Hello all,
I am still facing some issues on this topic, and simply can’t figure them out.
This is what I get from guacamole when a specific user wants to login via ldap:
10:34:11.430 [NioProcessor-10] DEBUG org.apache.directory.api.CODEC_LOG -
MSG_14002_DECODED_LDAP_MESSAGE (MessageType : BIND_RESPONSE
Message ID : 1
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment:
AcceptSecurityContext error, data 52e, v2580'
)
10:34:11.430 [NioProcessor-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection -
MSG_04142_MESSAGE_RECEIVED (MessageType : BIND_RESPONSE
Message ID : 1
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment:
AcceptSecurityContext error, data 52e, v2580'
)
10:34:11.430 [NioProcessor-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection -
MSG_04119_GETTING (1,org.apache.directory.ldap.client.api.future.BindFuture)
10:34:11.430 [NioProcessor-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection -
MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
Message ID : 1
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment:
AcceptSecurityContext error, data 52e, v2580'
)
10:34:11.430 [http-nio-8080-exec-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection
- MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
Message ID : 1
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment:
AcceptSecurityContext error, data 52e, v2580'
)
10:34:11.430 [http-nio-8080-exec-10] DEBUG o.a.g.a.f.FileAuthenticationProvider
- User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will
not be read.
10:34:11.430 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService -
Authentication attempt from 10.1.0.4 for user "firstname.lastname" failed.
10:34:11.432 [NioProcessor-10] DEBUG o.a.d.l.c.api.LdapNetworkConnection -
MSG_04126_REMOVING (1,org.apache.directory.ldap.client.api.future.BindFuture)
10:34:12.918 [NioProcessor-8] DEBUG o.a.d.l.c.api.LdapNetworkConnection -
MSG_04137_NOD_RECEIVED ()
However, doing a simple ldapsearch with the same credentials, pointing at the
same DC, things look ok:
root@guaca-replica:/etc/guacamole# ldapsearch -vvv -h 127.0.0.1 -p 389 -D
[email protected] -W -b '' -s base -S 'objectClass=*' 1.1
ldap_initialize( ldap://127.0.0.1:389 )
Enter LDAP Password:
filter: (objectclass=*)
requesting: 1.1
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: 1.1
#
#
dn:
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I simply can’t understand what’s happening. Please help me work this out.
Regards,
Bogdan
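An added example, not code from the thread or from the Guacamole project: a small Python parser that pulls the Active Directory sub-code out of the `AcceptSecurityContext error, data 52e` diagnostic shown in the log above. The sub-code table lets an operator tell a rejected DN/password pair (52e) apart from a disabled, locked or expired account, which the bare "Authentication attempt ... failed" warning does not; the sub-code table is standard AD behaviour, and the second failure in the sample log is constructed for illustration.

```python
import re
from collections import Counter

# Active Directory "data" sub-codes carried in the AcceptSecurityContext
# diagnostic; the LDAP result code itself is always 49 (invalidCredentials).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials: the bind DN/UPN and password pair was rejected",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# \s* tolerates the line wrapping a log viewer or mail client adds.
DIAG_RE = re.compile(
    r"LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),\s*comment:\s*AcceptSecurityContext "
    r"error,\s*data\s*(?P<data>[0-9A-Fa-f]+),\s*v(?P<ver>[0-9A-Fa-f]+)"
)

def parse_ad_bind_error(text):
    """Return dsid, data sub-code and meaning of the first diagnostic in text, else None."""
    m = DIAG_RE.search(text)
    if m is None:
        return None
    data = m.group("data").lower()
    return {"dsid": m.group("dsid"), "data": data,
            "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code")}

def summarize_bind_failures(log_text):
    """Count bind failures per data sub-code across a whole log excerpt."""
    return Counter(m.group("data").lower() for m in DIAG_RE.finditer(log_text))

# Sample input: the wrapped diagnostic from the thread above, plus a constructed
# second failure with sub-code 533 to show that the table separates the two cases.
SAMPLE_LOG = """MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment:
AcceptSecurityContext error, data 52e, v2580'
)
MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment:
AcceptSecurityContext error, data 533, v2580'
)"""

if __name__ == "__main__":
    for code, n in sorted(summarize_bind_failures(SAMPLE_LOG).items()):
        print(f"data {code}: {n} failure(s): {AD_BIND_DATA_CODES.get(code, 'unknown')}")
```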
> On 10 Mar 2020, at 23:34, Stefan Bogdan Cimpeanu <[email protected]> wrote:
>
> Hello Mike,
>
> I understand your point about no caching.
> About debugging, yes I have, and it gives me something like:
> Result code : (INVALID_CREDENTIALS) invalidCredentials
> Matched Dn : ''
>
> My guess is that indeed the LDAP is not in a consistent state at that point.
>
> Thanks!
> Bogdan
>
>> On 10 Mar 2020, at 23:30, Mike Jumper <[email protected]> wrote:
>>
>> On Tue, Mar 10, 2020, 14:16 Stefan Bogdan Cimpeanu <[email protected]> wrote:
>> Hello all,
>>
>> I’m using Azure Active Directory Domain Services as my ldap source for
>> Guacamole. The main use is for RDP with domain joined machines.
>> I sometimes experience two (I think related) issues:
>> - some of the user accounts are not able to log in to guacamole even though
>> the supplied user/password are correct (the user can RDP to the VM directly,
>> but not log in to guacamole). Errors in the logs don't say much except
>> "Authentication attempt from [ IP ] for user xxxx failed"
>> - sometimes it takes a few hours or even a server restart to see newly
>> created AADDS users in guacamole
>>
>> Is there a way I can “force” an ldap sync so that users are added to
>> guacamole?
>>
>> There is no sync. When using LDAP, Guacamole authenticates against LDAP
>> directly. The relevant users and groups do not need to exist in the database
>> except where you are granting those users/groups permissions for connections
>> stored on the database, however the web interface is organized such that
>> attempting to do so would result in their creation.
>>
>> If you are seeing inconsistencies in whether users/groups exist, I don't
>> believe that inconsistency would be on the Guacamole side. There's no cache
>> between sessions, nothing stored from LDAP. Data from LDAP is queried
>> directly as needed. It may be that the LDAP server takes time to become
>> consistent, and that the correlation with server restarts is a coincidence.
>>
>> Regarding the login failures, have you tried enabling debug-level logging
>> for the webapp?
>>
>> - Mike
>>
>