Hi Nick, I just performed a test, I left the guacadmin passwords for LDAP and MySQL different.

When I type the user with the LDAP password, now he is showing the users. Wow, I can't believe it. I thought I would be stuck forever in version 1.0.0.

But another problem. LDAP login is taking about 8 to 12 seconds. Too much time for the user. I believe it is because when logging in, you are looking for all kinds of user attributes. Any way to solve this and make it quick? See example:

Jun 30 23:04:43 remoto server: 23:04:42.952 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (givenName)
Jun 30 23:04:43 remoto server: 23:04:42.956 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (distinguishedName)
Jun 30 23:04:43 remoto server: 23:04:42.960 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (instanceType)
Jun 30 23:04:43 remoto server: 23:04:42.963 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (whenCreated)
Jun 30 23:04:43 remoto server: 23:04:42.967 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (whenChanged)
Jun 30 23:06:30 remoto server: 23:06:30.203 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (objectClass)
Jun 30 23:06:30 remoto server: 23:06:30.210 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (cn)
Jun 30 23:06:30 remoto server: 23:06:30.214 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (c)
Jun 30 23:06:30 remoto server: 23:06:30.219 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (l)
Jun 30 23:06:30 remoto server: 23:06:30.223 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (st)
Jun 30 23:06:30 remoto server: 23:06:30.227 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (title)
Jun 30 23:06:30 remoto server: 23:06:30.231 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (description)
Jun 30 23:06:30 remoto server: 23:06:30.235 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (postalCode)
Jun 30 23:06:38 remoto server: 23:06:36.307 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (name)
Jun 30 23:06:38 remoto server: 23:06:36.308 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (objectGUID)
Jun 30 23:06:38 remoto server: 23:06:36.310 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (userAccountControl)
Jun 30 23:06:38 remoto server: 23:06:36.311 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (badPwdCount)
Jun 30 23:06:38 remoto server: 23:06:36.312 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (codePage)
Jun 30 23:06:38 remoto server: 23:06:36.313 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (countryCode)
Jun 30 23:06:38 remoto server: 23:06:36.315 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (badPasswordTime)
Jun 30 23:06:38 remoto server: 23:06:36.316 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (lastLogoff)
Jun 30 23:06:38 remoto server: 23:06:36.317 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (lastLogon)
Jun 30 23:06:38 remoto server: 23:06:36.319 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (pwdLastSet)
Jun 30 23:06:38 remoto server: 23:06:36.320 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (primaryGroupID)
Jun 30 23:06:38 remoto server: 23:06:36.321 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (objectSid)
Jun 30 23:06:38 remoto server: 23:06:36.323 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (adminCount)
Jun 30 23:06:38 remoto server: 23:06:36.324 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (accountExpires)

Thanks
Henri.

On Tue, Jun 30, 2020 at 22:04, Henri Alves de Godoy <[email protected]> wrote:
> Hi Nick,
>
> Yes, I created the same guacadmin user on LDAP also with the same password, just like an account on MySQL.
>
> In version 1.0.0, I see all my users through the guacadmin account without any problems.
>
> What configuration is missing in the configuration file to list all users, groups and/or settings available in LDAP, and thus appear in the guacadmin user list?
>
> I believe that this detail is the big difference that was in the versions and that it is causing a misunderstanding.
>
> What can be done so that the guacadmin user can perform these operations and list users and groups, in order to assign the connections that we want for each user?
>
> Thanks!
>
> Henri
>
> On Tue, Jun 30, 2020 at 21:44, Nick Couchman <[email protected]> wrote:
>
>> On Tue, Jun 30, 2020 at 19:07 Henri Alves de Godoy <[email protected]> wrote:
>>
>>> Hi Nick, thanks for the reply!
>>>
>>> My configuration:
>>>
>>> guacd-hostname: localhost
>>> guacd-port: 4822
>>>
>>> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>>> auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider
>>
>> This option is not valid and will have no effect.
>>
>>> ldap-hostname: server
>>> ldap-port: 389
>>> ldap-encryption-method: none
>>> ldap-user-base-dn: ou=Users,ou=ADM,ou=FCA,dc=fca,dc=unicamp,dc=br
>>> ldap-search-bind-dn: cn=userldap,ou=FCA,dc=fca,dc=unicamp,dc=br
>>> ldap-search-bind-password: pass
>>> ldap-username-attribute: sAMAccountName
>>> ldap-follow-referrals: true
>>
>> Unless you need referrals enabled for traversing your LDAP directory you might try turning this option off.
>>
>>> mysql-hostname: localhost
>>> mysql-port: 3306
>>> mysql-database: guacamole_db
>>> mysql-username: guacadmin
>>> mysql-password: pass
>>>
>>> And the log does not show anything or any error, but it is not binding with AD LDAP:
>>>
>>> Jun 30 20:28:41 remoto server: 20:28:41.435 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - [2] Binding AuthenticationProvider "org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider".
>>> Jun 30 20:28:41 remoto server: 20:28:41.627 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "LDAP Authentication" loaded.
>>> Jun 30 20:30:58 remoto server: 20:30:58.633 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - [2] Binding AuthenticationProvider "org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider".
>>> Jun 30 20:30:58 remoto server: 20:30:58.815 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "LDAP Authentication" loaded.
>>>
>>> Jun 30 20:34:00 remoto server: Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
>>> Jun 30 20:34:01 remoto server: 20:34:01.082 [http-bio-8443-exec-1] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
>>> Jun 30 20:34:01 remoto server: 20:34:01.082 [http-bio-8443-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [143.106.230.18, 143.106.231.10] failed.
>>> Jun 30 20:34:07 remoto server: 20:34:07.391 [http-bio-8443-exec-3] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
>>> Jun 30 20:34:07 remoto server: 20:34:07.494 [http-bio-8443-exec-3] INFO o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from [143.106.230.18, 143.106.231.10].
>>> Jun 30 20:34:07 remoto server: 20:34:07.539 [http-bio-8443-exec-3] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
>>> Jun 30 20:34:07 remoto server: 20:34:07.563 [http-bio-8443-exec-3] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "guacadmin".
>>> Jun 30 20:34:07 remoto server: 20:34:07.810 [http-bio-8443-exec-7] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
>>> Jun 30 20:34:07 remoto server: 20:34:07.828 [http-bio-8443-exec-7] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
>>> Jun 30 20:34:08 remoto server: 20:34:08.076 [http-bio-8443-exec-3] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
>>
>> Does the guacadmin user also exist in your LDAP directory? It looks from these like you're authenticating with guacadmin successfully and the JDBC user is logging that user in. What happens when you attempt to authenticate with a user from your LDAP directory?
>>
>> Keep in mind that, unless the guacadmin user exists in your LDAP directory and has the same password as the database user, you won't be able to see any of the LDAP users with the guacadmin user. The search user that you specify in the configuration file is only ever used to attempt to locate the user logging in - it is *not* used to enumerate all available users, groups, and/or configurations from LDAP. Those operations are done as the user who actually logs in.
>>
>> -Nick
>
> --
> Henri Alves Godoy
> Information and Communication Technology
> Faculdade de Ciências Aplicadas - FCA
> Universidade Estadual de Campinas - UNICAMP
> Phone: (19) 3701-6682

--
Henri Alves Godoy
Information and Communication Technology
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Phone: (19) 3701-6682
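As an added example (not part of this thread, and not Guacamole's or the Apache Directory API's own code): before tuning options such as ldap-follow-referrals, it helps to measure how much of the 8 to 12 second login the quoted AddAttributeType debug lines actually account for. The script below parses syslog-wrapped lines in the shape Henri posted, groups them by NioProcessor thread, and reports how many attribute types each thread loaded and the wall time between its first and last entry. The sample log is a constructed subset of the lines above; the script assumes the syslog prefix is "<Mon> <day> <HH:MM:SS> <host> <program>: " followed by the application's millisecond timestamp, and that all entries fall within one calendar day.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample: a handful of lines in the same shape as the syslog-wrapped
# Guacamole debug output quoted in the thread (not the full log), plus one
# unrelated AuthenticationService line to show that non-matching lines are skipped.
SAMPLE_LOG = """\
Jun 30 23:04:41 remoto server: 23:04:41.100 [http-bio-8443-exec-3] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "guacadmin".
Jun 30 23:04:43 remoto server: 23:04:42.952 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (givenName)
Jun 30 23:04:43 remoto server: 23:04:42.956 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (distinguishedName)
Jun 30 23:04:43 remoto server: 23:04:42.967 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (whenChanged)
Jun 30 23:06:30 remoto server: 23:06:30.203 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (objectClass)
Jun 30 23:06:30 remoto server: 23:06:30.210 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (cn)
Jun 30 23:06:30 remoto server: 23:06:30.235 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (postalCode)
Jun 30 23:06:38 remoto server: 23:06:36.307 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (name)
Jun 30 23:06:38 remoto server: 23:06:36.310 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (userAccountControl)
Jun 30 23:06:38 remoto server: 23:06:36.324 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (accountExpires)
"""

# Assumed line layout: syslog prefix (second precision only), then the
# application's own millisecond timestamp, thread name, level, logger, message.
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+: "
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<thread>[^\]]+)\] DEBUG \S*AddAttributeType - "
    r"MSG_05179_ATTRIBUTE_TYPE \((?P<attr>[^)]+)\)$"
)


def parse_attribute_loads(text):
    """Yield (timestamp, thread, attribute) for every schema-attribute debug line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup, JDBC and auth lines are not part of the schema load
        # The application timestamp is used because the syslog one has no milliseconds.
        # Assumption: no midnight wrap inside the window being measured.
        yield datetime.strptime(m["ts"], "%H:%M:%S.%f"), m["thread"], m["attr"]


def summarize_by_thread(text):
    """Per NIO thread: attribute types loaded, and wall time from first to last entry."""
    raw = {}
    for ts, thread, attr in parse_attribute_loads(text):
        entry = raw.setdefault(thread, {"first": ts, "last": ts, "attributes": []})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["attributes"].append(attr)
    return {
        thread: {
            "attributes": e["attributes"],
            "elapsed_ms": round((e["last"] - e["first"]) / timedelta(milliseconds=1)),
        }
        for thread, e in raw.items()
    }


def total_window_ms(text):
    """Wall time from the first to the last attribute-type entry across all threads."""
    stamps = [ts for ts, _, _ in parse_attribute_loads(text)]
    if not stamps:
        return 0
    return round((max(stamps) - min(stamps)) / timedelta(milliseconds=1))


if __name__ == "__main__":
    # Pass a log file path as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for thread, e in sorted(summarize_by_thread(text).items()):
        attrs = e["attributes"]
        print(f"{thread:16} {len(attrs):3d} attribute types {e['elapsed_ms']:6d} ms  ({attrs[0]} .. {attrs[-1]})")
    print(f"total window across threads: {total_window_ms(text)} ms")
```

Run it against the full Guacamole log from a single login and compare the per-thread elapsed times with the seconds the user waits: if each thread's attribute-type span is only tens of milliseconds, the delay is not in loading those attribute types and the next thing to time is the bind and search round trips themselves (for example with referrals disabled, as Nick suggests).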
