Hi, I have sucessfully installed Guacamole on a Centos 7 server. I can log in as user "guacadmin", create connections using RDP or SSH, and connect to different hosts. So far it works fine.
However, I now would like to use LDAPS for use authentication. We do have an Active Directory which can be accessed via LDAPS and I have sucessfully managed to set up LDAPS authentication for some other services we use (Gitea, Nextcloud). On those servers it works fine, but I cannot make it work with Guacamole! I use Guacamole 1.1.0 with the Guacamole LDAP authentication extension. Following is my LDAPS configuration in the guacamole.properties file: ldap-hostname: ldap.server.domain.ch ldap-port: 636 ldap-encryption-method: ssl ldap-search-bind-dn: [email protected] ldap-search-bind-password: (some password) ldap-user-base-dn: ou=MYOU,dc=server,dc=domain,dc=ch ldap-username-attribute: sAMAccountName ldap-user-search-filter: (samAccountType=805306368) I enabled debug log level for guacd, and this is what I find in the logs: (see below) especially interesting is the line where it says "user successfully authenticated", so I would expect that I am able to login, but instead, I get an error message in the browser, telling that Guacamole had an internal error. On the very bottom line of the logs you can see that indeed the LDAP authentication module seems to have some internal problem. How can I find out what is going on? I tried to enable debug log level for the LDAP authentication module, but I couldn't find any documentation about this. What I have already tried: a) use different versions of Guacamole: I tried with 1.0.0, same problem. b) I manually queried the LDAP server from that machine using the command "ldapsearch". This was successful and worked fine. Any hints for that? Many thanks in advance. Tobias Feb 17 13:17:04 guacamole server: 13:17:04.084 [http-bio-8080-exec-48] DEBUG o.a.g.a.ldap.LDAPConnectionService - Connecting to LDAP server using SSL/TLS. Feb 17 13:17:04 guacamole server: 13:17:04.203 [http-bio-8080-exec-48] DEBUG o.a.g.auth.ldap.ObjectQueryService - Searching "ou=MYOU,dc=server,dc=domain,dc=ch" for objects matching "(&(samAccountType=805306368)(sAMAccountName=<username>))". Feb 17 13:17:04 guacamole server: 13:17:04.210 [http-bio-8080-exec-48] DEBUG o.a.g.a.ldap.LDAPConnectionService - Connecting to LDAP server using SSL/TLS. Feb 17 13:17:04 guacamole server: 13:17:04.319 [http-bio-8080-exec-48] INFO o.a.g.r.auth.AuthenticationService - User "<username>" successfully authenticated from <my IP address>. Feb 17 13:17:04 guacamole server: 13:17:04.319 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Opening JDBC Connection Feb 17 13:17:04 guacamole server: 13:17:04.319 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Checked out connection 1100486697 from pool. Feb 17 13:17:04 guacamole server: 13:17:04.319 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1100486697 ... Feb 17 13:17:04 guacamole server: 13:17:04.322 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1100486697 is GOOD! Feb 17 13:17:04 guacamole server: 13:17:04.322 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Setting autocommit to false on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@41981829] Feb 17 13:17:04 guacamole server: 13:17:04.323 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Preparing: SELECT guacamole_user.user_id, guacamole_entity.entity_id, guacamole_entity.name, password_hash, password_salt, password_date, disabled, expired, access_window_start, access_window_end, valid_from, valid_until, timezone, full_name, email_address, organization, organizational_role, MAX(start_date) AS last_active FROM guacamole_user JOIN guacamole_entity ON guacamole_user.entity_id = guacamole_entity.entity_id LEFT JOIN guacamole_user_history ON guacamole_user_history.user_id = guacamole_user.user_id WHERE guacamole_entity.name = ? AND guacamole_entity.type = 'USER' GROUP BY guacamole_user.user_id, guacamole_entity.entity_id; SELECT guacamole_user_attribute.user_id, guacamole_user_attribute.attribute_name, guacamole_user_attribute.attribute_value FROM guacamole_user_attribute JOIN guacamole_user ON guacamole_user.user_id = guacamole_user_attribute.user_id JOIN guacamole_entity ON guacamole_user.entity_id = guacamole_entity.entity_id WHERE guacamole_entity.name = ? AND guacamole_entity.type = 'USER' Feb 17 13:17:04 guacamole server: 13:17:04.323 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: <username>(String), <username>(String) Feb 17 13:17:04 guacamole server: 13:17:04.328 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.user.UserMapper.selectOne - <== Total: 0 Feb 17 13:17:04 guacamole server: 13:17:04.328 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@41981829] Feb 17 13:17:04 guacamole server: 13:17:04.329 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@41981829] Feb 17 13:17:04 guacamole server: 13:17:04.329 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1100486697 ... Feb 17 13:17:04 guacamole server: 13:17:04.329 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1100486697 is GOOD! Feb 17 13:17:04 guacamole server: 13:17:04.329 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 1100486697 to pool. Feb 17 13:17:04 guacamole server: 13:17:04.330 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Opening JDBC Connection Feb 17 13:17:04 guacamole server: 13:17:04.330 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Checked out connection 1960179742 from pool. Feb 17 13:17:04 guacamole server: 13:17:04.330 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1960179742 ... Feb 17 13:17:04 guacamole server: 13:17:04.331 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1960179742 is GOOD! Feb 17 13:17:04 guacamole server: 13:17:04.331 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Setting autocommit to false on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@74d5f81e] Feb 17 13:17:04 guacamole server: 13:17:04.331 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.u.UserRecordMapper.insert - ==> Preparing: INSERT INTO guacamole_user_history ( remote_host, user_id, username, start_date, end_date ) VALUES ( ?, (SELECT user_id FROM guacamole_user JOIN guacamole_entity ON guacamole_user.entity_id = guacamole_entity.entity_id WHERE guacamole_entity.name = ? AND guacamole_entity.type = 'USER'), ?, ?, ? ) Feb 17 13:17:04 guacamole server: 13:17:04.331 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.u.UserRecordMapper.insert - ==> Parameters: <my IP address>(String), <username>(String), <username>(String), 2020-02-17 13:17:04.33(Timestamp), null Feb 17 13:17:04 guacamole server: 13:17:04.332 [http-bio-8080-exec-48] DEBUG o.a.g.a.j.u.UserRecordMapper.insert - <== Updates: 1 Feb 17 13:17:04 guacamole server: 13:17:04.332 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Committing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@74d5f81e] Feb 17 13:17:04 guacamole server: 13:17:04.369 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@74d5f81e] Feb 17 13:17:04 guacamole server: 13:17:04.369 [http-bio-8080-exec-48] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [com.mysql.cj.jdbc.ConnectionImpl@74d5f81e] Feb 17 13:17:04 guacamole server: 13:17:04.369 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1960179742 ... Feb 17 13:17:04 guacamole server: 13:17:04.369 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1960179742 is GOOD! Feb 17 13:17:04 guacamole server: 13:17:04.369 [http-bio-8080-exec-48] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 1960179742 to pool. Feb 17 13:17:04 guacamole server: 13:17:04.370 [http-bio-8080-exec-48] DEBUG o.a.g.a.ldap.LDAPConnectionService - Connecting to LDAP server using SSL/TLS. Feb 17 13:17:04 guacamole server: 13:17:04.453 [http-bio-8080-exec-48] DEBUG o.a.g.auth.ldap.ObjectQueryService - Searching "ou=MYOU,dc=server,dc=domain,dc=ch" for objects matching "(&(samAccountType=805306368)(sAMAccountName=<username>))". Feb 17 13:17:04 guacamole server: 13:17:04.461 [http-bio-8080-exec-48] DEBUG o.a.g.a.ldap.LDAPConnectionService - Connecting to LDAP server using SSL/TLS. Feb 17 13:17:04 guacamole server: 13:17:04.548 [http-bio-8080-exec-48] DEBUG o.a.g.auth.ldap.ObjectQueryService - Searching "ou=MYOU,dc=server,dc=domain,dc=ch" for objects matching "(&(samAccountType=805306368)(sAMAccountName=*))". Feb 17 13:17:06 guacamole server: 13:17:06.507 [http-bio-8080-exec-48] WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
