Here's my config, which works in a Win 2k12 AD domain. It's for Docker but you'll
get the idea:
#LDAP Authentication
LDAP_HOSTNAME: dc.domain.tld
LDAP_PORT: 389
LDAP_ENCRYPTION_METHOD: none #Allowed Values are none ssl or starttls
LDAP_SEARCH_BIND_DN: CN=guacamole,OU=Guacamole Users,DC=domain.tld,DC=tld
LDAP_SEARCH_BIND_PASSWORD: super_secret_pass
LDAP_USER_BASE_DN: OU=Guacamole Users,DC=domain,DC=tld
LDAP_USERNAME_ATTRIBUTE: sAMAccountName
I created a "Guacamole Users" OU and moved the users that need to authenticate
to Guacamole into it. Then I created a guacamole user in that same OU with the
"super_secret_password" above, and then I created the same user with NO password
in the Guacamole web GUI and gave it admin access. Then I logged into the
Guacamole web GUI with the guacamole user's AD creds. Then I was able to see the
users in the "Guacamole Users" OU. I verified that users in that OU were able to
log in to Guacamole with their AD creds.
Hope this helps.
-----Original Message-----
From: Caleb Crawford <[email protected]>
Sent: Friday, March 20, 2020 3:12 PM
To: [email protected]
Subject: Re: Guacamole 1.1.0 and LDAP binding on M$ AD
First thing to check: Is 'uid' what you want there? The property in our AD is
'uidNumber' - though I think what you actually want there is 'sAMAccountName'.
I also don't immediately see the config setting 'ldap-user-attributes' in the
documentation which might be breaking things.
Here's a comparison to my config which is working without issue:
ldap-hostname: ldap.ad.mydomain
ldap-port: 389
ldap-user-base-dn: OU=MYOU,DC=MY,DC=DOMAIN
ldap-search-bind-dn: cn=ldapuser,ou=Users,OU=MYOU,DC=MY,DC=DOMAIN
ldap-search-bind-password: myldapuserpassword
ldap-username-attribute: sAMAccountName
ldap-user-search-filter: (&(objectClass=user)(!(objectClass=computer))(CustomString2=*)(!(CustomString2=/nonexistent)))
ldap-group-base-dn: OU=Guacamole Access Groups,OU=MYOU,DC=MY,DC=DOMAIN
On 3/20/20 6:35 AM, Niubbo75 wrote:
> Hello all, I'm going crazy trying to connect to Guacamole via LDAP
> using M$ AD users.
> Here is my LDAP configuration in guacamole.properties (some personal
> data omitted):
>
> ####################################################
> # LDAP Configuration
> ldap-hostname: 192.168.1.249
> ldap-port: 389
> ldap-encryption-method: none
> ldap-search-bind-dn: CN=Administrator,CN=Users,DC=DOMAIN,DC=local
> ldap-search-bind-password: S3cr3t!
> ldap-user-base-dn: CN=Users,DC=DOMAIN,DC=local
> ldap-username-attribute: uid
> ldap-user-attributes: sAMAccountName
> ldap-config-base-dn: CN=Guacamole,CN=Users,DC=DOMAIN,DC=local
> ####################################################
>
> I use Administrator as the bind user. I have also created it in
> Guacamole's MySQL users and I can log in without any problem (I
> created the user using the same password as the domain user has). When I
> log in with Administrator in Guacamole and go under Settings =>
> Users I can't see domain users; if I try to log in with a domain user
> different from Administrator I get this:
>
> 14:21:44.191 [http-nio-8080-exec-6] WARN
> o.a.g.r.auth.AuthenticationService
> - Authentication attempt from 192.168.1.73 for user "mydomainuser" failed.
>
> The LDAP module is correctly loaded from what I can read in catalina.out;
> the bind also seems to be correct because I can't see any related errors or
> warnings. I have these messages:
>
> Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new
> driver class is `com.mysql.cj.jdbc.Driver'. The driver is
> automatically registered via the SPI and manual loading of the driver class
> is generally unnecessary.
>
> I have tried using the same configuration I had used in the past with
> Guacamole 1.0.0 (and that worked) but I still can't see any domain users
> and can't log in with them.
>
> Any help will be very much appreciated. I'm in a hurry to get this working
> because we need to have this to let our colleagues work from home
> due to the covid-19 emergency, thanks.
>
>
>
> --
> Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
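
The settings compared in this thread can be checked mechanically. The following is an added example, not part of any poster's message and not Guacamole's own code; the function names and every sample value (hostname, DNs, password) are constructed, and it assumes the directory is Active Directory.

```python
import re

# Constructed inputs modelled on the thread's settings; hostnames, DNs and the
# password are placeholders. WEAK mirrors the question; FIXED swaps in a
# dedicated bind account, sAMAccountName and starttls.
WEAK = """\
# LDAP Configuration
ldap-hostname: dc.example.test
ldap-port: 389
ldap-encryption-method: none
ldap-search-bind-dn: CN=Administrator,CN=Users,DC=EXAMPLE,DC=test
ldap-search-bind-password: placeholder-password
ldap-user-base-dn: CN=Users,DC=EXAMPLE,DC=test
ldap-username-attribute: uid
"""
FIXED = (WEAK.replace("method: none", "method: starttls")
             .replace("CN=Administrator,CN=Users", "CN=guacamole,OU=Guacamole Users")
             .replace("attribute: uid", "attribute: sAMAccountName"))

def parse_properties(text):
    """Read 'key: value' or 'key=value' lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#:=\s][^:=\s]*)\s*[:=]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_ldap(props):
    """Return (code, message) findings; assumes the directory is Active Directory."""
    out = []
    # Allowed values are none, ssl and starttls; omitting the property means none.
    enc = props.get("ldap-encryption-method", "none").lower()
    if enc == "none":
        out.append(("cleartext-bind", "bind and user passwords are sent "
                    "unencrypted; set starttls or ssl"))
    rdn = props.get("ldap-search-bind-dn", "").split(",", 1)[0].strip().lower()
    if rdn == "cn=administrator":
        out.append(("privileged-bind", "search bind runs as Administrator; "
                    "use a dedicated low-privilege account"))
    # Guacamole falls back to uid when the property is absent; AD logon names
    # live in sAMAccountName, as the reply points out.
    if props.get("ldap-username-attribute", "uid").lower() == "uid":
        out.append(("uid-on-ad", "set ldap-username-attribute to sAMAccountName"))
    return out

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, [code for code, _ in audit_ldap(parse_properties(text))])
```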