On Tue, Jun 30, 2020 at 19:07 Henri Alves de Godoy <[email protected]> wrote:
> Hi Nick, thanks for the reply!
>
> My configuration:
>
> guacd-hostname: localhost
> guacd-port: 4822
>
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
> auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider

This option is not valid and will have no effect.

> ldap-hostname: server
> ldap-port: 389
> ldap-encryption-method: none
> ldap-user-base-dn: ou=Users,ou=ADM,ou=FCA,dc=fca,dc=unicamp,dc=br
> ldap-search-bind-dn: cn=userldap,ou=FCA,dc=fca,dc=unicamp,dc=br
> ldap-search-bind-password: pass
> ldap-username-attribute: sAMAccountName
> ldap-follow-referrals: true

Unless you need referrals enabled for traversing your LDAP directory you might try turning this option off.

> mysql-hostname: localhost
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: guacadmin
> mysql-password: pass
>
> And the log does not show anything or any error, but it is not binding with AD LDAP
>
> Jun 30 20:28:41 remoto server: 20:28:41.435 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - [2] Binding AuthenticationProvider "org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider".
> Jun 30 20:28:41 remoto server: 20:28:41.627 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "LDAP Authentication" loaded.
> Jun 30 20:30:58 remoto server: 20:30:58.633 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - [2] Binding AuthenticationProvider "org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider".
> Jun 30 20:30:58 remoto server: 20:30:58.815 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "LDAP Authentication" loaded.
>
> Jun 30 20:34:00 remoto server: Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
> Jun 30 20:34:01 remoto server: 20:34:01.082 [http-bio-8443-exec-1] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
> Jun 30 20:34:01 remoto server: 20:34:01.082 [http-bio-8443-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [143.106.230.18, 143.106.231.10] failed.
> Jun 30 20:34:07 remoto server: 20:34:07.391 [http-bio-8443-exec-3] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
> Jun 30 20:34:07 remoto server: 20:34:07.494 [http-bio-8443-exec-3] INFO o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from [143.106.230.18, 143.106.231.10].
> Jun 30 20:34:07 remoto server: 20:34:07.539 [http-bio-8443-exec-3] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
> Jun 30 20:34:07 remoto server: 20:34:07.563 [http-bio-8443-exec-3] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "guacadmin".
> Jun 30 20:34:07 remoto server: 20:34:07.810 [http-bio-8443-exec-7] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
> Jun 30 20:34:07 remoto server: 20:34:07.828 [http-bio-8443-exec-7] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
> Jun 30 20:34:08 remoto server: 20:34:08.076 [http-bio-8443-exec-3] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.

Does the guacadmin user also exist in your LDAP directory? It looks from these like you're authenticating with guacadmin successfully and the JDBC user is logging that user in. What happens when you attempt to authenticate with a user from your LDAP directory?
Keep in mind that, unless the guacadmin user exists in your LDAP directory and has the same password as the database user, you won't be able to see any of the LDAP users with the guacadmin user. The search user that you specify in the configuration file is only ever used to attempt to locate the user logging in - it is *not* used to enumerate all available users, groups, and/or configurations from LDAP. Those operations are done as the user who actually logs in.

-Nick
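As an added example (not from this thread and not part of the Guacamole project), the following Python lint reads a guacamole.properties file with java.util.Properties semantics, so a key given twice is reported together with the value that actually takes effect (the last one), and it flags the two settings Nick comments on above. The sample file is constructed from the configuration quoted in the thread with the passwords replaced by placeholders; the check messages and the `lint` function are my own, not Guacamole's.

```python
"""Lint a guacamole.properties file as java.util.Properties would read it.

Added example, not code from the mailing-list thread or the Guacamole
project. The checks are assumptions about what a reviewer of this
configuration would want flagged.
"""
import re
from collections import OrderedDict

# Constructed from the configuration quoted in the thread; passwords replaced.
SAMPLE_PROPERTIES = """\
guacd-hostname: localhost
guacd-port: 4822

auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider

ldap-hostname: server
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: ou=Users,ou=ADM,ou=FCA,dc=fca,dc=unicamp,dc=br
ldap-search-bind-dn: cn=userldap,ou=FCA,dc=fca,dc=unicamp,dc=br
ldap-search-bind-password: PLACEHOLDER_PASSWORD
ldap-username-attribute: sAMAccountName
ldap-follow-referrals: true

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacadmin
mysql-password: PLACEHOLDER_PASSWORD
"""

# Properties syntax: key, then ':' or '=' (or whitespace), then the value.
# The key stops at the first ':' or '=' so DNs containing '=' stay in the value.
_KV = re.compile(r"^\s*([^\s:=]+)\s*[:=]?\s*(.*?)\s*$")


def parse_properties(text):
    """Return (effective, duplicates).

    effective:  key -> value that java.util.Properties ends up with (last wins)
    duplicates: key -> every value seen, for keys that appear more than once
    """
    seen = OrderedDict()
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue  # blank or comment line
        match = _KV.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        seen.setdefault(key, []).append(value)
    effective = {key: values[-1] for key, values in seen.items()}
    duplicates = {key: values for key, values in seen.items() if len(values) > 1}
    return effective, duplicates


def lint(text):
    """Return a list of human-readable findings for the given properties text."""
    effective, duplicates = parse_properties(text)
    findings = []
    for key, values in duplicates.items():
        findings.append(
            f"duplicate key '{key}': only the last value takes effect ({values[-1]}); "
            f"earlier value(s) are silently ignored: {values[:-1]}"
        )
    if effective.get("ldap-encryption-method", "").lower() == "none":
        findings.append(
            "ldap-encryption-method is 'none': the search bind password and every "
            "user's credentials cross the network in cleartext; use starttls or ssl"
        )
    if effective.get("ldap-follow-referrals", "").lower() == "true":
        findings.append(
            "ldap-follow-referrals is 'true': leave this off unless referrals are "
            "needed to traverse the directory"
        )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PROPERTIES):
        print("-", finding)
```

Running the script against the sample prints one finding per problem: the duplicated auth-provider key resolves to the MySQL value only, the LDAP bind is unencrypted, and referral chasing is enabled.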
