Hi again Nick,

OK, so I tested it again and imported the LDAP certificate, even though I would expect that this is not necessary, as it should be trusted (because it is not a self-signed one). On the Guacamole server, I did

    openssl s_client -showcerts -connect ldap.campus.unibe.ch:636 </dev/null 2>/dev/null | openssl x509 -outform PEM > mycert.pem

to download the cert from the LDAP server. And then I added the cert to the keystore with

    keytool -importcert -alias "ldaps" -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/lib/security/cacerts -file mycert.pem

However, I have no success; it is still not possible to log in with LDAP.

Fun fact: when I try to log in via LDAP and enter a wrong password, Guacamole does display a message that the password was wrong. However, when I enter the correct password, I get the message about the unknown internal error.

I also tried different versions of the LDAP auth extension, so I used v1.0.0 as well as v1.1.0, both with the same result.

Best
Tobias

From: Nick Couchman [mailto:[email protected]]
Sent: Saturday, 22 February 2020 19:19
To: [email protected]
Subject: Re: Problem with LDAP authentication

On Mon, Feb 17, 2020 at 7:28 AM Pluess, Tobias <[email protected]> wrote:

Hi,

I have successfully installed Guacamole on a CentOS 7 server. I can log in as user "guacadmin", create connections using RDP or SSH, and connect to different hosts. So far it works fine.

However, I now would like to use LDAPS for user authentication. We do have an Active Directory which can be accessed via LDAPS, and I have successfully managed to set up LDAPS authentication for some other services we use (Gitea, Nextcloud). On those servers it works fine, but I cannot make it work with Guacamole! I use Guacamole 1.1.0 with the Guacamole LDAP authentication extension.

Following is my LDAPS configuration in the guacamole.properties file:

    ldap-hostname: ldap.server.domain.ch
    ldap-port: 636
    ldap-encryption-method: ssl
    ldap-search-bind-dn: [email protected]
    ldap-search-bind-password: (some password)
    ldap-user-base-dn: ou=MYOU,dc=server,dc=domain,dc=ch
    ldap-username-attribute: sAMAccountName
    ldap-user-search-filter: (samAccountType=805306368)

Is your LDAP server certificate trusted within the Java framework that is running Tomcat - that is, have you imported it into cacerts?

-Nick
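Added example, not code from this thread or from the Guacamole project: a bash script for the check Nick asks about, i.e. whether the certificate chain the LDAPS server actually presents validates against the certificates already in the JVM's cacerts, and which certificate (the issuing CA, rather than the server's own leaf certificate that the openssl x509 pipeline above extracts) to import if it does not. The hostname, port, keystore path and the JDK default store password "changeit" are assumptions passed in as arguments; the certificates it is exercised with are generated locally with openssl, so nothing here touches a real directory server.

```bash
#!/usr/bin/env bash
# Added example, not from the mailing-list thread or the Guacamole project.
# Checks whether the chain an LDAPS server presents validates against the
# certificates a Java truststore (cacerts) already contains, and tells you
# which certificate (the issuing CA) to import if it does not.
# Assumptions: openssl and keytool are on PATH; the store password is the
# JDK default "changeit" unless one is passed explicitly.
set -euo pipefail

# Print the PEM certificates the server sends during the TLS handshake
# (leaf first, then any intermediates it is configured to send).
fetch_server_chain() {   # host port
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" \
        </dev/null 2>/dev/null
}

# Split a PEM bundle into one file per certificate: $2/cert-0.pem is the
# leaf, cert-1.pem the next certificate up the chain, and so on. Lines
# outside BEGIN/END markers (s_client chatter) are dropped.
# Prints the number of certificates found.
split_pem_bundle() {     # bundle.pem outdir
    local bundle="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" (n-1) ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$bundle"
    find "$outdir" -name 'cert-*.pem' | wc -l | tr -d ' '
}

# Dump every trusted certificate in a Java truststore as PEM so that
# openssl can verify against the same trust anchors Tomcat's JVM uses.
java_truststore_to_pem() {   # keystore [storepass]
    keytool -list -rfc -keystore "$1" -storepass "${2:-changeit}" 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Exit 0 if the leaf builds a valid chain to an anchor in the trust file.
# Further arguments go to openssl verify, e.g. "-untrusted inter.pem" for
# intermediates the server sent along.
chain_validates() {      # leaf.pem trust.pem [openssl verify options...]
    local leaf="$1" trust="$2"
    shift 2
    openssl verify -CAfile "$trust" "$@" "$leaf" >/dev/null 2>&1
}

# Subject of the certificate that issued the leaf: this is what to look
# for in (or add to) the truststore, rather than the server's own cert.
issuer_of() {            # leaf.pem
    openssl x509 -in "$1" -noout -issuer
}

# Import a CA certificate into the Java truststore under an alias.
import_into_truststore() {   # ca.pem keystore alias [storepass]
    keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$1" \
        -keystore "$2" -storepass "${4:-changeit}"
}

# Usage: ./ldaps-trust-check.sh ldap.example.test 636 /path/to/cacerts
if [ "$#" -ge 3 ]; then
    work=$(mktemp -d)
    fetch_server_chain "$1" "$2" > "$work/bundle.pem"
    count=$(split_pem_bundle "$work/bundle.pem" "$work/chain")
    echo "server sent $count certificate(s); leaf $(issuer_of "$work/chain/cert-0.pem")"
    java_truststore_to_pem "$3" > "$work/java-trust.pem"
    # Everything the server sent after the leaf is offered as untrusted
    # intermediates; only cacerts entries count as trust anchors.
    extra=()
    for f in "$work"/chain/cert-[1-9]*.pem; do
        [ -e "$f" ] && extra+=(-untrusted "$f")
    done
    if chain_validates "$work/chain/cert-0.pem" "$work/java-trust.pem" ${extra[@]+"${extra[@]}"}; then
        echo "OK: the JVM truststore already trusts this chain"
    else
        echo "NOT trusted: import the issuing CA, e.g."
        echo "  import_into_truststore <issuer-ca.pem> $3 ldaps-ca"
    fi
fi
```

What the script reports is OpenSSL's chain building against a PEM dump of cacerts, which is a close stand-in for, not identical to, the JVM's PKIX validation; read a NOT trusted result as a reason to compare the leaf's issuer with what was imported, not as a final verdict. Importing the issuing CA instead of the leaf also keeps trust intact when the server certificate is renewed.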
