObjectQueryService - Given a referral, but referrals are disabled. Error was: Referral
22:23:04.359 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.1.18.39 for user "username" failed.

This error has been referenced before in GUACAMOLE-243 and a fix was applied
in 0.9.14, but it appears to have regressed in 1.0.0?
https://issues.apache.org/jira/browse/GUACAMOLE-243

GUACAMOLE-243 introduced the ability to follow LDAP referrals but that's disabled by default; see the ldap-follow-referrals option at

https://guacamole.apache.org/doc/gug/ldap-auth.html#guac-ldap-config

Full docker commands (with org stuff commented out) for completeness:

[similarly copy/pasting back in...]

docker run \
        --name org-guacamole \
        --link org-guacd:guacd \
        -e LDAP_HOSTNAME="10.1.10.3" \
        -e LDAP_PORT="389" \
        -e lDAP-USERNAME-ATTRIBUTE=cn \
        -e LDAP_USER_BASE_DN="DC=AD,DC=DOMAIN,DC=org" \
        -e LDAP_SEARCH_BIND_DN="CN=svcLDAPLookup,OU=Service Accounts,DC=AD,DC=DOMAIN,DC=org" \
        -e LDAP_SEARCH_BIND_PASSWORD=********** \
        -d -p 8080:8080 guacamole/guacamole

I don't use the docker image but based upon the description of enable-environment-properties at:

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup

...I think you might also want to specify "-e LDAP_FOLLOW_REFERRALS=true". Note also that you've specified "-e lDAP-USERNAME-ATTRIBUTE=cn", which I think ought to be "-e LDAP_USERNAME_ATTRIBUTE=cn".

Adam
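
The two points in the reply above can be checked mechanically before the container is started. The script below is an added example, not part of the original message and not Guacamole project code. It assumes the variable name is the property name in upper case with dashes replaced by underscores, and its function names and sample command are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the "-e NAME=value" arguments of a docker run command.
# Assumption: variable name = property name uppercased, dashes -> underscores.

# Map a guacamole.properties name to the environment variable name.
prop_to_env() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | sed 'y/-/_/'
}

# Print every variable name passed with -e in the command text on stdin.
env_names() {
    grep -oE '(^|[[:space:]])-e[[:space:]]+[A-Za-z0-9_-]+=' |
        sed -E 's/^[[:space:]]*-e[[:space:]]+//; s/=$//'
}

# Print "given -> expected" for each name that breaks the convention.
lint_env_names() {
    env_names | while IFS= read -r name; do
        want=$(prop_to_env "$name")
        [ "$name" = "$want" ] || printf '%s -> %s\n' "$name" "$want"
    done
}

# Succeed if the command text on stdin sets the variable for property $1.
sets_property() {
    env_names | grep -qx "$(prop_to_env "$1")"
}

# Constructed sample, modelled on the command quoted in the thread.
SAMPLE='docker run --name org-guacamole --link org-guacd:guacd
  -e LDAP_HOSTNAME="10.1.10.3" -e LDAP_PORT="389"
  -e lDAP-USERNAME-ATTRIBUTE=cn
  -e LDAP_USER_BASE_DN="DC=AD,DC=DOMAIN,DC=org"
  -d -p 8080:8080 guacamole/guacamole'

printf '%s\n' "$SAMPLE" | lint_env_names
printf '%s\n' "$SAMPLE" | sets_property ldap-follow-referrals ||
    echo "ldap-follow-referrals is not set"
```

A misnamed variable is silently ignored rather than rejected, so the effect is the same as leaving the setting at its default.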
